Date of Award

Spring 2012

Degree Type

Thesis (Restricted access)

Degree Name

Master of Science in Information Technology Leadership (MS ITL)


Computer Science

First Advisor

Stephen Longo


When working with sensitive information about people, it is imperative for the privacy, safety, and wellbeing of these individuals to be protected. Several factors, which must be considered, include the physical security mechanism (e.g. locking an office containing the workstation), the administrative procedures put in place to regulate the access (e.g. implementing organizational policies in accordance with state, local, and federal laws), as well as the application of the logical, electronic methods to ensuring access to this sensitive information is controlled (e.g. user authentication, access control). Thus, user authentication can be a cumbersome task for employees of any organization within the public and private sectors, especially if they work with confidential electronic information on a daily basis and/or have to remember a unique password for several applications. Also, many employees with multiple responsibilities do not always remember to lock their workstations and/or mobile devices, or ensure that their devices are secured from theft, resulting in a possible data breach. Further, these individuals are inclined to call Help Desk, or to write down their passwords, as many factors, such as password length and frequency in required password resets, affect their timely response to other matters for which they are responsible. With this lack of attention and/or due diligence toward ensuring the security of confidential information, especially concerning protected health information (PHI) of patients, the privacy and security of people are threatened.

Throughout this paper, we will first examine how unauthorized access to patients’ sensitive information violates their right to privacy and security. In this section, we will investigate laws that protect such information, including HIPAA and HITECH for patient information, and how state laws can override HIPAA legislation. Secondly, we will use case studies from several medical-based organizations to examine instances of data breaches caused by unauthorized access to workstations. Thirdly, we will investigate the advantages and disadvantages of using system and/or software resources to automatically lock computing devices after a period of inactivity, and to effectively authenticate users, and to encrypt data, along with other security methods.

In the latter portion of this paper, we will discuss the implementation of a software and hardware-based solution, called single-sign-on (SSO), and the many different configurations, such as utilizing it in a cloud-based environment. First, to fully understand the purpose of SSO, we outline traditional methods to authenticate users and secure workstations, such as using operating system password options and timeout capabilities. Secondly, we will compare the traditional password and workstation security options to that of SSO. Thirdly, we will visit case studies of medical institutions’ approaches to devices and password security, and what methods their leaders sought to ensure its effectiveness. Finally, we will outline a plan to implementing user authentication using Einstein Healthcare Network as a study for this plan. We will discuss several SSO options, comparing the features and cost effectiveness of each, as well as discuss how these options interface with other security measures taken, including encrypting workstation hard drives.


This capstone is restricted. Permission from the authors is required in order to access this document.