The Case for Single Sign-On
Every morning, staff are required to log into multiple different systems just to do their jobs. Clinic staff must sign in to Citrix to get to the EHR environment, then into Intergy EHR for clinical functions, Intergy POMIS for scheduling, Outlook for email, PayCom to monitor time and payroll, Tower Diagnostics for updated test and procedure results, Epic to obtain hospitalization records, and VFC to print and update immunization records. That is eight different systems to do one job. If the employee works in the lab, they also have to log into Quest to print and send requisitions. If the employee is a center manager, they also have to log into McKesson to order supplies and Dentrix to monitor dental patients and departmental flow. Each of these systems requires its own username and password and none of them have a password cycle that synchronizes with the other systems. This means each employee could have to memorize eight different passwords at once. Given the stringency of the Citrix password parameters (at least one capital letter, one lowercase letter, one number, one special symbol, 9 to 15 characters in length, not similar to the past 6 passwords, and not containing any recognizable words), this creates a potential for a security breach. Why? Because with everything else the staff must do to successfully promote clinic flow and provide quality patient care, memorizing multiple complex passwords falls at the bottom of the priority list. Staff members have resorted to writing down their usernames and passwords and keeping those notes at their workstations. The Michigan Department of Health and Human Services (MDHHS) discussed this in their Use Case Summary for Single Sign-On: “This creates obvious productivity‐draining issues resulting from forgotten login information, recovering and resetting passwords, and auto‐lockout after multiple failed login attempts. 
There are also security risks inherent in users writing down passwords or keeping them simple or identical to ease memorization. The issues multiply with each additional login and password combination that a user must maintain, creating additional security risks and potentially taking health professionals’ valuable time away from patient care” (2016). To put it bluntly, someone could easily swipe that information, log into our systems, and have practically unlimited access to our patients’ protected health information (PHI). Aside from this being a major HIPAA violation, it would also be a breach of our patients’ privacy, confidence, and trust. Something needs to change before such a violation occurs. I recommend we convert to Single Sign-On (SSO). Not only would SSO save us from possible security breaches, it would also save us time and money.
“Single sign-on (SSO) is an emerging technology intended to facilitate easier and faster use of EHRs and other clinical information technology applications” (Gellert, Crouch, Gibson, Conklin, Webster, and Gillean, 2017). SSO allows users to sign in one time, with one username and password, yet gain access to all systems attached to it. Implementation of a Single Sign-On program is quick and relatively inexpensive. OneLogin (an SSO provider/program) has a calculator that estimates our organization’s first-year savings just by switching to an SSO would be around $75,000 (https://tools.totaleconomicimpact.com/go/onelogin/iam/). That’s just one company’s estimate. With multiple available players in the Single Sign-On market, it is likely that an organization like ours, with around 300 employees, could easily negotiate and drive implementation costs down. The monetary benefits are not limited to just the rollout of SSO; they also come as a result of increased productivity and decreased IT resource hours.
Gellert et al. conducted a study whereby they clocked how long it took employees to log in to the EHR at the 6 hospitals they observed. Their EHR, just like ours, requires a 2-step login: one login for Citrix and another for the EHR. The average time it took the employees, providers and staff alike, to log in was about 36 seconds (2017). If 300 people take 36 seconds to log into only two of the up to 10 systems we access, that equates to 180 minutes each day spent logging into Citrix and EHR. If that same timeframe applies to the other 6 applications the majority of the staff use, then the total amount of time spent per morning logging into applications is 540 minutes. That’s 9 hours of just logging in! Not to mention that the staff has to log in from scratch again after lunch. That means that 18 hours of logging in occur each day in our organization if everyone remembers their usernames and passwords for all of those applications. If they don’t, then IT has to get involved in order to reset the employee’s password, which can take up to 30 minutes if IT isn’t readily available to take the call or the employee has difficulty going through the steps to complete the process. A Single Sign-On system would eliminate both the excess sign-in times and the drain on IT resources. With SSO, staff wouldn’t need to write down all their usernames and passwords. They would just need to remember one. Staff could quickly and easily log in to their workstations and begin seeing patients right away. The hospitals Gellert et al. studied showed a reduction in login time of 28 hours per facility per week after the implementation of SSO, which, after a year, translated to a reduction in login time of 1461 hours per facility for the year, saving the hospitals around $92,150 (2016). Granted, our organization will not see savings like that, but we will see a definite positive shift to both our bottom line and our patient satisfaction scores.
