Imprivata Blog

December 21, 2011 at 2:19 PM by Ed Gaudet

Data breaches in healthcare are certainly not new. Most data breaches today occur when electronic patient information (known as “protected health information” or PHI in the HIPAA regulation) is stored unencrypted on a device that is lost or stolen. All of the data breach laws in effect today state that as long as the data or device are encrypted, there is no data breach and therefore no liability or legal remedy. So if it’s that easy, why does the number of breaches in healthcare continue to grow at alarming rates?

December 7, 2011 at 1:28 PM by Mae-ellen Gavin

On November 30, 2011 HHS announced that they approve of the proposed push of Stage 2 Meaningful Use from 2013 to 2014 that has been talked about since July of this year.  But who does this decision really impact?

December 5, 2011 at 10:39 AM by Michael Bilancieri

Today, Teradici have released Teradici PCoIP® Firmware release 3.5. Within this firmware update is code specifically designed to integrate with a new API from Imprivata that enables full No Click Access™ from a Teradici-enabled PCoIP zero client.  This integration supports strong authentication with just the tap of an access card or ID badge to automate the process of bringing the user directly to their virtual desktop.

December 1, 2011 at 2:38 PM by James Millington

Thanks again to everyone who joined us for a very interactive webinar to learn more about how Imprivata OneSign can save clinicians more than 15 minutes per day. We had more than 40 questions during our Q&A session and have provided a transcript below of the most common questions.

October 26, 2011 at 8:12 AM by James Millington

Saving clicks for clinicians – Imprivata OneSign verified as Citrix Ready

By combining the benefits of roaming desktops with the simplicity of No Click Access delivered by Imprivata OneSign, clinicians can now access Citrix XenDesktop or XenApp with the tap of a badge or swipe of a fingerprint - enabling clinicians to dedicate more of their time with their patients and less time with the computer.

October 24, 2011 at 8:01 AM by Chris Feeney

Fast User Switching is a term that can often be confused because it can be applied to an application workflow or a workstation that is shared among different users.  For example, in the healthcare field, many Electronic Medical Record (EMR) vendors have a feature built-in that allows a user to “suspend” or “log off” the application without actually closing the application down, thus requiring the user to have to restart the application.  This feature is primarily a time saver and is most often seen in an Outpatient care model where a patient comes in for an appointment but is not being admitted to the hospital.

October 24, 2011 at 7:39 AM by James Millington

Healthcare has the reputation of being highly resistant to change, that paper based systems are the best solution and that clinicians will simply not use any replacement. Why else would a hospital have to prove that they are meaningfully using new technology in order to receive the HITECH funding? Couldn’t we just trust them? So who’d have thunk it that in a survey of 477 IT professionals across multiple industries, it’s healthcare that are leading the way in the deployment of desktop virtualization!

October 6, 2011 at 8:25 AM by Karen Breault

Over the past few months, the Solutions Database located within our online Customer Center has undergone a number of improvements to provide you with a reliable and effective source of information for addressing common product issues and questions. The improvements include enhanced searching capability, content reliability, and format consistency.

September 22, 2011 at 8:47 AM by Jeff MacLellan

I often have conversations with customers about the level of effort that is required to support OneSign once it is deployed. We usually talk about the resources that are required to work on testing new application profiles or changes to existing profiles, but if you back up one level, you will see the X factor. 

September 15, 2011 at 9:20 AM by Ed Gaudet

Following the announcement that NHS Scotland had selected Imprivata to provide single sign-on for all of its health workers across Scotland, the Scottish Government has published an update to their e-health strategy for 2011-2017.

September 12, 2011 at 2:48 PM by Pieter-Jan Boone

Today, a new partnership with PhoneFactor has been announced, offering  a new way of authenticating to complement the broad range of existing authentication modalities supported by Imprivata OneSign and OneSign Anywhere. PhoneFactor is two-factor authentication working out-of-band, and requiring nothing but a regular phone.

September 9, 2011 at 2:28 PM by Ed Gaudet

To round out VMworld 2011 I wrote another guest blog for SearchHealthIT summarizing why I think healthcare has made a significant move into desktop virtualization in the last 12 months. Now that’s done, what about the next big thing? What about the cloud? The feeling this year was health care is still three years away from public cloud adoption. Are you seeing the same thing in your hospital? Do the VMworld trends match your IT priorities over the next 12 months? I’d love to hear your comments…

September 6, 2011 at 2:30 PM by Ed Gaudet

VMworld was markedly different from a healthcare IT point of view this year. I wrote a guest blog for HealthITExchange summarizing a few of my thoughts which you can find here. Were you at VMworld this year? What was your impression?

August 31, 2011 at 8:50 PM by Ed Gaudet

VMworld 2011: From the Show Floor -  Part 3

The highlight of today was undoubtedly the customer panel in the session Healthcare and the Journey to the Cloud- State of the Industry.

August 31, 2011 at 7:05 PM by Nicole Bates

Is Your Agency in Compliance with the FBI CJIS Advanced Authentication Security Policy?

Many agencies that I’ve spoken to are not aware of the Advanced Authentication requirements of the FBI CJIS Security Policy 5.6.2.2 and are therefore not aware that they may be in breach of this requirement. This video will quickly enable you to find out whether you may be in breach and how Imprivata can put you back in compliance.

August 30, 2011 at 3:41 PM by Ed Gaudet

Day 2 is now in full swing at VMworld 2011. We had a very busy Day 1 yesterday. While the show attendance was clearly impacted by Irene, it sure feels like there are 15,000+ VMworld attendees here in sunny Vegas.

August 29, 2011 at 1:18 PM by Michael Bilancieri

I’m extremely excited about our participation in this year’s show particularly the opportunity to demonstrate the results of our collaboration and integration with some of our partners. Imprivata is working in conjunction with VMware, Teradici, Dell, and VCE to showcase our joint solutions, which showcase VMware View serving up virtual desktops,

August 29, 2011 at 1:11 PM by Jeff MacLellan

Professional Services are not something that should only be considered during the initial implementation of Imprivata OneSign.  As our customer base has grown through the years, we’ve seen their personnel come and go, departments change, infrastructure develop and new technology appear. What doesn’t change is the need to provide simple secure access even though regulations get more rigorous and security threats become greater.

August 26, 2011 at 1:25 PM by James Millington

Imprivata Zeroes in on VMworld 2011

Head over to the Imprivata booth #1070 to take a look at the tech preview of the joint development between Teradici and Imprivata. And just in case it’s too busy to get close, you can also see it at the VMware, Teradici, Dell and VCE stands. Yes, it’s that cool.  While you’re there, ask Michelle for some sonic rocks – I hear they’re kind of fun...

