Biometrics and SSO Treat Password Disease at Prescription Solutions
August 9, 2005 Alex Woodie
Prescription Solutions had the password disease. The company’s 300 call center workers needed access to a dozen or more applications running across OS/400, VMS, and Windows servers. Each application required a separate password, and, as you might expect, the workers had trouble memorizing them, which led to the “Post-It” note syndrome and increased the help desk’s workload. But after installing single sign-on (SSO) software from BNX Systems and fingerprint scanners, the company got the upper hand on this crippling affliction.

Prescription Solutions is a pharmacy- and medical-management company that handles the prescription drug benefits for commercial, Medicare, and governmental health plans. More than 5 million people use Prescription Solutions for their pharmacy- and medical-management needs, and they buy more than $2.6 billion in pharmaceuticals every year. These people can order prescriptions from the company through its Web site, www.rxsolutions.com, or over the telephone.

Helping customers on the other end of the phone line are 200 call center workers at Prescription Solutions headquarters in Costa Mesa, California; the company also staffs a 100-person call center at its mail-service pharmacy down the road in Carlsbad. These 300 call center workers represent the frontline of Prescription Solutions’ interaction with its customers and its “high-tech/high-touch” approach to customer service.

The Password Disease

One of the unfortunate side effects of the high-tech approach, however, is a complicated array of 12 to 15 applications that call center workers must navigate to do their jobs. These applications included an OS/400-based claims-adjudication application called RX Claims, which is the primary application used by the workers; a VMS-based application called RX Express; several healthcare applications hosted by Prescription Solutions’ corporate parent, PacifiCare Health Systems; the Aspect call center software; and several Windows NT-based applications.

Mike Wallace, the company’s manager of technical services, says the form of authentication used in these systems–user name and password–was having a harmful impact on productivity.

“They stay at one workstation and use different emulation screens. For each application, they have to log into the systems, and each one requires a different log in,” Wallace says. “We were seeing log-in times in excess of 15 minutes per person per day.”

As if remembering 12 to 15 different passwords wasn’t bad enough, Prescription Solutions–as a publicly traded company in the healthcare business–also enforced a strong password policy that required users to change their passwords every 60 days on some systems, including RX Claims. With several dozen passwords to remember throughout the year, it’s no wonder users sought their own solution to the password problem: Writing passwords down on Post-It notes, and attaching them to their monitors.

This is a major offense in any corporate environment, but especially in the healthcare business, where the Health Insurance Portability and Accountability Act (HIPAA) mandates that companies like Prescription Solutions maintain strict controls over accessibility to consumers’ private health data. Prescription Solutions says the Post-it Notes themselves were not compromising the patient data in any way, as the system had multiple safeguards, and personnel access was strictly controlled. But they did graphically illustrate that the system had become complex and inefficient for the end users.

Last but not least was the Prescription Solutions IT help desk, where call center workers (or “customers,” as Wallace refers to Prescription Solutions employees) locked out of the servers due to a forgotten or expired password would eventually wind up. According to Wallace, password resets accounted for about half of all calls to the help desk, or about 30 password reset calls per day.

“From a customer perspective, it was getting confusing and causing a lot of headaches,” Wallace says. “It was imperative to employ a solution that would provide end users the ability to sign into all applications at one time.”

SSO Research and Vendor Evaluation

Wallace knew he needed to simplify the log-in process if he was to reclaim the hours his call center and help desk employees lost to the passwords. But before committing to purchasing an SSO solution, Wallace sought to find out exactly how much money he was losing. He set up a study of 300 users, and found that if each user saved 10 minutes per day in the log-on process, the company would benefit to the tune of $200,000 per year in reduced log-on times and reduced calls to the help desk.

Wallace took the same methodical approach to his vendor evaluations as he did to modeling his password problem. “We take all of our requirement criteria and build it into a scorecard. We rank the vendors on how prevalent they are in the marketplace, and the time and cost of the solution. We rank them with RFPs (requests for proposals) and face-to-face meetings and references. Then we come up with a score. We don’t do anything unless we look at three vendors,” he says.

