Log-on lifesaver
Addenbrooke’s Hospital in Cambridge is reaping the benefits of two-factor authentication.
Remembering multiple passwords for multiple applications is a bane of the modern organisation: when forgotten – as they are frequently – they cost organisations a fortune in support costs, just to have them reset.
In healthcare, information security is particularly important because of the moral and legal obligation to keep patients’ records confidential. Having role-based systems and clear identities is crucial because, for example, a consultant can order procedures that a nurse cannot.
Addenbrooke’s Hospital in Cambridge has some 6,500 staff treating over 120,000 patients annually. These staff have access at different levels to 31 clinical applications which are either nationally or locally managed. “More applications mean more passwords, more passwords mean more helpdesk calls, and it all adds up to very frustrated clinicians,” explains David Hughes, technical manager at Addenbrooke’s.
And that has a parallel impact on security. To avoid having to remember so many identities, staff simply share passwords amongst themselves. Because the hospital deals with such sensitive information, it was imperative that Addenbrooke’s simplified and secured its systems. Furthermore, the hospital’s IT support service was dealing with nearly 10,000 password resets a year – that worked out at around £14 a reset.
The solution has been a sophisticated single sign-on (SSO) system based on two-factor authentication. But Addenbrooke’s did not want to spend years getting the system in place. The technology behind the SSO, from identity management specialist Imprivata, was also chosen for its ease of implementation. “We plugged it in and had four key applications working with SSO on the first day,” explains Hughes.
Addenbrooke’s expects a return on its investment within two years. And that is just the pure IT cost; in saving clinicians’ valuable time and letting them treat more patients, the real return is greater.
The hospital’s infrastructure is relatively complex. Some applications have been developed and deployed locally, but it also faces a mandate to integrate with the NHS’s national IT modernisation programme. A plan to consolidate existing applications had to take a back seat. “The biggest problem was always getting the single sign-on – now applications can be easily added to that system.”
For Hughes and his team, the ideal state has always been to have one strong mode of identification that allows access to all local and national systems. For now, they have a non-biometric smartcard, coupled with a four-digit PIN. When a card is inserted into one of Addenbrooke’s 3,500 new keyboards with in-built card readers and the PIN is entered, Imprivata’s OneSign system kicks in, authorising access to different levels of information depending on role. It is hoped the smartcard will eventually allow physical access to buildings as well.
Currently the hospital has rolled out SSO for six core local applications to the 200 most intensive users.
Three other NHS trusts are using SSO to sign on to the national applications that are part of the 10-year-long Connecting for Health programme. The next project for the IT team at Addenbrooke’s is to follow their example, so increasing the value of their SSO investment.