August 24, 2011 at 1:46 PM by James Millington

We are very excited to have Ron Cornett from Radiology Ltd. presenting our customer webinar on Thursday  August 25th at 1pm EST. 

So if you would like to give hours of reading time back, improve PHI security, improve user satisfaction, reduce helpdesk calls and improve your HIPAA compliance (and really, who wouldn’t…) don’t miss this great opportunity to listen to, and chat with someone who’s been there, done it and got the T-shirt.

August 16, 2011 at 3:23 PM by Michael Bilancieri

The Siemens show has been fantastic. What a great group of people, from Siemens and their customers, as well as all the other great Siemens partners that are participating. What are we hearing? Signing on to desktops and applications is extremely painful! Remembering all the different passwords, trying to type them in while a patient is waiting for you, the time it takes for the applications to load… We need to simplify access to EMR and hospital IT systems for our clinicians! For those that know Imprivata, and for those that have been introduced to us this week, the response has been consistent; We can simplify access saving clinicians 15 minutes per day and help drive EMR adoption.

August 15, 2011 at 1:58 PM by Mae-ellen Gavin

The Meaningful Use Analysis presented at the recent HIT Policy Committee Meeting indicates that 2,246 Eligible Professionals and 100 Hospitals have attested successfully.  That’s a good start to EHR Adoption; with Stage 2 potentially delayed for these earlier adopters it will be interesting to see how many more attest to Meaningful Use in 2011.   

August 10, 2011 at 9:02 AM by Karen Breault

Imprivata is pleased to announce the availability of the Imprivata Dedicated Technical Support Engineer (DTSE) program.  The DTSE program is designed for customers with mission critical environments where security and regulatory compliance make personalized support relationships essential.

July 20, 2011 at 1:56 PM by John Clark

In February we announced our integration between OneSign and the Epic authentication API to provide fast No Click Access™ into the EpicCare application with just the tap of a badge or the swipe of a fingerprint. This was actually version 2 of our integration with Epic with the big leap for version 2 being the use of the Epic APIs. This further integration provided Imprivata customers with the same simple login experience whether they were in the ambulatory environment, inpatient environment, or carrying out medication order signing or CPOE transactions.

July 5, 2011 at 1:13 PM by Mae-ellen Gavin

As leaders in technology adoption, Radiologists are starting to look to biometrics to help provide No Click Access to the various systems and places they need to authenticate.  The recent article on auntminnie.com highlights Radiology Ltd. in Tucson, AZ who has 50 Radiologists using Imprivata’s OneSign product to remove the burden of having to enter multiple logins and remember passwords.

June 2, 2011 at 9:16 AM by Brian Mullins

Study spotlights the value of single sign-on solutions for hospitals seeking meaningful use credits

An eye-opening new study that was just released from the Ponemon Institute revealed roughly 60 percent of the more than 400 healthcare IT respondents believe that single sign-on (SSO) solutions support their organizations’ efforts to demonstrate the “meaningful use” of EMR adoption.

May 12, 2011 at 11:53 AM by James Millington

As the trends of mobility and cool devices take more and more of our users outside the enterprise walls we run the risk of undoing all of the good work, security and cost savings that we’ve managed to put in place. If IT can’t, or doesn’t want to install agents to all of these new devices, how do we get our authentication and single sign-on to work?

May 6, 2011 at 8:56 AM by Mae-ellen Gavin

On April 21st, the HIT Policy Committee Certification/Adoption Workgroup held a meeting to discuss Electronic Health Record (EHR) usability. The discussions provoked a variety of opinions and thoughts on setting guidelines as part of Stage 2 Meaningful Use.  What needs to be highlighted in these discussions is the difficulty physicians experience in accessing EHR and other healthcare IT systems. It is important to address the amount of time physicians spend remembering multiple usernames/passwords, waiting for a computer to boot up, accept their credentials and finally get them to the right place in the patient’s chart. These vital minutes lost could instead turn into increased time spent with patients and an increase in revenues. 

Usability begins with pre-login to the EHR solution. Providing physicians No Click Access™ to patient information saves time and will help move Meaningful Use and physician adoption of EHRs in the right direction.

April 27, 2011 at 1:07 PM by Michael Bilancieri

Security compliance often requires complex passwords – causing user frustration and helpdesk calls.  Jon Wu, System Engineer at Verity Credit Union, joined me for a webinar on how SSO helped Verity increase user productivity and customer satisfaction. Below is the transcribed Q&A from the webinar. View the full webinar here:

Question 1:
Did auditing play a role in your decision to buy single sign-on, and has it helped with reporting on user access?

  • Answer: Yes it did. When we first mentioned that we would be getting a password program, users were nervous. They thought, “is this password program going to remember all of my passwords and keep it secure?” When we presented to Imprivata, they said no problem, it’s all taken care of. From end to end the passwords are encrypted. Imprivata takes care of both situations, and we don’t have to worry about it being exposed in any way.
March 22, 2011 at 11:23 AM by Brian Mullins

As we all know, the CJIS policy is now final and mandates that all agencies must have enforced unique IDs and strong passwords by September, 2010, and that all agencies must comply with the CJIS Advanced Authentication requirement by 2013. However, if your agency has performed a system upgrade after 2005, the 2013 deadline advances to the time of the upgrade. If your agency is audited and found not to be in compliance with the CJIS policy, it could face losing access to CJIS systems.

February 7, 2011 at 1:06 PM by Michael Bilancieri

Last week, ecfirst's CEO, Ali Pabrai joined me for a live webinar that discussed a checklist for healthcare IT Security compliance. If you missed the webinar, you won't want to miss this -- we've gone ahead and transcribed our answers from the Q&A session.

Question 1:
Where can I go to find out exactly which set of rules / regulations apply to my business?  There are so many different ones which change often that it's difficult to stay current.

  • Answer: That is one of the areas that must be addressed in a comprehensive risk analysis activity. It’s critical to keep up with HITECH Act changes. The best source is the OCR site at www.hhs.gov. Also, it’s important to keep up with State regulations, especially CA, Massachusetts, etc.
January 26, 2011 at 2:44 PM by Brian Mullins

Imprivata experienced a record-breaking year in 2010, punctuated by several prestigious awards and first place ratings from leading industry organizations. These honors underscore our dedication to providing customers and partners with exceptional technology and services, and help to further define Imprivata as the leader in single sign-on (SSO) and access management. We are extremely proud of these accolades, and wanted to share with you a few of the high points from 2010...

January 13, 2011 at 12:13 PM by Brian Mullins

Joining us from Memorial Healthcare is Frank Fear, the VP of Information Systems.  Frank will share his experience with Imprivata OneSign dating all the way back to 2005, including the evolution of their implementation from fingerprint biometrics and proxy cards to present-day “follow me” desktops and virtual desktop access.

