How SSO Streamlines Identity Management to Improve Healthcare Workflows

The clear benefit of SSO is removing the administrative burden of logging in to individual applications. That burden typically manifests in simple passwords that are easy to crack, or in lists of passwords, which are easy to misplace. And modern authentication standards, such as those spelled out in the National Institute of Standards and Technology Digital Identity Guidelines, are about more than passwords.
“Identity platforms can apply flexibility in how they authenticate,” says Dan Cinnamon, principal solution architect for healthcare at Okta. Options could include multifactor authentication (MFA), biometrics or the detection of a user’s physical presence. “When there’s one login process for everything a clinical user needs, you can create a consistent experience.”
On the back end, SSO works by transitioning authentication from the application layer to a centralized IAM system. Because clinical applications no longer collect or store password information, or communicate it over the network to be authenticated, an organization’s potential attack surface shrinks significantly, Cinnamon says.
Once a clinical user is logged in, SSO and IAM platforms work in tandem to monitor how they move from one application to another over the course of their shift. (This also extends to machine identities, which can be assigned to everything from remote monitoring devices to workstations on wheels.)
Over time, this helps establish patterns of normal behavior. Under typical circumstances — a trusted ID, device and endpoint — authentication can be seamless. For Traffanstedt, it’s less about frictionless access and more about transferring the friction from the end user to the SSO and IAM systems that set controls and enforce policies.
That said, if it appears an ID has been compromised or a device has been breached, access will be denied. As Cinnamon puts it, “Once something’s fishy, the roadblocks come up.” In this case, the momentary frustration an end user may experience is offset by the effectiveness of the quick clampdown on lateral movement throughout the organization’s network.
SSO’s Close Alignment With Zero Trust Supports New Care Models

Traffanstedt says SSO aligns nicely with the principles of Zero Trust in healthcare, which requires authentication and continuous validation before a user is granted access to an application, device or data set.
“Continuous validation of access is easier when ingress and egress are centralized,” as they are with SSO platforms, he says. “This hardens the security environment in ways SSO wasn’t originally conceived to do.”
As an example, Traffanstedt points to adaptive MFA, which applies business rules to determine which authentication factors make the most sense in each scenario. A clinician who works at the hospital some days and an ancillary clinic on other days may be subject to different access controls based on location.
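The following sketch is an added example, not code from the article or from any vendor it quotes. It shows how adaptive MFA rules of the kind described above could be evaluated per request; the site names, factor names and signal fields are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy table: baseline factors per site. Sites and factor
# names are illustrative assumptions, not taken from any product.
SITE_FACTORS = {
    "hospital": ["badge_tap"],
    "ancillary_clinic": ["password", "push_mfa"],
    "remote": ["password", "push_mfa", "biometric"],
}

@dataclass(frozen=True)
class Context:
    user: str
    site: str                 # where the request originates
    device_managed: bool      # enrolled, known endpoint
    device_breached: bool     # signal from endpoint tooling
    identity_flagged: bool    # signal that the ID may be compromised
    usual_sites: frozenset    # sites in this user's normal pattern

def decide(ctx: Context) -> tuple[str, list[str]]:
    """Return (decision, required_factors) for one access request."""
    # Compromise signals win over everything else: block, do not step up.
    if ctx.identity_flagged or ctx.device_breached:
        return "deny", []
    # Unknown site: fail closed rather than guessing a factor set.
    if ctx.site not in SITE_FACTORS:
        return "deny", []
    # Trusted ID, device and endpoint in a usual location: no extra prompt.
    if ctx.device_managed and ctx.site in ctx.usual_sites:
        return "allow", []
    factors = list(SITE_FACTORS[ctx.site])
    # An unmanaged device adds a factor on top of the site's baseline.
    if not ctx.device_managed and "biometric" not in factors:
        factors.append("biometric")
    return "step_up", factors
```

The friction lives in the policy table and the ordering of the checks, so changing what a clinic shift requires is a policy change rather than an application change.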
Cinnamon describes this scenario as access at rest and in transit, similar to the key principles of data encryption. Access at rest is comparable to traditional IAM, based on a user’s position in the organization and hiring status. It’s role-based, relatively static and built on an expectation of trust.
Access in transit is more like modern authentication, powered by SSO. While no assumptions are made and authentication is required, “you can apply layers of authentication and validation in flexible ways, given a user’s context,” Cinnamon says. This can benefit healthcare’s embrace of remote monitoring, telehealth and other models of distributed care.
An Imprivata case study from Northern Ireland highlights this well. There, the South Eastern HSC Trust was able to onboard 500 new employees in less than 30 minutes to staff a COVID-19 booster vaccination clinic. As the report noted, “compression of the time required between policy and programmatic decisions to expand vaccine efforts and delivery of vaccine is a public health imperative.”
healthtechmagazine