Single Sign-On Integrations

Healthcare providers, large and small, are overwhelmed with disparate systems, with providers manually jumping from system to system during their daily routine.  With the need to support cross-system workflows, sharing patient and user context has never been more vital than it is today.  Single sign-on (SSO) integrations at Galen Healthcare Solutions go well beyond basic authentication, enhancing Allscripts Enterprise and Professional workflows by incorporating third-party applications into the EHR, sharing patient and user context, and even handling real-time context changes.  In an effort to eliminate many of the challenges, risks, and overhead costs associated with implementing an SSO integration, Galen has developed a framework with functionality for handling login requests and responses, patient and user context sharing, and sharing sensitive data.  With the Galen framework as a starting point, focus can be placed primarily on designing the integration to optimize the particular workflow, knowing the core functionality is already rock solid.

SSO integrations provide more than just single sign-on functionality and are appropriate for optimizing any workflow that benefits from the following features.

  • Enable end-users to jump between applications seamlessly, saving precious time and allowing the user’s focus to remain on the workflow.
  • Eliminate the need for users to remember numerous login credentials.
  • Promote the utilization of systems that are otherwise avoided due to the inconvenience of accessing them.
  • Share data between the integrated systems.

Single sign-on integrations can vary greatly in implementation; however, they are designed to solve a major issue caused by the use of multiple, disparate systems: repeated authentication.  The number of credentials one can commit to memory is limited, and the act of opening an application and entering login credentials takes the user away from the intended workflow and costs precious time.  By configuring an application to authenticate using domain credentials against an Active Directory domain controller, many applications can achieve “single sign-on” functionality with little or no development effort.  This requires that the application specifically supports Active Directory or LDAP authentication, and assumes end-users have domain credentials.  As an alternative, Galen’s SSO integrations also handle authentication, but are designed to provide optimized solutions by placing the integration within the context of a workflow.  Additionally, unlike SSO achieved via domain authentication, Galen’s SSO integrations can deliver context-sensitive information, right from within the EHR.

Feature Comparison

Domain SSO Galen SSO

Integrated Login

Application Context Sharing

Launch from within EHR

To provide context-sensitive integrations, Galen’s Enterprise SSO integrations leverage Allscripts’ Universal Application Integrator (UAI) to place a button within any toolbar inside the EHR’s views.  For example, a provider may wish to review a patient’s health record in a healthcare information exchange (HIE) portal to check for discrepancies on the patient’s chart.  Not only would the button in the EHR open the HIE portal, logging in the provider automatically, but it would also pass along the patient in question, allowing the HIE portal to immediately display that patient’s clinical data.  In this scenario, scrutinizing the patient’s chart against the HIE can become part of the provider’s standard workflow rather than an extraneous task requiring portal login and searching for the patient manually.  Custom integrations can even incorporate third-party web applications, like this HIE portal, directly inside a new tab of the Allscripts Enterprise UI.  In this scenario, the user doesn’t even need to bother with a second browser window.


Integration Styles: Benefits and Drawbacks

Single-Click Button Integration with UAI

Benefits:

  • Button is easily deployed via EEHR admin screens to specific views.
  • Integrated application is started in its own browser window, avoiding cross-application incompatibilities.
  • Supports launching thick-client applications.

Drawbacks:

  • Requires that the UAI desktop agent is deployed to all end-user client systems.
  • More difficult to handle changes to patient context after the external application is launched.

Custom Tab within Enterprise EHR

Benefits:

  • Can handle EHR patient context changes gracefully even after the external application has been interacted with.
  • External application is displayed within the EEHR user interface for a more seamless integration from the user’s perspective.

Drawbacks:

  • Application within another application can be awkward to end-users depending on the user interface of integrated application.
  • More difficult and time consuming to implement.
  • Potential JavaScript compatibility issues.
  • Only supports integration with other web-based applications.

Challenges at a Glance

  • Handling real-time patient context changes.
  • Using encryption to secure communication between the integrated systems.

Whether an SSO integration opens in a new window or as a tab within the EHR, it is important to handle context changes gracefully, and doing so can be challenging.  How context changes should be handled is usually unique to a particular SSO integration.  Using the previous HIE portal integration example, the provider may want the HIE portal to switch the displayed patient when he or she changes patient context in the EHR.  Other integrations that Galen has implemented even met requirements to have the integrated application exit completely on patient change.  Galen implements these complex context-based behaviors by leveraging the same events Enterprise EHR raises to trigger user interface updates during a patient context change.  This ensures that context changes are handled quickly and reliably.  However, it is also important that the context changes are handled securely.

Encrypted communication between integrated systems is the other primary challenge associated with an Enterprise SSO integration.  Although the National Institute of Standards and Technology (NIST) has established national encryption standards, such as the Advanced Encryption Standard (AES), and more recently the family of Secure Hash Algorithms (SHA), many software vendors leverage less common, and even obsolete, encryption algorithms to secure data communication.  Other vendors have even chosen to customize standard cryptographic functions and, in extreme circumstances, develop completely custom implementations of encryption standards to enable SSO.  While Galen advocates the use of standard, cryptographically secure algorithms, it has experience in implementing those customizations, such as a custom version of RC4, and even retrofitting OpenPGP file encryption libraries.  Vendor-specific custom encryption implementations become a part of the standard Galen SSO framework and implementation process, allowing future integrations with the same vendor to benefit from that experience.  As a result, Galen has had tremendous success interfacing with vendors, regardless of their security requirements.
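As an added illustration of the standard-algorithm approach advocated above (this is not Galen's framework code or any vendor's API), the sketch below protects a launch context with AES-256-GCM so the receiving application can reject an altered patient identifier or a stale token. The function names, the token layout, the 60-second lifetime and the sample values are all assumptions made for the example.

```javascript
const nodeCrypto = require("crypto");

const MAX_AGE_MS = 60 * 1000; // assumed token lifetime, not from the article
const IV_LEN = 12, TAG_LEN = 16;

// EHR side: encrypt and authenticate the launch context with AES-256-GCM.
function sealContext(key, context, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh nonce for every token
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.from(JSON.stringify({ ...context, issuedAt: now }), "utf8");
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  // Assumed layout: nonce | authentication tag | ciphertext, URL-safe base64.
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString("base64url");
}

// Receiving application: returns the context, or throws if the token was
// modified, sealed under another key, or is outside its lifetime.
function openContext(key, token, now = Date.now()) {
  const raw = Buffer.from(token, "base64url");
  if (raw.length <= IV_LEN + TAG_LEN) throw new Error("token too short");
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  const body = Buffer.concat([
    decipher.update(raw.subarray(IV_LEN + TAG_LEN)),
    decipher.final(), // throws when the tag does not verify
  ]);
  const context = JSON.parse(body.toString("utf8"));
  const age = now - context.issuedAt;
  if (!(age >= 0 && age <= MAX_AGE_MS)) throw new Error("token expired or not yet valid");
  return context;
}

// Wrapper that reports the outcome instead of throwing.
function tryOpen(key, token, now) {
  try {
    return { ok: true, context: openContext(key, token, now) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample values: a random shared key and a made-up user and patient.
const demoKey = nodeCrypto.randomBytes(32);
const demoToken = sealContext(demoKey, { user: "dr.example", patientId: "TEST-0001" });
console.log(tryOpen(demoKey, demoToken));
```

A token that verifies can still be replayed inside its lifetime, so a receiver would also record each nonce it has accepted and refuse a repeat.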

While securely handling patient information during single sign-on is a critical aspect of all integrations, the value of a Galen SSO integration is its ability to fit seamlessly within the EHR and existing workflows.  Indeed, SSO integrations effectively minimize or eliminate disruptions to a workflow caused by manually accessing an external application.  Furthermore, the volume of SSO integrations Galen has implemented has resulted in an extensive library of code designed to handle all of the nuances of facilitating SSO from within Allscripts Enterprise.  Additionally, the Galen SSO framework streamlines development, ensuring high-quality and predictable results, all while reducing project timelines and cost.  The end result is another safe, affordable and high-value service offered to our clients.


About the authors:

Michael Commo is an integration analyst and software engineer focused on developing Galen’s custom integration and software solutions.

Michael Tamlyn is an integration architect and is responsible for the standards, platforms, and tools that act as the foundation of Galen’s custom integration and software solutions.

  1.
    Great article, Michael and Michael. SSO is always a challenge. Do either of you know if Allscripts supports SSO via SAML? THANKS!

  2. Mike Tamlyn

    Thank you for your question. My understanding is that Enterprise EHR does support SAML via Unity’s SOAP-based endpoints.