January 10, 2011 at 7:25 AM by Dr. Barry Chaiken

Recent survey results released show only 50.7% of U.S. hospitals with implemented electronic medical records (EMRs). While transitioning to a paperless system seems to be a logical evolution in the health care system, the rather slow rate of EMR adoption does not surprise me. Even with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in February 2009 which attached a monetary incentive to implementation, technologies that do not seamlessly fit into clinicians’ day-to-day activities, improve patient care, and enable them to work more efficiently fail to achieve widespread acceptance. In order to improve EMR adoption rates in the U.S., we must provide doctors with tools that do not disrupt time spent with the patients, while enhancing their ability to access vital information quickly and efficiently.

December 10, 2010 at 11:02 AM by Dr. Barry Chaiken

There's been a lot of talk and focus on the Meaningful Use provisions of the HITECH Act. I worry that we're becoming too focused on the details of Meaningful Use, and losing the bigger picture.

The government instituted the Meaningful Use criteria and incentives because they believe that electronic medical records can improve quality of care and access to care – but only if the EMR solutions are actually deployed and used. Hence Meaningful Use.

December 9, 2010 at 8:23 AM by Dr. Barry Chaiken

Last month, Kristi Roose from Mahaska Health Partnership joined me for a live webinar that discussed deploying SSO and Strong Authentication, and the steps you can take to get to Meaningful Use faster. If you missed the webinar, you won't want to miss this -- we've gone ahead and transcribed our answers from the Q&A session.

Question 1:
How long did it take to roll a unit out to all the departments and how long did it take to see acceptance to the change?

  • Answer: We approached these rollouts one unit at a time, and the time frame depended on the number of users. Usually it took about 1-2 weeks per unit to make sure that everyone was comfortable with the product. Once the unit was rolled out acceptance was immediate; customers were grateful for the product and relieved to be able to access data more easily. It was a relief for their workflow. 
December 8, 2010 at 2:01 PM by Brian Mullins

Are you interested in improving clinician productivity and securing access to NextGen EMR applications?

This webinar features St. Croix Regional Medical Center’s implementation of NextGen EMR through single sign-on and finger biometrics. IT Director, Brent McCurdy will cover:

• Reducing log-ins and speeding access for doctors who “count their clicks”
• Delivering Single Sign-on to all applications – without Active Directory schema changes
• Providing secure remote desktop access to care givers
• Allowing clinicians to access multiple applications without impacting productivity

Register for this webinar today!



December 1, 2010 at 10:07 AM by Dr. Barry Chaiken

The recent Ponemon Institute benchmark study on patient data privacy and security practices sheds some much-needed light on the practice of data protection within our nation’s hospitals. According to the study, today’s hospitals have little confidence in their ability to secure patient records, revealing just how vulnerable they are to data breaches – a concern for all patients. Highlighted are some of the key findings...

November 9, 2010 at 6:41 PM by Dr. Barry Chaiken

On Wednesday, November 10th at 1:00 PM EST, I am fortunate to host Kristi Roose, IT director at Mahaska Health Partnership on a webinar where Kristi will share her insights on how to successfully deploy an EMR and help satisfy the requirements of meaningful use and the privacy and security standards embedded in the HITECH Act.

September 20, 2010 at 8:40 AM by Christian Merhy

Walking into the McKesson InSight 2010 Annual Conference, I expected discussion and debate around the impact of healthcare reform, IT-enabled patient care and challenges surrounding clinician workflow.  The conference was abuzz with the usual from a user group conference – product updates, deployment scenarios and demos of new applications.  While all that was good and useful, what was truly exciting was getting to speak with countless organizations about their real-world issues...

September 6, 2010 at 11:53 AM by Michael Bilancieri

VMworld 2010 in San Francisco this week was an amazing event, with more than 17,000 attendees converging on the Moscone Center to share innovations, ideas and experiences with virtualization technologies. While the healthcare industry was well-represented at the event, we were excited by the variety of conversations with people from other industries such as credit unions, retailers and life sciences. People at the event showed both an enjoyment for sharing their use of virtual environments and their hunger for new innovations to improve the experience. Some key themes that seemed to trend across the event included...

August 30, 2010 at 11:54 AM by Michael Bilancieri

Catching up on some reading after a few weeks on the road, most notably at VMworld 2010, I read Joseph Goedert’s Health Data Management article on the Privacy and Security Tiger Team’s recommendations for privacy issues that were sent to The Office of the National Coordinator for Health Information Technology (ONC).  The core recommendations focus on how to empower patient consent and how to ensure appropriate use and exchange of personal health information (PHI) by care givers and business associates – all in the name of good data stewardship – as ONC encourages adoption of healthcare IT.

August 25, 2010 at 8:41 AM by Brian Mullins

We’re about to hit the virtual road out to San Francisco for VMworld 2010 next week, and are excited for the many activities and conversations that are lined up for our team at the event.  If you’re going to the event, stop by booth #441 for a chat about securing user access in virtual desktop environments, or a demo of the integration of VMware View and Imprivata OneSign.  We’d love to share ideas, perspectives and experiences onsite!

I thought I’d call out some things you may want to check out as you navigate through the clouds of people milling around the various sessions, booths and labs within the Moscone Center...

August 18, 2010 at 10:14 AM by David Ting

Steve Coplan of The 451 Group recently published a terrific report on Virtual Desktops that examines the intersection of management and security. Steve hit the nail on the head in describing the importance of user authentication in securing virtual desktops. This is especially relevant in healthcare, which is rapidly adopting virtual desktop access (VDA) to improve clinician productivity and secure patient data. We were also pleased that Steve mentioned the work Imprivata is doing with VMware around fast, seamless user access for virtual desktops...

August 5, 2010 at 10:12 AM by David Ting

This week Imprivata announced its partnership with VMware, an exciting time for our company as more and more customers and prospects inquire about combining virtual desktops with simplified and secure user access to improve user productivity.  Partnering with a market leader like VMware presents a great opportunity for both organizations to deliver a secure working environment that allows end users to access their desktops from machines in any location.

August 3, 2010 at 10:10 AM by Michael Bilancieri

The U.S. Department of Health and Human Services (HHS) recently announced new rules surrounding health information privacy and data security that are important for everyone involved in healthcare IT (HIT) to understand.

By now, you’ve likely seen these rules, however the Healthcare IT Consultant blog has a nice synopsis of the news that drills down into the aspects most relevant for those in the Imprivata community.   Pulling the key points from that blog and summarizing the primary requirements of the rules, here are some things to consider...