Increasing provider and staff availability time allows more patients to be seen and more quality time to be spent during those patient visits. With SSO, medical assistants and providers will no longer have to worry about logging into Tower for a patient’s x-rays; they’ll already be signed in. A patient is in for a hospital follow-up but doesn’t have their discharge paperwork or lab results? SSO has the staff already logged into Epic and Quest. Our staff appears more composed and on top of their game when they aren’t scrambling for usernames, passwords, or someone who remembered theirs and is already logged in. This will increase patient confidence, resulting in improved survey scores. Additionally, Single Sign-On will free up providers to see more patients. It will be easier for them to meet and/or exceed productivity goals and quality measure requirements since they will have extra time and extra confidence knowing access is secured and the staff is ready to work. Medical assistants will be better able to review charts and spot overdue exams, pull test results, and access schedules to accommodate follow-up visits. Center managers will have better access to clinic flow, payroll, and resource management, which will help them maximize patient and staff allocation. The organization as a whole would work in a more streamlined fashion. Time wasted on login attempts, IT consultation, and seeking out co-workers with access would be practically eliminated. Our environment program, Citrix, is already built to handle Single Sign-On. Our IT staff are already versed in SSO implementation and maintenance from their previous employers. Clinic staff have been asking for ways to work smarter. SSO is a way to do just that, with the added benefit of putting money back into our organization. We can increase PHI security, reduce the potential for HIPAA breaches, elevate provider productivity, improve staff morale, and receive a considerable return on investment.
The question should not be if we adopt Single Sign-On; it should be when do we start.
I fully support single sign on (SSO). In a previous job, I had to log into two different databases. Since I worked per diem, and not very often, I would usually forget my passwords and have to call the help desk. Apparently, other employees also would forget their passwords so the unit supervisor developed a form for us to list our passwords to keep at our desks! Not very secure but we were losing a lot of time sitting on the phone with the help desk. In my current job, I am able to sign in on all functions with one username and password and can do this very quickly. However, I am working on a special project every other Thursday and those screens require a different password. I will be in trouble if the password needs to be changed because it is "saved" and I don't remember what it is. SSO allows streamlining of work. Unfortunately, it is not in use everywhere.
Sewell, J. (2016). Informatics and nursing: Opportunities and challenges (5th ed.). Philadelphia, PA: Wolters Kluwer
References
Gellert, G. A., Crouch, J. F., Gibson, L. A., Conklin, G. S., Webster, S. L., & Gillean, J. A. (2017). Clinical impact and value of workstation single sign-on. International Journal of Medical Informatics, 101, 131-136. doi:10.1016/j.ijmedinf.2017.02.008
Forrester Research, Inc. (2016). OneLogin Estimator: Increased user productivity via SSO app access. Retrieved June 21, 2017, from https://tools.totaleconomicimpact.com/go/onelogin/iam/
Single Sign-On for Healthcare Providers and Patients [Use Case Summary]. (2016, February 3). Retrieved June 19, 2017, from https://mihin.org/wp-content/uploads/2013/07/MiHIN-UCS-Single-Sign-On-v29-published-02-03-16.pdf. Michigan Department of Health and Human Services
I responded to Olivia Gatlin's blog June 23, 2017 at 10:35 AM, and Meagan Carpenter's blog June 23, 2017 at 11:54 AM (2:54 PM, my time).