Rapid Authentication Systems?
Barrington Johnson asks: "I am an emergency physician, and am looking for a solution for authentication which is compatible with rapid logons and logoffs. We have several web-based terminals into which we put information. The web application gives a real-time representation of the emergency department, so it is important that it is kept up to date. We have an opportunity to re-design our system, and I know that if I make the authentication process too difficult e.g. username+password, doctors will store up their data entry, and do it all in one go, removing the real-time usefulness of the display. At what level (application/browser/system) should authentication occur, and what method would be best?" Might a smartcard-based authentication system work well in this situation?
A nice device, allows override if you lose it, and instant unlock as need be.
wireless lock
I am an emergency physician
Hire a professional web designer that specializes in security. I wouldn't want people to expect me to be a doctor, and I wouldn't want a doctor designing a secure web site for me.
No offense, but for something like medical records, stick to what you went to school for.
Depending on your network setup, host-based auth might be best. You could assign a specific IP address based on a DHCP Client-ID and have the web app look up the client's address in a table to determine if it's allowed automatic access (i.e., to jump straight to an authorized state), or otherwise to prompt for a username/password, and thereby set the authorized state.
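The table lookup described in the comment above, written out as an added example (not code from the thread or from any poster). The terminal table, subnet and station names are constructed. The point it makes beyond the comment: the peer address identifies the terminal, not the person typing, so the decision carries the terminal name and leaves the user unknown, and a request that arrived through a proxy (where the peer address is the proxy's) is sent to the prompt rather than auto-authorized.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed terminal table: IP addresses handed out by DHCP reservation
# (keyed on the terminal's Client-ID) mapped to the station they sit at.
# These values are assumptions for the example.
TERMINAL_TABLE = {
    "10.20.30.11": "triage-1",
    "10.20.30.12": "bay-3",
}

# Only addresses on the terminal subnet are considered at all (assumption).
TERMINAL_SUBNET = ipaddress.ip_network("10.20.30.0/24")


@dataclass
class AuthDecision:
    state: str               # "authorized" (skip the prompt) or "prompt"
    terminal: Optional[str]  # which station this is, when known; never who is typing
    reason: str


def decide_auth(client_ip: str, forwarded_for: Optional[str] = None) -> AuthDecision:
    """Decide whether a request may jump straight to the authorized state.

    client_ip must be the TCP peer address the server observed, not a
    header the client can set. If the application sits behind a reverse
    proxy, the peer address is the proxy's, so a request carrying an
    X-Forwarded-For value is simply sent to the login prompt here.
    """
    if forwarded_for:
        return AuthDecision("prompt", None, "proxied request, peer address unverified")
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return AuthDecision("prompt", None, "unparseable client address")
    if addr not in TERMINAL_SUBNET:
        return AuthDecision("prompt", None, "outside terminal subnet")
    terminal = TERMINAL_TABLE.get(str(addr))
    if terminal is None:
        return AuthDecision("prompt", None, "address not in terminal table")
    return AuthDecision("authorized", terminal, "known terminal address")


if __name__ == "__main__":
    for ip in ("10.20.30.11", "10.20.30.99", "192.168.1.5", "not-an-ip"):
        d = decide_auth(ip)
        print(f"{ip:14} -> {d.state:10} terminal={d.terminal} ({d.reason})")
```

Because the decision names a terminal rather than a user, anything that must be attributed to a person (an entry in the patient record, for instance) still needs the username/password fallback or a second factor such as a card swipe on top of the host check.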
This is interesting. 5 seconds? That's slow.
Are these proximity-type cards? Can RF-based proximity-card readers be used with terminals?
I use a proximity card to enter university buildings, and it takes less than 1 sec for the reader to read my card, find my record in the authorized personnel database, and unlock the door. Instantaneous.
UID/pw usually takes more than 1 sec -- it depends on the length of UID and pw, and how fast the person can type.
How secure are the workstations? If the public can get at them then security is still a big concern. If not, a simple 4 digit PIN as others suggested might be enough. However, if it's feasible that an unknown person could have a few minutes unobserved at the machine, then I would look for something a little more secure.
How quick is quick? Smart cards or USB keys could be quick, but if in a hurry, doctors may not want to fumble around with something else they have to carry around... and what if they forgot it at home. Typing username - TAB - password - ENTER is usually very quick for anyone that has typed their username and password a few times. However, it could be inconvenient if the doctors are not usually standing/sitting with both hands free. What is the environment like? Do they sit at a desk, or quickly pass one of these terminals, click a few buttons, and continue on? If their time spent at the terminal is measured in minutes, 5 seconds to log on wouldn't be inappropriate. If it's measured in seconds, something quicker should be investigated.
What's the budget like? Biometric sensors are always an option, like a thumbprint scanner. However, these would be slightly more costly than a small USB key, but eliminate remembering passwords/PINs and carrying around an ID card/USB key.
I'm not sure how sensitive the data is, but I'm assuming it's relatively low. (Please don't go on a tangent here, there is little to no security involved with paper files...)
The quickest/easiest/cheapest way would be to use a standard mag strip reader or an RFID tag with no PIN/password etc., just a swipe, and some way to "logout".
If more security is needed or possibly variable security needed (maybe 1st screen is kinda public domain, but to get more details you need more authentication), then a smartcard that uses its serial number as a token like in the RFID or mag strip example I just gave, and then the user would have to put in a PIN to get the more sensitive data.
The fortunate thing is that all 3 technologies are pretty inexpensive and easy to work with.
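The two-tier scheme in the post above (card serial as a token for the first screens, PIN on top of it for the sensitive ones), as an added example that is not code from the thread. Everything in it is constructed: the card serial, the user name, the PIN, the screen-to-level map and the two-minute idle timeout. It goes a little beyond the post in two ways that a practitioner would want anyway: the PIN is stored as a salted PBKDF2 hash and compared in constant time, and every swipe, PIN attempt, screen view and logout is appended to an audit list, which is the "who viewed what, when" record that the HIPAA comment later in the thread says has to be producible on demand.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Access levels the two-tier scheme distinguishes.
PUBLIC, SWIPED, PIN_VERIFIED = 0, 1, 2

# Level each screen requires (constructed map for the example).
REQUIRED_LEVEL = {
    "board":   PUBLIC,        # department overview, no identifying detail
    "status":  SWIPED,        # update a status: the swipe says who did it
    "details": PIN_VERIFIED,  # full record: swipe plus PIN
}

IDLE_TIMEOUT_SECONDS = 120  # assumption: drop back to PUBLIC after two idle minutes


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Stored PINs are salted PBKDF2-SHA256 hashes, never the raw digits.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pin_hash: bytes


# Constructed directory keyed by card serial, the token read from a mag
# stripe, RFID tag or smartcard. Name, serial and PIN are made up.
_salt = os.urandom(16)
USERS = {"CARD-0001": User("dr.jones", _salt, hash_pin("4821", _salt))}


@dataclass
class Session:
    user: Optional[str] = None
    level: int = PUBLIC
    last_seen: float = 0.0
    # Audit trail entries: (time, user, action, outcome)
    audit: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def _log(self, now: float, action: str, outcome: str) -> None:
        self.audit.append((now, self.user or "-", action, outcome))

    def touch(self, now: float) -> None:
        """Expire the session if the terminal sat idle too long."""
        if self.level > PUBLIC and now - self.last_seen > IDLE_TIMEOUT_SECONDS:
            self._log(now, "idle-timeout", "logged out")
            self.user, self.level = None, PUBLIC
        self.last_seen = now

    def swipe(self, serial: str, now: float) -> bool:
        """Tier 1: a recognised card serial identifies the user."""
        self.touch(now)
        user = USERS.get(serial)
        if user is None:
            self._log(now, "swipe " + serial, "unknown card")
            return False
        self.user, self.level = user.name, SWIPED
        self._log(now, "swipe", "ok")
        return True

    def enter_pin(self, pin: str, now: float) -> bool:
        """Tier 2: PIN on top of the swipe unlocks the sensitive screens."""
        self.touch(now)
        if self.user is None:
            self._log(now, "pin", "no card swiped")
            return False
        rec = next(u for u in USERS.values() if u.name == self.user)
        if not hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash):
            self._log(now, "pin", "wrong pin")
            return False
        self.level = PIN_VERIFIED
        self._log(now, "pin", "ok")
        return True

    def logout(self, now: float) -> None:
        self._log(now, "logout", "ok")
        self.user, self.level = None, PUBLIC

    def access(self, screen: str, now: float) -> bool:
        """Return whether the current level is enough for this screen."""
        self.touch(now)
        allowed = self.level >= REQUIRED_LEVEL[screen]
        self._log(now, "view " + screen, "allowed" if allowed else "step-up required")
        return allowed


if __name__ == "__main__":
    s = Session()
    s.swipe("CARD-0001", now=0.0)
    s.access("details", now=1.0)       # refused until the PIN is entered
    s.enter_pin("4821", now=2.0)
    s.access("details", now=3.0)       # now allowed
    for entry in s.audit:
        print(entry)
```

The swipe alone is what keeps the real-time board usable: a status update costs one card read. The PIN is only asked for when someone opens a record, and the idle timeout covers the "some way to logout" part when nobody remembers to.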
One suggestion here is to hire a security professional. That is not a bad idea.
However I have a better one. Hire me! (Better for me, at least). But seriously, if you can't figure out the best solution, you certainly are not going to get it solved here. Bring in a consultant who specializes in this aspect of your business (ER management) and have them explain the options.
It is not clear what your requirements are, but I am not sure this is a good candidate for a "technology" solution. Charts are still the standard method for tracking in ER environments and a good old-fashioned white board is a pretty good way to track assignments. No matter what the solution, if the doctor has to go away from the patient to check status or update status the system is going to be always out of date (hence charts hanging on for so long).
I know this isn't the sexiest solution but you need to prepare yourself for the boring solutions when you present this problem.
It seems like you could use a Bluetooth device to authenticate. The same way that if you have a Bluetooth cell phone the screensaver on a Mac will shut off when you get close to the system.
I work for a medical software company. Due to HIPAA regulations, if we even have PHI on our PC, even if it's not being displayed, we have to lock the PC when we aren't there. All hard copies have to be locked up and disposed of in a secure container. We also have to be able to disclose to our customers and their patients who viewed what data when and for what purpose if demanded of us, so all access has to be authenticated.