July 12, 2010 at 9:08 AM by David Ting

Catching up on some news from last week and I thought Tim Greene’s article in Network World was an interesting piece on the Russian spy ring story that is currently grabbing headlines. One of the most glaring errors made by one of the spy defendants was leaving an imposing 27-character password written on a piece of paper that law enforcement officers found while searching a suspect's home. They used the password to crack open a treasure trove of more than 100 text files containing covert messages used to further the investigation.

July 7, 2010 at 10:15 AM by Michael Bilancieri

Last week, I attended the Privacy and Security Tiger Team Health Information Technology Policy (HIT) Committee Consumer Choice Technology Hearing in Washington, D.C. The gathering brought together an impressive group of healthcare industry leaders, patient data privacy advocates and HIT vendors to discuss technologies that enable consumers to choose whether or not to share their information in Health Information Exchanges (HIEs). Here are a few things worth highlighting from the conference...

June 23, 2010 at 12:00 pm by Michael Bilancieri

I read an interesting story over at HealthcareInfoSecurity.com highlighting the “Official Breach Tally Approaches 100”. The article includes a link to the official federal list of healthcare information breaches that was launched a few short months ago. While the article highlighted the major breaches affecting 500+ individuals as reported to the HHS Office for Civil Rights (OCR) and called out 61% of incidents stemming from stolen computer devices (e.g., laptops, USB drives, hard drives etc.), many of the largest breaches involved unauthorized access. Here’s a snapshot of the major breaches stemming from unauthorized access...

June 10, 2010 at 10:37 AM by Dr. Barry Chaiken

A nonprofit organization recently reported that over the last five years more than 45 million U.S. electronic health records (EHRs) were either lost or stolen by insiders and/or outsiders. How do we reconcile the absolute need of timely information access critical to patient welfare, while simultaneously protecting a patient’s right to privacy as granted by HIPAA and HITECH?

June 2, 2010 at 10:01 AM by David Ting

The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by a jolt of healthcare IT investment driven by HITECH mandates, it has renewed relevance today. From a user access perspective, there are important technical safeguards outlined in the area of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out. Specific Key Activities within these technical safeguards criteria you should review include...

May 24, 2010 at 9:12 AM by Jim Whelan


The Digital Healthcare Conference 2010 occurred last week in Madison, WI, under the theme of “Healthcare IT in transition.”  Imprivata Chief Medical Officer Dr. Barry P. Chaiken served as the conference chair for this event, which boasted an impressive agenda that kicked off with KLAS Founder and Chairman Kent Gale exploring the obstacles to physician adoption of electronic medical records (EMRs).  Gale’s “Top Ten” list highlighted common things that stand in the way of EMR adoption, and the takeaway from the entire session aimed to get attendees to see how establishing transparent workflow can lead to physicians truly embracing EMRs.

May 18, 2010 at 1:54 PM by Dr. Barry Chaiken

A couple of weeks ago I moderated a Healthcare IT News webinar session that examined how hospitals today make patient data easily and securely accessible throughout the clinical workflow.  I was joined by Dr. Zafar Chaudry, CIO of Liverpool Women’s NHS Foundation Trust & Alder Hey Children’s NHS Foundation trust and Dr. Lawrence Losey, Pediatrician, Chief of Pediatrics and Chief Medical Information Officer (CMIO) for Parkview Adventist Medical Center.  The session addressed the clinical workflow, process and technology behind providing fast, secure access to patient data, touching on all the areas within a hospital where a workstation sits and from anywhere a clinician may need access.

May 4, 2010 at 1:53 PM by Jim Whelan

I’m excited to join Imprivata at a time where healthcare IT, patient data security and clinician workflow efficiencies are front and center in boardrooms and nurses' stations across the country’s healthcare institutions.   With more than 500 hospitals on the customer roster, one million healthcare users and strategic relationships with all of the popular HIS vendors, Imprivata has built a strong foundation that was very attractive for me to join and bring my experiences.  Imprivata’s healthcare pedigree enables us to focus on delivering practical innovations for solving real-world problems surrounding simplifying and securing user access in hospital environments.

March 24, 2010 at 1:50 PM by Ali Pabrai

The HITECH Act, HIPAA, as well as mandates from State regulations (e.g. Massachusetts 201 CMR 17.00), are raising the minimal requirements that organizations such as healthcare-covered entities and business associates must implement to prevent unauthorized access. Further, the Connecticut Attorney General’s lawsuit against Health Net of Connecticut for failing to secure approximately 446,000 enrollees’ Protected Health Information (PHI), and to notify State authorities and enrollees of a security breach, is a reminder that breaches are not just a risk to information, but a risk to the organization.

March 21, 2010 at 1:47 PM by David Ting

Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows.  For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective.  Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow.  If change makes people’s lives easier, it’s easier for them to embrace.  It doesn’t need to be an either/or argument.

March 10, 2010 at 8:08 PM by David Ting

While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect:

17.05: Compliance Deadline

(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

March 6, 2010 at 6:38 PM by David Ting

This year’s HIMSS was quite an active conference, with healthcare IT a national focal point with new legislation and stimulus funding being funneled into reform and modernization initiatives. 

To kick off the conference, Imprivata chief medical officer, Dr. Barry Chaiken, who is the current chair of HIMSS, highlighted the need for healthcare IT solutions to drive positive industry change. Here are some pull-outs from an InformationWeek blog covering the event that capture the sentiment well...

February 22, 2010 at 12:35 PM by Ali Pabrai

There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.

read more...
February 9, 2010 at 1:08 PM by David Ting

On Thursday, Feb. 11 @ 1pm ET, please join me and cyber security and compliance expert Ali Pabrai of ecfirst for a can’t-miss Webinar outlining the critical steps for preparing for HITECH & HIPAA compliance audits.  It’s a must-attend session with enforceable HITECH requirements taking effect Feb. 18, 2010 and HIMSS 2010 a short few weeks away.

read more...
February 4, 2010 at 7:45 PM by David Ting

Over at the Life as a Healthcare CIO blog, John D. Halamka MD captured a list of top barriers to electronic health record (EHR) implementations, then added on with another ‘Top 10’ that puts a little fun into the serious business of EHRs. Below are barriers that stood out to me from a data security and healthcare access management perspective, and I urge you to check out John’s blog for more specifics – definitely worth the read and a great source of information. The key Barriers to deploying EHR worth noting...

read more...
February 3, 2010 at 2:56 PM by Tom McDermott

Greetings from the Eighteenth National HIPAA Summit in Washington, DC!  It’s turned out to be an interesting event pulling in an array of people as it is co-located with the National Health IT Summit for Government Leaders, the National Health Information Exchange (HIE) Summit and the International mHealth Networking and Web Conference.

