Rapid Authentication Systems?
Barrington Johnson asks: "I am an emergency physician, and am looking for a solution for authentication which is compatible with rapid logons and logoffs. We have several web-based terminals into which we put information. The web application gives a real-time representation of the emergency department, so it is important that it is kept up to date. We have an opportunity to re-design our system, and I know that if I make the authentication process too difficult e.g. username+password, doctors will store up their data entry, and do it all in one go, removing the real-time usefulness of the display. At what level (application/browser/system) should authentication occur, and what method would be best?" Might a smartcard-based authentication system work well in this situation?
USB Keys (Score:1)
SmartCards slow -- YMMV (Score:3, Interesting)
A restaurant-type system might be best/fastest.
Perhaps forgo authentication? Or make it concurrent with data entry? A "secret" 4-6 char UID field that whoever fills in when they enter other data (vitals).
Re:SmartCards slow -- YMMV (Score:4, Informative)
Are these proximity-type cards? Can RF-based proximity-card readers be used with terminals?
I use a proximity card to enter university buildings, and it takes less than 1 sec for the reader to read my card, find my record in the authorized personnel database, and unlock the door. Instantaneous.
UID/pw usually takes more than 1 sec -- it depends on the length of UID and pw, and how fast the person can type.
Re:SmartCards slow -- YMMV (Score:2)
Agreed on the typing, I was measuring from complete entry of data to access-grant.
Other smartcard problems (Score:2)
Here you go (Score:3, Informative)
wireless lock [thinkgeek.com]
Re:Here you go (Score:1)
the correct link is here [diebold.com]
2 tiers of authentication (Score:3, Insightful)
First level being a 4 digit pin that can be easily entered at a login screen that will allow view access to all the important data.
Second level, require a username and password if anyone actually wants to modify something.
Re:2 tiers of authentication (Score:3, Insightful)
Uh, the whole point is to encourage easy modification, so that the records are up to date.
Simple answer... (Score:5, Insightful)
Hire a professional web designer that specializes in security. I wouldn't want people to expect me to be a doctor, and I wouldn't want a doctor designing a secure web site for me.
No offense, but for something like medical records, stick to what you went to school for.
Re:Simple answer... (Score:4, Insightful)
Re:Simple answer... (Score:3, Insightful)
Too often have I seen professional designers choose technology over stability and form over function when it comes to implementing everyday tools. When it comes to m
Host-Based Auth (Score:3, Interesting)
Re:Host-Based Auth (Score:3, Insightful)
Re:Host-Based Auth (Score:1)
iButtons or other hardware keys (Score:2)
http://www.ibutton.com
-psy
It depends. (Score:3, Insightful)
How secure are the workstations? If the public can get at them then security is still a big concern. If not, a simple 4 digit pin as others suggested might be enough. However, if it's feasible that an unknown person could have a few minutes unobserved at the machine, then I would look for something a little more secure
How quick is quick? Smart cards, or USB keys could be quick, but if in a hurry, Doctors may not want to fumble around with something else they have to carry around... and what if they forgot it at home. Typing username - TAB - password - ENTER is usually very quick for anyone that has typed their username and password a few times. However, it could be inconvenient if the doctors are not usually standing/sitting with both hands free. What is the environment like? Do they sit at a desk, or quickly pass one of these terminals, click a few buttons, and continue on? If their time spent at the terminal is measured in minutes, 5 seconds to log on wouldn't be inappropriate. If it's measured in seconds, something quicker should be investigated.
What's the budget like? Bio-metric sensors are always an option, like a thumb print scanner. However, these would be slightly more costly than a small USB key, but eliminate remembering passwords/pins and carrying around an ID card/USB key.
Re:It depends. (Score:1, Insightful)
Depends on your security needs (Score:5, Insightful)
The quickest/easiest/cheapest way would be to use a standard mag strip reader or an RFID tag with no pin/password etc, just a swipe, and some way to "logout".
If more security is needed or possibly variable security needed (maybe 1st screen is kinda public domain, but to get more details you need more authentication), then a smartcard that uses its serial number as a token like in the RFID or mag strip example I just gave, and then the user would have to put in a PIN to get the more sensitive data.
The fortunate thing is that all 3 technologies are pretty inexpensive and easy to work with.
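The two-tier scheme in this post (card serial alone for the first screen, PIN for the more sensitive data), as an added Python sketch that is not from the thread or any product mentioned in it. The card serials, PINs and terminal ids are constructed; the timed edit window, the PIN-failure lockout and card removal as the logout are assumptions beyond what the post says.

```python
import hashlib
import hmac
import secrets
VIEW, EDIT = "view", "edit"  # the two tiers: swipe only, swipe plus PIN

def pin_hash(pin: str, salt: bytes) -> bytes:
    # Slow salted hash, so a copied table of 4-6 digit PINs cannot be read off directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class TieredAuth:
    def __init__(self, clock, edit_ttl=60.0, max_pin_failures=3):
        self.clock = clock                  # injectable clock returning seconds
        self.edit_ttl = edit_ttl            # seconds of edit access per PIN entry (assumed)
        self.max_pin_failures = max_pin_failures
        self.cards = {}                     # card serial -> (user, salt, pin hash)
        self.sessions = {}                  # terminal id -> session dict

    def enroll(self, user, serial, pin):
        salt = secrets.token_bytes(16)
        self.cards[serial] = (user, salt, pin_hash(pin, salt))

    def swipe(self, terminal, serial):
        # Tier 1: a known card serial alone grants view access on that terminal.
        if serial not in self.cards:
            self.sessions.pop(terminal, None)   # unknown card: no session at all
            return False
        self.sessions[terminal] = {"serial": serial, "level": VIEW, "failed": 0, "edit_until": 0.0}
        return True

    def enter_pin(self, terminal, pin):
        # Tier 2: the swiped card's PIN unlocks editing for edit_ttl seconds.
        s = self.sessions.get(terminal)
        if s is None:
            return False
        _, salt, expected = self.cards[s["serial"]]
        if hmac.compare_digest(pin_hash(pin, salt), expected):
            s.update(level=EDIT, failed=0, edit_until=self.clock() + self.edit_ttl)
            return True
        s["failed"] += 1
        if s["failed"] >= self.max_pin_failures:
            self.sessions.pop(terminal)         # lock out; a fresh swipe is required
        return False

    def can(self, terminal, action):
        s = self.sessions.get(terminal)
        return s is not None and (action == VIEW or
            (s["level"] == EDIT and self.clock() < s["edit_until"]))

    def card_removed(self, terminal):
        self.sessions.pop(terminal, None)       # pulling the card is the logout
```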
Re:Depends on your security needs (Score:2)
Don't require a session login, require an id and associated pin number with each data transaction.
Re:Depends on your security needs (Score:1)
If it were my institution, we've already got transponder-on-the-ID-card-based authentication for entry to ER, ICU, OR, etc. I'd just extend that system out to provide authentication. Define a logout key, and you're done.
If you're in a smaller environment, that would be a new expense, and maybe a hard sell to the admin. But it's totally HIPAA-t
Check out a Sun Ray solution (Score:2)
Try a different approach... instead of having to log in and out of a web page each time, log in once (per shift) and take your session with you.
The Sun Ray will allow you to log in using both your smartcard and your login/password combo.
Once logged in, you can launch your web browser and log into whatever you need (and whatever other apps you need).
Now, if you need to run away... just yank out your smartcard and the Sun Ray is available to someone else (they have to log in at this point).
When you got back,
Re:Check out a Sun Ray solution (Score:2)
Re:Check out a Sun Ray solution (Score:2)
Sounds like the server was VERY poorly configured.
The Sun Ray device itself does not determine the performance.
Any lag or performance issue will be due to a severely overloaded server, or poorly configured network.
I've set up multiple labs for universities, and they love them... no performance problems at all.
Hire me (Score:3, Insightful)
However I have a better one. Hire me! (Better for me, at least). But seriously, if you can't figure out the best solution, you certainly are not going to get it solved here. Bring in a consultant who specializes in this aspect of your business (ER management) and have them explain the options.
It is not clear what your requirements are, but I am not sure this is a good candidate for a "technology" solution. Charts are still the standard method for tracking in ER environments and a good old-fashioned white board is a pretty good way to track assignments. No matter what the solution, if the doctor has to go away from the patient to check status or update status the system is going to be always out of date (hence charts hanging on for so long).
I know this isn't the sexiest solution but you need to prepare yourself for the boring solutions when you present this problem.
SunRay or similar (Score:1)
A SunRay server + terminals would seem ideal here. Pop your smartcard in, log in once in the morning, pull the card out and walk away. Need to enter something? Walk to an available terminal anywhere on the same network and pop your card in again. Your session appears. Rinse, wash, repeat. No keyboard input except during the login.
If you have enough memory you can just keep the sessions running indefinitely. I would highly r
Something you have and something you know (Score:3, Interesting)
When the Dr walks up it unlocks and asks for a pin ( it already knows who you are ). Once the pin is entered you are set... once the RFID leaves range ( 5-8 ft ) the station would automatically lock. I personally think this would be the best of all worlds. I would not skimp on the proximity sensor for a card swipe since locking the station is still important, and the card is one more thing that they would have to keep clean. As much as the Slashdot crew hates RFID, it could be very handy, you have to admit.
Re:Something you have and something you know (Score:2)
iButtons (Score:2, Interesting)
Doctor arrives at work, logs in with his user/password then simply taps his ibutton on whatever system he wants to use. Hits the logout button when he's done, and moves on to the next machine.
Why do the login/pass thing in the morning? Because people lose small things like ibuttons. So each morning when you login (and for the next 8 hours or however long until the login ticket expires) what the ibutton supplies is the new "key". If you lose it, simply get a new one
Why authenticate? (Score:3, Insightful)
In an ER situation, there must be hundreds of things lying around that unauthorised people MUST NOT mess with, or people die and other people get fired. Just define the terminal as one of those things.
Stick a dummy video camera pointing at the keyboard, and tell all the unauthorised staff they'll get fired if they are seen touching it.
If you need to identify who is making entries, give every doctor a dedicated function key, and refuse any entries that are not preceded by a fkey press.
Re:Why authenticate? (Score:3, Informative)
Re:Why authenticate? (Score:3, Informative)
Mag Stripes, Edit Windows (Score:3, Interesting)
2) Keep a central authentication system, but also mirror authentication information locally to wherever a doctor authenticates so subsequent authentications go quickly.
3) Disallow record editing after hours without permission. Counsel doctors who habitually require after-hours editing.
Re:Mag Stripes, Edit Windows (Score:2)
4a) Remember that it's not your job to review the audit log and you should not unless subpoenaed.
4b) Consider getting an old ibm/lexmark proprinter, one of the old, built-to-withstand-ww3 fan-fold printers to have a paper copy of the logfiles.
4c) An even better model is where you prohibit the removal of records. When information must be corrected, an update is added such that the old and new in
Something like this: (Score:2)
You haven't really asked an answerable question, however, since you didn't tell us what the exact security requirements are.
e.g., just don't secure the damn thing would be a legitimate response in some circumstances (probably not this one, granted).
Identifying a suitable solution depends on determining just how 'secure' the system needs to be; there are different requirements for se
BlueTooth (Score:4, Interesting)
Go to lunch.. (Score:2)
BYPASS the terminals (Score:1)
Also, I'd bet money that there are already vendors or VARs who offer vertically-integrated solut
zerg (Score:2)
re: shiny things, consider a biometric fingerprint scanner [kk.org].
Other options (Score:1)
Depending on the level of security you need, you could just as easily not have any authentication at all, and just tell unauthorized users not to touch it.