The three identity management software vendors that Wallace looked at were BNX Systems, an independent Vienna, Virginia, software company; Verinex Technologies, which is now owned by Jack Henry & Associates of Missouri; and Waveset Technologies, now owned by Sun Microsystems of Silicon Valley. BNX, which Wallace says was more responsive to providing reference requests than others, ranked a nearly perfect score in Wallace’s system–99 out of 100. So that’s the vendor he went with.

Implementation and Enrollment

Prescription Solutions chose the BNX Authenticated Sign-On solution to address its password problem.
BNX Authenticated Sign-On is the combination of two Windows-based BNX software products: BNX Enterprise Single Sign-On, a centralized password-replacement solution with about 80 pre-built adapters to existing applications and architectures, and BNX Authentication, which enforces role-based access controls, and works with about 30 authentication devices, including fingerprint and iris scanners, facial-recognition products, proximity devices, smart cards, and USB tokens.

In late 2004, BNX technicians arrived at Prescription Solutions’ Costa Mesa office to implement the Authenticated Sign-On software, integrate it with the company’s various OS/400, VMS, and Windows NT applications, and install the Sony PUPPY FIU-600 fingerprint scanners, which connect to PCs via USB connections and cost about $100, according to the Sony Business Solutions Web site.

The BNX technicians wrote the code connecting the BNX software to the back office applications, using either a combination of BNX’s existing connectors for Windows, Web, Citrix, and ActiveX controls, or writing the integration code from scratch. “The ‘400 was the more complex one. It was completely customized for us,” Wallace says. “It was a little bit of a challenge at first. . . Now we have the confidence to write our own connectors.”

Prescription Solutions experienced difficulty implementing the BNX software utilizing Windows SQL replication, which it had wanted to do to ensure the availability of the system. “We did have an issue with the SQL replication,” Wallace says. Instead of using SQL Server replication, the team utilized Windows SQL clustering and replicates all passwords utilizing its storage area network (SAN), which keeps the SSO system in high availability mode and backed-up.

Once the software and fingerprint scanners were installed, it was time to train the users and complete the enrollment process.
The enrollment process took a bit longer than it might have, mostly because the company had a large volume of calls to deal with, and it didn’t want to disrupt service levels. After 30 days, each of the 200 call center workers at the Costa Mesa office was enrolled in the system. Prints of two fingers are kept on file for each user, in case one of their fingers is hurt or bandaged.

Some of the call center workers had a little trouble operating the PUPPY scanners at first, Wallace says. Dirty fingers, finger-on-scanner misalignment, or logins without a positive finger scan each presented problems. “But there was nothing from an administrative perspective,” he says. Concerns about privacy–which Wallace and his crew had anticipated might be an issue among the workers–never materialized.

Results and Advice

Today, when Prescription Solutions call center employees arrive at work, their PC is already booted, and the BNX log-in screen is displayed on the monitor. They put their fingerprint on the PUPPY, enter a single password, and–voila!–they have immediate access to all of their applications for the rest of the day, or until they log off.

All user log-in and log-off activities are monitored by the BNX software, providing Prescription Solutions managers with data for HIPAA reports that show they are maintaining strict access to consumers’ private health data, and that users are not sharing passwords.

The new single sign-on technology has had a palpable impact on Prescription Solutions. The amount of time the workers spend logging into the systems has been slashed from 15 minutes per day to five minutes per day. Users don’t have to remember multiple passwords (and they don’t have to remember to change them, either). What’s more, the volume of calls to the help desk has dropped by about 50 percent, Wallace says.

Prescription Solutions has realized the savings that Wallace predicted it would with his study before the implementation.
Wallace estimated the company has made back the money that it invested in the software–a little more than $100,000–in about six months. The implementation is covering 300 people today, and when the company opens its new fulfillment center in the Midwest, slated for this year, it will have approximately 600 employees using the single sign-on system.

Wallace provides this advice to other IT managers considering an enterprise single sign-on solution. “Always do your homework and research the vendors. Create a well-documented plan, and look into the details of what you’re trying to do. If it was only a couple of applications, it might not have been the right thing for us to do. But given the amount of applications our users had to log into, it was the right solution for us.”