Mid-way through the week-long event, there are some notable highlights from the conversations I’m having, and from the chatter on the floor and the breakout rooms.  In no particular order...

read more...
February 2, 2010 at 7:25 AM by David Ting

On Feb. 17, 2009, the HITECH Act was enacted, giving birth to new tiered civil monetary penalties for data breach violations, new powers to state attorneys general (AGs) for class-action pursuit and new guidelines for technology and methodologies that render data “unusable, unreadable or indecipherable.”  While we previously covered how HITECH will make available $2.0 billion in grant money for organizations to transition to electronic medical records (EMRs) and deploy appropriate security measures, the time is now upon us for full compliance.  Otherwise, organizations risk significant penalties from the Department of Health and Human Services (HHS)/Office of Civil Rights (OCR). The Healthcare & Technology blog has a good, quick post with some useful resources...

read more...
January 12, 2010 at 1:22 PM by David Ting

As we turn the page to 2010 and look to delve into the top–level security concerns that lie ahead, we’d be remiss not to reflect on those security events that helped shape 2009 into the ‘year of the data breach,’ and take these as learning experiences for the New Year.

read more...
December 22, 2009 at 10:22 AM by David Ting

2009 was a tough year with the global economic downturn resulting in unprecedented workforce reductions.  As a result, security risk from insider breaches has never been greater.  Now, as we look to turn the page to 2010, it’s already clear that organizations will continue to go beyond the traditional levels of network access security by implementing policies that require users to provide a second form of identity to gain access to IT resources.

read more...
December 9, 2009 at 10:57 AM by David Ting

This week, Computerworld announced the honorees for its annual Premier IT Leaders awards program, and we’d like to congratulate Imprivata customer Bill McQuaid of Parkview Adventist Medical Center for making the 2010 list!  Bill was recognized for his innovative approach to electronic medical records (EMR) and the significant contribution he has made to Parkview’s healthcare IT infrastructure.

read more...
December 8, 2009 at 7:27 AM by David Ting

Imprivata’s Geoff Hogan authored an article for Security Technology Executive last month titled, “Passwords in Peril” that delves into the password management conundrum that organizations face with the growing number of applications that employees use daily.  While the article summarizes succinctly the helpdesk costs issue, employee productivity and the data security vulnerabilities that a runaway password management problem causes, it also highlights effective single sign-on (SSO) strategies and tactics to overcome these challenges.

I wanted to take this opportunity to pull out a couple of SSO and Password Management best practices that Geoff covered, while adding a couple more...

read more...
November 24, 2009 at 5:17 PM by David Ting

The right single sign-on (SSO) solution can resolve your password management issues. However, some SSO solutions raise as many issues as they promise to solve: the cost of purchase can be quite high, and the complexity of implementation and management can overwhelm IT departments. As you start your SSO vendor evaluation process, it’s important to know what questions to ask to ensure that you have a thorough understanding of the complete solution including product features and functionality, implementation and deployment, and ongoing management. Sample questions across important categories include...

read more...
November 16, 2009 at 8:22 AM by David Ting

EMRs are the hot topic du jour and rightfully so with the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now starting to talk about the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.

 To stay ahead of things, here are five security considerations organizations should plan for as they deploy EMRs...

read more...
November 4, 2009 at 11:55 AM by David Ting

The HIMSS Virtual Conference occurred this week, covering a myriad of topics ranging from Electronic Health Records (EHRs) and the impact of the HITECH Act to workflow optimization as well as privacy and security in the cloud for healthcare systems.

 One presentation that readers of this blog may find useful was that from Box Butte General Hospital on Nov. 4 at 9:00am CT (you can register on the site for access; HIMSS members can already access it online).  Here’s a brief synopsis from the session description highlighting what was covered in the presentation...

read more...
October 29, 2009 at 11:28 AM by David Ting

This week, I took part in Network World’s annual real-life scary security stories podcast, a panel hosted by Keith Shaw that looks at some of the most frightful security incidents over the past year.  This year, I focused on some of the data security incidents that are becoming all too common in the healthcare industry.

read more...
October 21, 2009 at 9:36 AM by David Ting

Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out.  Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful...

read more...
October 14, 2009 at 7:49 AM by David Ting

I read a good article on FierceEMR recently surrounding a PricewaterhouseCoopers survey on electronic medical records (EMRs) that indicated that the secondary use of this information may be an organization’s greatest asset over the next five years. An overwhelming 76 percent of respondents agreed, and pointed to the abilities for mined data to decrease healthcare costs, predict public health trends and improve patient care. EMRs, with vendors such as Allscripts, NextGen and QuadraMed blazing the trail, have been a huge focal point of healthcare payers and providers, pharmaceutical companies and the general public with healthcare reform a primary platform of the Administration.

read more...
October 7, 2009 at 9:56 AM by Jon Hamdorf

I just left the annual Cerner Health Conference in Kansas City, where clinical and technical users of Cerner software gather to share ideas, best practices and technology solutions that are molding the future of healthcare.

read more...
September 29, 2009 at 1:13 PM by David Ting

 This week I had a chance to talk with Network World’s director of programming Keith Shaw about the various ways that employees breach data security – both intentionally and inadvertently.

The podcast interview captures a number of ways that employees breach enterprise security, whether by accident or with malicious intent. Here are some of the highlights...

read more...
September 21, 2009 at 3:10 PM by David Ting

Khalid Kark of Forrester Research recently issued a useful whitepaper that outlines the security reforms needed to improve patient data security in the healthcare industry. The whitepaper highlights four key reasons why healthcare organizations are falling behind on security. Khalid provides a comprehensive set of recommendations to help healthcare organizations address these challenges – these are near and dear to what we do here every day. I thought I would share some of the insights gathered from work with our many healthcare customers.

read more...
September 10, 2009 at 9:44 AM by Chris Feeney

I am currently at the Insight 2009 Annual Conference in Orlando, where 1,200-1,400 attendees are converging to learn and build relationships centered on their McKesson healthcare IT systems. Users are hearing details of new product enhancements and integrations, learning best practices and engaging in valuable peer discussions they can take back to their organizations. Overall, there seem to be two overarching themes that are driving discussions, both in sessions and in the hallways...

read more...
September 2, 2009 at 9:44 AM by David Ting

A recent BankInfoSecurity article reported that the Massachusetts Data Protection Law has been delayed yet again, pushing the new effective date back to March 1, 2010. As part of the law, organizations are required to protect confidential data – social security numbers, driver license numbers and financial account/credit/debit card numbers – of Massachusetts citizens. The regulation covers all non-public data, regardless of how the company obtains the information.

