Best Practices for Authenticating users for Hospital Intranet access
Since HospitalPortal.net is a niche hospital-specific Intranet solution and we work almost exclusively with healthcare clients, the topic of best practices for Intranet authentication methods in hospital environments comes up very often in both pre-sale discussions as well as during system implementation. Just in the last week alone, we were asked by 3 different hospitals for recommendations and best practices for user authentication and delivery of personalized content to end users.
While every hospital is unique in terms of its technical infrastructure and its Intranet needs, there are some general recommendations for configuring user authentication for healthcare Intranets that apply to most clinical environments.
1. Utilizing Microsoft Active Directory for user management and authentication in Hospital environments
A majority of hospitals use Microsoft Active Directory to manage network user accounts. Our system is currently installed in some 150 hospitals of various sizes throughout the US, and I can think of only a few cases where network user management is not done through AD.
If network user accounts are already managed in AD, it only makes sense to use AD for Intranet portal authentication as well. With AD integration, Intranet access follows the life cycle of the network account: a newly created account can log in right away, and a disabled or deleted account can no longer authenticate, so offboarding a user in AD offboards them from the Intranet at the same time. For network accounts that should not have access to the Intranet (such as vendor accounts or service accounts), we can configure “deny” groups (managed in AD) or base portal access on a specific Organizational Unit (OU) in AD, so that unauthorized accounts are kept out of secure Intranet content.
The second main benefit of AD authentication is password management. Intranet users use the same password for workstation/network logon and for Intranet logon, and password complexity, expiry and lockout are enforced once, in AD, rather than being reimplemented in the portal. The usual fear of “managing yet another account”, from both the user’s and the administrator’s perspective, is therefore addressed automatically.
As for when to enable AD integration for Intranet authentication, our recommendation is always to start with stand-alone portal authentication (users are managed in the Intranet portal) for the initial implementation and training tasks. This lets portal administrators and content editors configure content and permissions and test various scenarios and access rights without involving IT or dealing with the AD structure. It is usually safe to switch over to AD-integrated authentication once a general road map for user authentication has been developed. When you do switch, retire the stand-alone accounts created during the pilot, especially administrator accounts, so the portal does not keep a second, unmanaged logon path alongside AD.
2. Pass-thru or Mixed Mode authentication for Hospital Intranet access?
Once the decision is made to use AD for user authentication and authorization, the next question hospital Intranet administrators face is whether or not to enable pass-thru authentication. With “pass-thru” authentication (Integrated Windows Authentication, negotiated between the browser and the web server using Kerberos or NTLM), a browser-based application such as the Intranet automatically assumes the identity of the user who is logged in to the workstation; no credentials are typed into the Intranet itself. The other option is to have users explicitly log in to the Intranet with their AD username and password at a prompt on an Intranet page. We call this second method mixed mode AD authentication in our system.
Since the pass-thru method does not require an explicit logon, it gives a much better user experience and is the preferred option: users are logged in automatically and immediately have access to their secure content and editing tools. It does depend on the workstation being domain-joined and on the browser being configured to send Windows credentials to the Intranet site (typically by placing the site in the Local Intranet zone or an equivalent browser allow-list), so verify that configuration before rolling pass-thru out.
However, until fairly recently, the pass-thru method was often out of the question in hospital environments because of what are often referred to as “generic workstation accounts”. Many computers across a hospital, and nursing workstations in particular, were kept permanently logged in to the network under a pre-defined generic AD account. This spared clinical staff from logging in and out constantly as they moved from workstation to workstation or when shifts changed. But because those computers were logged in under a shared account, pass-thru simply did not work: every person at such a workstation would be identified as the same generic Active Directory account, and the Intranet had no way of telling who was actually in front of the screen.
This paradigm has changed in the past few years. With stricter enforcement of HIPAA requirements around PHI access, which require that access be attributable to a uniquely identified individual, hospitals are moving away from generic user accounts. Pass-thru authentication for Intranet access has therefore become quite feasible and is now the preferred option. Where some generic accounts remain, the portal should recognise them and fall back to an explicit logon prompt rather than silently signing everyone in as the shared account.
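The following is an added example, not HospitalPortal.net code, written in Python to show the decision logic from sections 1 and 2 in one place: OU-scoped access, an AD-managed deny group resolved through nested group membership, and the generic-workstation check that refuses to auto-sign-in a shared account under pass-thru and prompts for an explicit logon instead. It assumes the portal already holds the user's AD identity together with the distinguishedName and memberOf attributes; every DN, OU, group and account name in it is constructed sample data, and the decision codes are this example's own names.

```python
"""Portal authorization decision for an AD-authenticated user (added example).
Assumes the caller already has the account's distinguishedName and memberOf
values. All directory data below is constructed; none of it is a real site."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Mapping

# Decision codes returned by authorize() (names are this example's own).
ALLOW = "allow"
PROMPT_LOGON = "prompt-explicit-logon"   # pass-thru identity is a shared/generic account
DENY_GENERIC = "deny-generic-account"    # generic account offered at the logon form
DENY_OUT_OF_SCOPE = "deny-outside-ou"    # account lives outside the portal's OU scope
DENY_GROUP = "deny-group"                # (nested) member of the AD deny group


def split_dn(dn: str) -> tuple[str, ...]:
    """Split a DN into RDNs, honouring backslash-escaped commas ("CN=Doe\\, Jane").
    AD DNs compare case-insensitively, so each RDN is trimmed and lower-cased."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip().lower())
    return tuple(rdns)


def in_ou(account_dn: str, ou_dn: str) -> bool:
    """True if the account sits in ou_dn or in any OU nested beneath it (suffix match)."""
    acct, ou = split_dn(account_dn), split_dn(ou_dn)
    return len(acct) > len(ou) and acct[-len(ou):] == ou


def effective_groups(direct: Iterable[str],
                     parents: Mapping[tuple[str, ...], Iterable[tuple[str, ...]]]) -> set[tuple[str, ...]]:
    """Expand direct memberOf values through nested groups. AD's memberOf lists only
    direct membership, so a deny group applied to a parent group would otherwise be missed."""
    seen: set[tuple[str, ...]] = set()
    stack = [split_dn(g) for g in direct]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(parents.get(g, ()))
    return seen


@dataclass(frozen=True)
class Account:
    dn: str
    member_of: tuple[str, ...] = ()


@dataclass(frozen=True)
class Policy:
    scope_ou: str       # only accounts under this OU may use the portal
    deny_group: str     # AD-managed group that blocks portal access
    generic_group: str  # AD group holding shared workstation accounts


def authorize(account: Account, policy: Policy,
              parents: Mapping[tuple[str, ...], Iterable[tuple[str, ...]]],
              via_passthru: bool) -> str:
    """A generic account is never a personal identity, so it is rejected before the
    scope and deny-group checks are consulted; under pass-thru the right answer is a prompt."""
    groups = effective_groups(account.member_of, parents)
    if split_dn(policy.generic_group) in groups:
        return PROMPT_LOGON if via_passthru else DENY_GENERIC
    if not in_ou(account.dn, policy.scope_ou):
        return DENY_OUT_OF_SCOPE
    if split_dn(policy.deny_group) in groups:
        return DENY_GROUP
    return ALLOW


# ---- constructed sample directory (hypothetical names) ----------------------
BASE = "DC=hospital,DC=example"
G_NURSING = f"CN=Nursing,OU=Groups,{BASE}"
G_MGMT = f"CN=Management,OU=Groups,{BASE}"
G_SVC = f"CN=Service Accounts,OU=Groups,{BASE}"
G_DENY = f"CN=Intranet-Deny,OU=Groups,{BASE}"
G_GENERIC = f"CN=Generic Workstation Accounts,OU=Groups,{BASE}"
# group -> groups it is itself a member of (the service-account group is nested in the deny group)
GROUP_PARENTS = {split_dn(G_SVC): [split_dn(G_DENY)]}
POLICY = Policy(scope_ou=f"OU=Hospital Users,{BASE}", deny_group=G_DENY, generic_group=G_GENERIC)
DIRECTORY = {
    "jnurse": Account(f"CN=Jane Nurse,OU=Nursing,OU=Clinical Staff,OU=Hospital Users,{BASE}",
                      (G_NURSING, G_MGMT)),
    # same person as a different DC might return it: case differs but must still match
    "jnurse-upper": Account(f"CN=Jane Nurse,OU=Nursing,OU=Clinical Staff,OU=Hospital Users,{BASE}".upper(),
                            (G_NURSING.upper(),)),
    "icu-ws-03": Account(f"CN=ICU-WS-03,OU=Workstations,OU=Hospital Users,{BASE}", (G_GENERIC,)),
    "vendor1": Account(f"CN=Vendor Tech,OU=Vendors,{BASE}"),
    "svc-backup": Account(f"CN=svc-backup,OU=Service Accounts,OU=Hospital Users,{BASE}", (G_SVC,)),
}


def decide(username: str, via_passthru: bool = True) -> str:
    return authorize(DIRECTORY[username], POLICY, GROUP_PARENTS, via_passthru)


if __name__ == "__main__":
    for user in DIRECTORY:
        print(f"{user:13} pass-thru={decide(user, True):22} explicit={decide(user, False)}")
```

Two details in this example matter in a real deployment: memberOf in AD lists only direct membership, so a deny group applied to a parent group is missed unless nested membership is expanded as above (or the portal queries AD with the LDAP_MATCHING_RULE_IN_CHAIN filter), and DNs are case-insensitive, so comparisons must be normalized rather than done on raw strings.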
3. Manage User Groups in Intranet Portal Application or AD?
The last aspect of using AD authentication for healthcare Intranet access is AD user groups and Intranet content access rights management. User groups are commonly used to grant access to a specific page or piece of content within an Intranet system. Since a user can be a member of many groups, group membership opens up a great many ways of granting appropriate and relevant access rights across different Intranet pages and resources. For example, if a nurse is also a department head, she or he would likely be a member of both a Nursing user group and a Management user group. If your Intranet site has separate secure resources for each team, you would want nurses (members of the Nursing group) to have access to the secure Nursing resources and the management team (members of the Management group) to have access to management-only resources. Members of multiple groups naturally have access to all resources accessible to any group they belong to.
Since user groups are already managed in AD, at first glance, it may seem quite logical to use already pre-defined AD-based user groups for Intranet portal access rights management. These groups are already maintained by IT in Active Directory and set accordingly to a user’s needs and job functions.
In the real world, however, we quite often see a disconnect between the needs of the Intranet application and the network security purpose of AD user groups. The group structure in Active Directory is built around network access rights and is unlikely to line up with the Intranet application's needs. Furthermore, portal administrators usually want full control over user group assignment in their Intranet system, because it changes often. Since AD is managed by the IT network administrator, having such changes made on an ongoing basis is unrealistic or impossible. Therefore it is typically easier and more logical to manage groups in the Intranet, outside AD. The trade-off is a second source of truth: a user's portal group memberships do not change when their AD role changes, so role changes need a portal-side review, whereas leavers are still handled by AD, since a disabled account cannot log in at all.
The above recommendations are likely applicable to a majority of needs and situations. However, as with any system integration, there will always be special cases and unique requirements that will require further customization.