Q&A: David Ting, Imprivata, discusses protecting sensitive data

Imprivata is a leading independent provider of single sign-on (SSO) and access management solutions for healthcare and other regulated industries, serving nearly 100 NHS Trusts across the UK. We spoke to the company’s founder and chief technical officer, David Ting, who has extensive experience in the biometric authentication industry—initially with large civil programs and now with enterprise solutions—to understand the issues surrounding securing data.

What are the drivers behind securing access to data?

Data is a hugely important commodity for any organisation and is not only a source of valuable intellectual property, but also includes information relating to employees and customers which businesses are obliged to protect.

The Data Protection Act 1998 is one example of European regulation which mandates that access management policies must be in place to secure sensitive data, and failure to meet such standards can result in hefty penalties from bodies like the Information Commissioner’s Office, which has the power to impose fines of up to £500,000 if standards are not met.

It is also important to note that businesses have a responsibility to protect corporate data whether it resides within the corporate firewall, or whether it is being accessed remotely from a private computer or device. We are seeing a significant rise in mobile working practices and to align with this, businesses are being forced to reassess existing access policies to ensure that data security standards are being met by employees needing access from both inside and outside of the office building.

What are the ways in which sensitive data can be threatened?

Instances of data loss are typically caused ‘maliciously’ and with intent, or accidentally. Data losses can also result from the actions of employees or by individuals that are not associated with the organisation itself. Increasingly we are seeing more evidence of malicious attacks fostered by external organisations with significant impact on large populations of users.

Non-malicious internal data threats are commonly the byproduct of a repetitive access workflow, with complex security procedures sometimes encouraging workers to side-step access management policies in order to get the job done. For example, in a healthcare setting, we see physicians juggling multiple log-on credentials in order to access patient data. Typically, a separate username and password is required for each application, and consulting one patient frequently demands access to numerous applications.

Many organisations enforce ‘strong’ password policies that require an alphanumerical mix which is changed every 6-8 weeks, so it is not surprising that users often resort to noting their details down. This ‘post-it note’ culture can easily allow access details to fall into the wrong hands, potentially causing data loss.

Similarly, in environments where multiple users access one computer, for example an accident & emergency department, it is not uncommon that users share their log-on details to avoid the time required to sign-on and sign-off time and time again. This means that it is almost impossible to guarantee who accessed what information and when, making audit trails invalid and unreliable for any forensic investigation.

While the working practices of existing employees can lead to data threats, orphaned user accounts belonging to ex-employees can also leave organisations exposed to risk. This is especially the case when IT has no knowledge of the accounts, as is often the case with web-hosted applications.

Without tools in place to simplify user account governance, IT departments can easily overlook profiles that should no longer be active, meaning that individuals no longer employed by the organisation could have access to sensitive information long after their employment has been terminated, causing an obvious risk to data.

What are the solutions to securing data?

In the first instance, it is essential to note that successful security solutions must be unobtrusive to the user’s workflow. If the chosen solution attempts to change or complicate the way that users access information, short-cuts will be taken to bypass the solution where possible.

The ‘post-it note’ culture that I referenced earlier is a perfect example of how users have adapted working processes to avoid complex, multiple password demands. There are even examples where groups of users collaborated to defeat having to use a complex log-on solution.

One way that businesses can encourage users to adhere to password policies is through the use of Single Sign-On (SSO) solutions. By automatically authenticating users to all applications once they are logged into their desktop, the need for users to bypass security policy is annulled. SSO solutions can also be used alongside Strong Authentication (SA) devices such as biometrics or smart cards, to further secure user access while simplifying the logon experience.

SSO solutions can also integrate seamlessly with the organisation’s wider IT infrastructure. For example, in virtual desktop infrastructure (VDI) environments where data is stored centrally rather than at the end-point, SSO and SA can be used to further automate and simplify workflow. Using the hospital environment as an example again here, in a VDI environment, doctors can easily switch from one workstation to another as they go about their day-to-day activities.

If signed on to a workstation in Ward A, the doctor can move to Ward B and by swiping his smart card at this new location, his user session will end in Ward A and the same session will load in Ward B. This roaming desktop can hugely simplify access to the network while also ensuring that data is not left unattended on a workstation.

Ultimately, this also means that doctors are required to spend less time focusing on authenticating to their user accounts, allowing them more time to treat patients. In fact, a recent survey conducted by the Ponemon Institute found that SSO solutions like Imprivata OneSign can save doctors up to 14.6 minutes per day, which is a considerable boost to efficiency.
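The roaming-desktop behaviour described above (one session per user that leaves Ward A when the card is tapped in Ward B, plus an audit trail that can say who was on which screen when) is easy to get subtly wrong. The following is an added illustration in Python, not Imprivata code and not from the original interview; the class and method names, the workstation identifiers and the scenario are all constructed for the example, and card/PIN/biometric verification is assumed to have happened before `card_tap` is called.

```python
"""Roaming session broker: one live session per user, displayed on at most one
workstation at a time, with an audit trail that can be replayed.
Added example; names and scenario are constructed, not vendor code."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import itertools


@dataclass
class Session:
    session_id: int
    user: str
    workstation: Optional[str]   # None while the session exists but is not on any screen


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    user: str
    action: str                  # logon | roam | disconnect | logoff
    workstation: str
    detail: str = ""


class SessionBroker:
    def __init__(self) -> None:
        self._by_user: Dict[str, Session] = {}
        self._by_workstation: Dict[str, Session] = {}
        self.audit: List[AuditEvent] = []
        self._ids = itertools.count(1)
        self._seq = itertools.count(1)

    def _log(self, user: str, action: str, workstation: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(next(self._seq), user, action, workstation, detail))

    def _disconnect(self, session: Session, detail: str) -> None:
        # Session keeps running but the screen it was on is freed and logged as freed
        ws = session.workstation
        if ws is not None:
            self._by_workstation.pop(ws, None)
            session.workstation = None
            self._log(session.user, "disconnect", ws, detail)

    def card_tap(self, user: str, workstation: str) -> Session:
        """User has already been verified (card + PIN/biometric) at `workstation`."""
        occupant = self._by_workstation.get(workstation)
        if occupant is not None and occupant.user != user:
            # Someone else left their session on this screen: hide it before showing ours
            self._disconnect(occupant, f"screen taken over by {user}")
        session = self._by_user.get(user)
        if session is None:
            session = Session(next(self._ids), user, workstation)
            self._by_user[user] = session
            self._by_workstation[workstation] = session
            self._log(user, "logon", workstation)
        elif session.workstation == workstation:
            self._log(user, "logon", workstation, "already displayed here")
        else:
            # Roam: free the old screen (logged), then attach the same session here
            self._disconnect(session, f"roamed to {workstation}")
            session.workstation = workstation
            self._by_workstation[workstation] = session
            self._log(user, "roam", workstation)
        return session

    def logoff(self, user: str) -> None:
        session = self._by_user.pop(user, None)
        if session is None:
            return
        ws = session.workstation
        if ws is not None:
            self._by_workstation.pop(ws, None)
        self._log(user, "logoff", ws or "-")

    def displayed_on(self, workstation: str) -> Optional[str]:
        s = self._by_workstation.get(workstation)
        return s.user if s else None

    def occupant_at(self, workstation: str, seq: int) -> Optional[str]:
        """Forensic replay: who was shown on `workstation` just after audit event `seq`."""
        user = None
        for ev in self.audit:
            if ev.seq > seq:
                break
            if ev.workstation != workstation:
                continue
            user = ev.user if ev.action in ("logon", "roam") else None
        return user


def demo() -> SessionBroker:
    """Constructed scenario: a doctor signs on in Ward A, taps in at Ward B,
    a nurse then takes the Ward A screen, and the doctor later logs off."""
    b = SessionBroker()
    b.card_tap("dr.smith", "ward-a-ws1")
    b.card_tap("dr.smith", "ward-b-ws3")
    b.card_tap("nurse.jones", "ward-a-ws1")
    b.logoff("dr.smith")
    return b


if __name__ == "__main__":
    for ev in demo().audit:
        print(ev.seq, ev.user, ev.action, ev.workstation, ev.detail)
```

The point of logging the disconnect on the old workstation as its own event is that the audit trail can later answer "who was on the Ward A screen at that moment" without guessing; a single "roam" event that only names the new location would leave the old screen looking occupied during replay.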

With the proliferation of mobile working, how can companies adequately secure mobile and remote devices?

In an increasingly consumerised workplace, more and more users are looking to access corporate information from mobile devices such as tablets, smartphones, netbooks and notebooks. This has made the job of the IT department ever-more complex, and the challenge of providing access to both personal and corporately-owned devices further adds to this dilemma.

To address this issue, SSO capabilities have recently moved into the mobile device space and Imprivata’s answer to this problem, OneSign Anywhere, is one such example. OneSign Anywhere provides a portal that grants authenticated access to all enterprise and web-based applications, anywhere and on any device, without requiring employees to remember individual login credentials for each application.

In addition, users are able to use a range of devices including tablets and smartphones and no installation of software at the device level is required, making this an ideal option for IT departments with limited staff resources, and for employees working from personal devices.

The ability to access corporate data securely from mobile devices means that employers can be confident when allowing employees access outside of the office building. Plus, users are no longer required to download information onto devices such as USB keys in order to allow them to work outside of the office. This reduces the risk of storage devices holding corporate data being lost, further contributing to data security at an organisational level.

On a technical level, how are Strong Authentication (SA) and Single Sign-On (SSO) technologies typically undertaken today?

Organisations today typically work with a complex environment of legacy and web-based applications and with this in mind, SSO solutions that can be easily integrated into the network infrastructure without requiring changes to Active Directory schemas are hugely valuable. Minimising the time and cost of implementation this way allows businesses to quickly reap the time and cost savings associated with improved workflow and security, while also freeing up IT resources for more strategic activities.

SSO solutions which offer application-level strong authentication, built-in support for a broad range of strong authentication devices, and VDI support through integration with Citrix XenApp and VMware View allow businesses to tailor their SSO implementations to meet their business needs.

Imprivata’s OneSign solution can support most two-factor authentication devices, including active and passive proximity cards, finger biometrics, one-time-password tokens, Windows smart cards, National ID smart cards and USB tokens, and has a built-in RADIUS server for remote authentication. In fact, many of these authentication devices can also be supported through OneSign in VDI environments, enabling users to quickly access applications and switch users.

How are businesses using access management solutions to support security and workflow productivity?

There are many innovative ways in which businesses are using SSO to support security and workflow productivity. One great example can be seen in healthcare environments such as University Hospitals Bristol NHS Foundation Trust, which has recently announced its work with Imprivata OneSign.

University Hospitals Bristol NHS Foundation Trust is a specialist teaching and research hospital trust, which has implemented Imprivata OneSign 4.5 across multiple sites, providing 5,100 users with secure and efficient access to patient data. The solution was deployed as part of the Trust’s Clinical Systems Strategy which aims to replace the existing patient administration system; theatre, maternity and Accident and Emergency systems and pharmacy stock control, as well as providing a platform for future developments including e-Prescribing.

The Trust chose to implement Imprivata’s OneSign 4.5 to assist IT staff with this process and ease users into the planned system changes by improving workflow and avoiding potential complexity surrounding the upgrades. For the IT team, the SSO solution was also seen as a way to ensure that security policies were being met at all times.

Imprivata OneSign 4.5 was integrated into University Hospitals Bristol’s network infrastructure following a competitive analysis and proof of concept (POC) rollout within the Trust’s IT department. With no changes required to the Active Directory schemas, the IT team developed SSO profiles for 50 clinical systems, dramatically reducing the amount of time that clinicians spent accessing critical data.

Following the POC implementation, OneSign 4.5 was rolled out in priority departments including Accident and Emergency at Bristol Royal Infirmary and Bristol Royal Hospital for Children, where fast and secure access to critical data is essential to ensure patient confidentiality while providing excellent standards of patient care.

As well as offering SSO access to locally hosted applications, the Imprivata solution has also provided the Trust with secure access to patient data from neighbouring trusts, which is essential to University Hospitals Bristol NHS Foundation Trust as it provides a range of specialist services. Due to the success of the implementation, the Trust is also piloting and evaluating biometric authentication and proximity cards as part of this rollout.

Dave Oatway, Computer Services Manager at University Hospitals Bristol NHS Foundation Trust, in fact stated that “As a speciality centre for several different types of treatment including oncology services and paediatric care, security, confidentiality and clinician productivity are all essential to the service that we provide to our patients. Imprivata has allowed us to tackle the common security challenges associated with multiple passwords, improving data security, and simplifying day-to-day access for our users, and feedback from these users has been overwhelmingly positive.”

Christian Harris is editor and publisher of BCW. Christian has over 20 years' publishing experience and in that time has contributed to most major IT magazines and Web sites in the UK. He launched BCW in 2009 as he felt there was a need for honest and personal commentary on a wide range of business computing issues. Christian has a BA (Hons) in Publishing from the London College of Communication.