read more...
August 26, 2009 at 7:09 PM by David Ting

In February 2009, the Obama administration announced that $2.0 billion in grant money will be made available to help hospitals and other health care providers transition to electronic health records (EHR). This past Monday, the White House took a big step and launched the first of two grant programs under the HITECH act which lays the groundwork for EHR.

read more...
August 17, 2009 at 4:00 PM by David Ting

Last December, I blogged about the growing interest in implementing desktop virtualization (VDI) and the enterprise security challenges companies would face in this new environment. As with any new technology the best way to learn what is really happening is to listen to the field. With that in mind we polled executives across industries to understand the rate of VDI adoption and recently released the results as part of the “2009 Desktop Virtualization Survey.”

read more...
August 11, 2009 at 10:01 AM by Chip LeBlanc

I just got back from the annual Siemens Innovations Conference in Philadelphia. Imprivata had a booth at the event.  I had an opportunity to talk with existing and prospective OneSign customers. Clearly, single sign-on and authentication are top of mind for many of the Siemens customers we spoke with. One thing is clear - CMIOs and IT folks are looking for ways to make application access seamless and secure for the clinicians while NOT changing workflows. Imprivata OneSign is what Siemens Med is recommending as the solution of choice. In fact, there were two customer presentations where OneSign was discussed.

read more...
August 5, 2009 at 5:13 PM by David Ting

Security expert Bruce Schneier pulls out an interesting excerpt from an essay “When Security Gets in the Way” that is sparking great discussion on his Schneier on Security blog. The essay, from Don Norman’s jnd site, debates security vs. usability, and addresses design considerations for enterprise security systems. This article captures important concerns often discussed in security circles on how to make security stronger without disrupting user behavior. It’s a delicate balance – we often say the most secure computer is the one in a locked room not powered up but that would hardly be usable. At Imprivata we have always believed that usability and security don’t need to be mutually exclusive.

read more...
August 3, 2009 at 9:35 AM by Bill McQuaid

At Parkview Adventist Medical Center we're very proud of our accomplishment of being only one of a handful of hospitals that have been awarded with HIMSS Analytics Stage 6 status. Moving to an EMR format and a paperless environment requires a significant commitment from the executive team and from our clinicians. As we began our move to EMR, we had two major concerns. 1 – Can we maintain patient data security and HIPAA compliance in an electronic format? 2 – Will the clinicians buy into what we’re doing and use the technologies we provide? These are two critical components in achieving Stage 6 status.

read more...
August 2, 2009 at 2:18 PM by David Ting

Congratulations to Imprivata customer Parkview Adventist Medical Center for recently earning the HIMSS Analytics Stage 6 designation! HIMSS Analytics highlights the Stage 6 award as recognition for hospitals that have made significant investments in healthcare IT as well as implementing paperless medical records. This is a remarkable achievement for Parkview, considering that they’re one of only 42 hospitals out of 5,166 in the US to attain this level.

read more...
July 20, 2009 at 1:48 PM by David Ting

Another insider unauthorized access incident came across my radar just as I put the finishing touches on my most recent blog post highlighting Lesmany Nunez’s case being the latest example of a disgruntled employee breaching a network. As of today, the most current remote access security breach involves Danielle Duann, an IT director of a nonprofit organ and tissue donation center.

read more...
July 16, 2009 at 3:40 PM by David Ting

I was reading the recent security breach news about Lesmany Nunez, a former IT administrator who was recently sentenced to a year and one day in federal prison for computer fraud. Mr. Nunez was an employee at Miami-based Quantum Technology Partners (QTP) and three months after his employment ended, he was still able to access the company’s network with an administrator password. What he did then was break into QTP’s servers, shut them down, change the system administrators’ passwords and erase files, all of which ended up costing QTP more than $30,000.

read more...
July 13, 2009 at 3:57 PM by David Ting

Late last year, California enacted a new state law to help notify patients of potential breaches of their personally identifiable health information, requiring healthcare organizations to report suspected incidents of data breaches. The initial results are in, and it’s not pretty. According to the Journal of the American Health Information Management Association, California officials have received more than 800 reports of potential health data breaches in the first five months since the laws went into effect on January 1st. Of the 122 cases that have been investigated, 116 have been confirmed as security breaches. Officials expect the numbers to grow as more organizations put in the processes to report potential breaches.

read more...
July 8, 2009 at 3:23 PM by David Ting

Back in January, I shared some of my observations on 2009 Priorities for identity management in the new economic reality people are faced with - productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs. While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. Potential impact of the Goldman Sachs’s unauthorized upload of proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading. Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas, I believe, we need to watch for in the latter half of 2009...

read more...
June 25, 2009 at 7:15 AM by David Ting

The New York Times recently published an interesting article on the rising problem of medical identity theft. When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft. Since that last report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards. To exacerbate the situation, cleaning up after medical ID theft can be hindered by HIPAA compliance – the regulations protect the medical information of the ID thieves as well as you.

read more...
June 17, 2009 at 1:07 PM by David Ting

Join us for an informative session on the “Do’s and Don’ts” of employee access management next Wednesday, June 24. Forrester Research’s Bill Nagel will lead the discussion on what organizations should do to improve security with strong authentication.

In addition, the session will discuss the pros and cons of various strong authentication methods, explain why a single point of authentication to the network is key to employee access and provide examples of a wide range of implementations via real-world case studies.

read more...
June 14, 2009 at 8:20 AM by David Ting

Theoretically, as employees go on vacation during the summer months, there will be fewer demands on your IT team. Realistically, we know that’s not true and it seems like there is actually more to do. However, summer can provide the opportunity to step back and evaluate the state of your identity and authentication management infrastructure and policies. Here are five things that are easy to overlook throughout the year that you should consider doing this summer:

read more...
June 3, 2009 at 6:07 PM by David Ting

I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned, but illegally accessed computer systems to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an ever-growing litany of tales of breaches that we’ve been hearing about.

read more...
May 19, 2009 at 8:25 AM by David Ting

The National Institute of Standards and Technology (NIST) recently put out a draft “Guide to Enterprise Password Management” for public comment for feedback and improvement. While it gives a lesson in password management history, it doesn’t quite break new ground on prescriptive opinion.

Dave Kearns provided useful analysis of the NIST paper in his recent Managing Passwords article on Network World, and a couple of nuggets of wisdom jumped out at me:

read more...
April 1, 2009 at 6:55 pm by David Ting

HIMSS is right around the corner. 

