Case Study: Children's Hospital Boston
Improve ID management
Number of Users
Saved $210,000 per year in increased productivity
Courion AccountCourier, Courion PasswordCourier
Children's Hospital Boston treats more than 300,000 patients each year. In such circumstances, a moment's distraction can result in a tragic outcome. For the IT staff, avoiding such tragedies requires ensuring that the right people have access to the right information, and in the time it takes to fill out a search prompt and click "send." And so, starting in early 2002, the hospital began looking for a way to make sure that not only could long-term care providers reset their passwords, but also that a constantly changing stream of nurses and residents could, too.
"There was a pretty significant problem in going through password reset," says Scott Ogawa, CTO at Children's Hospital Boston. "The user community didn't like that they couldn't just call up and say, 'I'm Dr. Jones, please reset my password.'"
Because of the sensitivity of the information to which doctors, nurses and other staff sought access, an arcane system had been implemented in order to keep patient histories, pharmaceutical orders, radiology results and the like from falling into the wrong hands. Users were issued different levels of access according to their different duties (a clinician would have greater access than a file clerk, for instance), and altogether new log-ons were needed for different areas of the system. The improvised way in which the staff dealt with their various passwords was anything but secure. Kevin Murray, operating systems manager, calls this the "3M Factor"; users keep track of their many passwords with Post-its taped to their computers. Resetting these passwords was the most troublesome concern of all. This was done entirely off-line, and required a tedious phone call to the help desk, in order to go through an elaborate, though necessary, identity authentication. The entire process could take several minutes.
"I was very disillusioned," says Ogawa. "I wanted to give users complete control over their destinies, and I also wanted a way to synchronize passwords across multiple applications and platforms."
Help came from nearby Courion Corp. in Framingham, Mass., a software firm that, since its founding, has focused on self-service identity management. For Children's Hospital, Courion implemented a Web-based, easy-to-use ID-management program that synchronized passwords across all applications and enabled sign-on with a single password. A password-reset program was also incorporated, thus allowing Children's staff to avoid that call to the IT desk. Since the program's launch in January 2003, the hospital has logged 13,500 fewer calls to reset passwords; previously, this process had cost Children's $14 per call. The hospital says it's a call-avoidance factor of 80 percent, and Ogawa estimates that the program has saved around $210,000 each year in productivity.
Cost savings are always nice, but Children's had an additional motivation for getting its self-service program in line: the Health Insurance Portability and Accountability Act (HIPAA) legislation passed to protect the privacy of patient data. Children's new digital ID system gives doctors greater control over access to their patients' information, and what's more, a built-in time-out system closes off access to that information should a doctor walk away without logging off.
Courion attributes the success of the self-service implementation at Children's to tests, with staff, of its intuitiveness. As the program rolled out, Courion and Children's also launched an internal awareness campaign to make sure the program got used. Posters urged doctors and nurses to "Reduce the Hassle Factor." E-mail reminders nudged them to sign on. And, in a nod to the "3M Factor," Post-its were distributed with the words "Don't write your password here." The adoption rate at press time: 90 percent.