It's one of our favorite conferences of the year, as we get to see many of our healthcare customers all in one place.  As I mentioned in my last post, if you're attending the conference this year, please plan to stop by our booth (#7339) and say hello, or check out the presentations by Imprivata's customers. OhioHealth and Southwest Washington Medical Center will be discussing the ‘Paperless Hospital' and ‘HIPAA Audits' respectively.  With all the focus on healthcare now, what trends am I going to be looking for at HIMSS this year?  Here are a few topics that our customers have shared with us:

read more...
March 23, 2009 at 8:10 pm by David Ting

We often hear of security getting in the way when it comes to clinicians wanting immediate access to patient data.  Since it's better to hear from one's peers, Imprivata asked some of its healthcare customers for tips on implementing single sign-on and strong authentication to eliminate password management headaches and how it facilitated making it easier for clinicians to get access to the records they need.

As we turn our attention to HIMSS 2009, we want to share our customers' advice, thoughts and concerns on how best to navigate through the employee access management obstacles:

read more...
March 10, 2009 at 7:43 pm by David Ting

We've found that the best resource for better understanding how to solve employee access management is our customers.  So over the past week or so, as a few of our customers have shared details of their OneSign experiences, I thought you may want to hear what some of them are saying and doing...

read more...
February 19, 2009 at 6:54 pm by David Ting

The stimulus package recently signed by President Obama has been the cause for vigorous debate.  One by-product of the package that has not been widely discussed is a provision that would reshape the medical industry by creating a central repository of computerized medical records for all Americans.  An increase in the level of electronic information of this magnitude exponentially raises the vulnerability of a security breach, which we'll focus on today.

read more...
February 4, 2009 at 7:40 pm by David Ting

In our last blog posting, we discussed three priorities all organizations should focus on in 2009:  security, productivity and manageable IdM projects.  Today we're looking more closely at enterprise security.

read more...
January 7, 2009 at 4:15 pm by David Ting

Happy New Year everyone.  Unfortunately for all of us, we enter 2009 facing the reality of an economic recession that affects every industry.  Layoffs are rampant, budgets are slashed and businesses are scrambling to weather the economic storm. Faced with these hard realities, it's a good time to regroup and rethink our next steps as we prepare for the eventual upturn.

read more...
December 14, 2008 at 10:37 am by David Ting

The discussion on desktop virtualization, or hosted virtual desktop, is heating up. Some view it as futuristic.  Others say it is a throwback to the world of mainframe computing. With economic concerns forcing businesses to take a hard look at expenses across the enterprise, however, there are many reasons this is such a hot topic.

read more...
November 25, 2008 at 3:30 pm by David Ting

A recent Gartner Blog Network post and Wall Street Journal article both focus on new, stricter data regulations being passed in several states, including Massachusetts.  The final set of the Massachusetts regulations focus on restricting employee access to data, monitoring malicious activity on the network, and strong authentication protocols. The new regulations will go into effect beginning January 1, 2009.

read more...
November 12, 2008 at 3:00 pm by David Ting

The other week, we announced some findings from a survey conducted over the past couple of months aimed at understanding where authentication and access management sits in the eyes of those concerned with Payment Card Industry (PCI) data security standards (DSS).  With PCI publishing the latest PCI Data Security Standard 1.2 on Oct. 1, 2008, this online survey highlighted some interesting trends as companies work toward compliance.

Here are a few stats to briefly call out...

read more...
October 30, 2008 at 2:00 pm by David Ting

This week I was part of Network World's second annual real-life scary security stories podcast, a panel hosted by Keith Shaw that told the tales of some frightful security happenings over the past year. There were some amazing examples of breaches of data, corporate espionage and simple access and authentication mis-steps, of which I added a few anecdotes from actual conversations I've had over the past year. [to protect the innocent, actual names were not used]

read more...
October 12, 2008 at 9:30 am by David Ting

While the concept of cloud computing (accessing applications online) has been around for close to a decade, talks on the subject have intensified significantly in recent months. The catalysts to these discussions range from the sharp decline in hardware and network infrastructure costs to the desire for a business to "go green" to the need for accessibility by an increasingly distributed workforce.  Whatever the reason, big business has taken notice and as this interest turns into action, these companies must be prepared to look at all of the key issues around this move before taking action.

read more...
October 2, 2008 at 8:49 am by Jason Mafera

Strong authentication can come in a variety of forms, each with its own unique strengths and weaknesses.  Before selecting a type of strong authentication, think about the following:

read more...
September 29, 2008 at 10:54 am by John Clark

Hundreds of McKesson customers converged in Grapevine, Texas this past week to learn what their peers are doing and to get the latest product updates from McKesson. Infrastructure upgrades were a common theme this year for many of the attendees I spoke to, with virtualization in particular continuing to rise in priority. Many hospitals had partially or completely virtualized their data center, and some had even virtualized all their desktops.

read more...
September 17, 2008 at 10:18 am by Chip LeBlanc

I just came back from the ASIS 2008 Show in Atlanta and boy, do my feet hurt. Over 15,000 attendees, participation in 6 booths including our own, 3 days of constant conversation will do that to a person. This security show is the top venue for those wanting to be educated on the latest in security...from state of the art manhole covers to new IP video and access control systems.

read more...
September 10, 2008 at 2:30 pm by David Ting

I was recently asked to comment on the future of biometrics so I wanted to share my thoughts here after distilling them down into four buckets... What's Next in Adoption, What's Next in the Tech, What's Next in the Enterprise, and What's Next in Consolidation.

read more...
September 3, 2008 at 4:00 pm by John Clark

Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that behind the scenes, one would naturally have to assume that the majority of healthcare organizations are being driven by the worry of the potential penalties that might be levied on them by the Department of Health & Human Services (HHS) for their failure to fully comply with HIPAA...

read more...
August 27, 2008 at 11:27 am by Chip LeBlanc

Physical logical security convergence has garnered increased attention over the past year, and we've had countless conversations with both IT departments and physical security teams about the people, process and technology issues that come with the territory.  Integrating teams and policy, not just the technology, needs to be well thought out.  Increasingly, the path of our conversations with prospects and customers interested in converging physical and logical access focuses on where to start that type of project.

read more...
August 20, 2008 at 12:00 pm by David Ting

The New York Times recently posted an article decrying passwords as an inadequate defense mechanism for security today in a wave of identity theft occurrences.  The article goes on to push a cryptography-based approach to log-on systems, touting ‘information cards' that rely on the computer handshake between machines to authenticate a user, or in this case, a site visitor.  The article goes on to rail against the OpenID initiative because of its password-driven approach to SSO to access OpenID-enabled Web sites.

read more...
August 13, 2008 at 1:30 pm by David Ting

Dave Kearns recently posted an article from an interview with Upek on the state of things in the world of biometrics, talking about how fingerprint readers are now being built into laptops, keyboards and all types of devices at a dizzying pace. [disclosure: Imprivata partners with Upek]  It was nice to see Dave addressing the topic of biometrics adoption. Combining biometrics with single sign-on has a strong value prop, as more and more industry and government regulations require two-factor authentication and audit trails for access reporting.

read more...
August 6, 2008 at 3:07 pm by David Ting

Recently, according to a Federal Computer Week article, the Drug Enforcement Administration proposed rules to allow e-prescribing of controlled substances, such as painkillers and stimulants. The proposed rules require doctors to use two forms of identification for each transmission of e-prescriptions for controlled substances in addition to an annual audit of each system by a certified public accountancy. Under current rules, doctors may use e-prescribing for most prescriptions but must sign a written prescription for Schedule II controlled substances, such as Nembutal, OxyContin and opium. The DEA rule, if it becomes final, would allow doctors to use the same system for generating and transmitting all prescriptions.

read more...
July 30, 2008 at 3:30 pm by David Ting

Risk management seems to be the conversation du jour.  I was just at the Lenel Paradigm Conference in Rochester with some of their leading security consultants and the topic that constantly came up was Risk and how security practitioners needed to understand the business drivers around mitigating risk. With access and authentication management-centric security breaches like LendingTree and Societe Generale making headlines and compliance requirements mandating greater information security, how does one even begin to understand what a company needs to do?

read more...
July 28, 2008 at 9:45 pm by Christopher Paidhrin

Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (http://www.ssosummit.com/).

Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.

read more...
July 23, 2008 at 1:00 pm by Chip LeBlanc

The term "security policy" used to mean different things to different people.  For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night.  For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to.  However, this situation is changing with IT and physical security being managed together.  Although they come from separate disciplines, what these two areas have in common is policy.

read more...
July 16, 2008 at 3:05 pm by David Ting

Managing the Increasing Vulnerability of a Decentralized Workforce

More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive.  Being productive is good.  Behaving less responsibly is not.  I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here's a few that stood out for me:

read more...
July 2, 2008 at 10:00 am by David Ting

Users from temporary staff all the way up to the corner office complain about 'drowning in security.'  Why does it take four more passwords to open an email at work in some cases than to check a bank balance via the home PC?  The things that make a car safe - airbags, safety glass, crumple zones, etc. - are not obvious to the driver.  What lessons can we adopt from hidden security measures to make security less of a drag on employee performance?

read more...
July 1, 2008 at 3:15 pm by David Ting

The merger between RxHub and SureScripts has garnered extensive coverage - here, here and here, among others.  This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions.  It is significant progress, and the latest of many advancements the healthcare sector is driving forward.  There is one area of the electronic prescriptions story though that is missing from all of the stories around the RxHub/SureScripts merger, though it's an important piece of the equation - authenticating that the prescription drug order is legitimate, and truly from an approved physician.  Electronic transactions are easier and quicker, sure, but so is the potential for misuse and fraud.

read more...
June 25, 2008 at 11:00 am by David Ting

I've had a few conversations lately tied around the topic of the insider threat in the financial services arena, so I figured I'd scan around the Web to see what's out there and came across an interesting InfoWorld article.  Though it is from last Fall, it hits on a number of concerns that are timely now, especially given the major breaches like Societe Generale.  The article reports on a Deloitte study that highlights two major data points that I want to call out:

read more...
June 19, 2008 at 4:30 pm by David Ting

There's a lot of news and opinions on the web as the blogosphere continues to grow.  As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click through the rabbit hole of conversations on the other side. 

In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with: 

read more...
June 11, 2008 at 1:29 pm by David Ting

Insider threat is among the biggest challenges security folks face in 2008.  The perimeter is dissolving with increased reliance on distributed computing and the mobile workforce, making it more difficult than ever to put up definitive walls around the enterprise.  It's a simple reality that we all have to deal with.  Check out last month's 2008 Global Information Security Workforce Study conducted by Frost & Sullivan for ISC(2) and SearchSecurity.com's coverage.  Two-factor authentication using biometrics as well as physical-logical convergence will gain speed in dealing with the insider threat.

read more...
June 5, 2008 at 12:00 pm by David Ting

Just a quick post to congratulate OhioHealth's CTO Jim Lowder on being named to InfoWorld's CTO 25, a short list of visionaries recognized for their industry leadership and technological contributions.  Welcome to the club.

OhioHealth took quite an ambitious vision and made it a reality.  We're proud to have a role in OhioHealth's innovative endeavor to create an all-digital facility that can serve as the template for healthcare facilities of the future.

Congrats, Jim and OhioHealth, on well-deserved recognition of your accomplishments!

--David Ting, CTO

June 1, 2008 at 10:30 am by John Clark

Having spent last week at the 2008 International MUSE (Medical Users Software Exchange) Conference in Grapevine, Texas - the 25th annual gathering of clinical and technical users of Meditech software - I was delighted to see SSO is such a hot topic among this group.  There were five customer presentations related to SSO and Strong Authentication, and all of them were filled to capacity.

read more...
May 28, 2008 at 3:47 pm by Rik Van Bruggen

I work in the field for Imprivata, working with customers day in, day out. And the single most heard question I get relating to our products is: "which authentication technology should I use". Fingerprint? Yeah that's good, I will never forget my finger, right? Or a prox card? Even better, because I can use that to open doors, pay at the lunch cashier, and so forth. Nah - maybe a smartcard is better. Or a one-time-password token. Or ...

Of all of the suggestions I made above, none of them is ideal. All of them have pros and cons, and really, all of them have very different characteristics. In my mind, there are three/four things to ask yourself when choosing an authentication technique...

read more...
May 28, 2008 at 11:00 am by John Clark

After the recent 2008 HIMSS Conference, we conducted a survey of 171 healthcare IT decision makers to identify some of the trends they face relating to identity management. I wanted to call out a few interesting data points...

read more...
May 28, 2008 at 2:00 am by Rik Van Bruggen

Our partner SecureLink is hosting a fun series of events in the Netherlands: the SecureTour08. Every event discusses one specific security topic in detail - and the participants get free cake, fruit, candy - something tasty :) .... On September 4th, we will be presenting OneSign at the event in The Hague - feel free to join in!

May 21, 2008 at 2:27 pm by Rik Van Bruggen

Tomorrow, May 22nd, we will be participating in a very interesting colloquium in Belgium, specifically on how nurses can benefit from all sorts of IT systems. Two of our partners, Telindus and Siemens, will be showcasing Imprivata OneSign on their booths - so please drop by when you get a chance.
May 21, 2008 at 9:15 am by David Ting

To paraphrase Princess Leia, 'the more you tighten your grip, the more star systems will slip through your fingers.' The same can be said in trying to manage identities in today's enterprise.  A number of weeks back, I got into a discussion with the 451Group's Steve Coplan about this very topic:  the chaos of identities.

read more...
May 21, 2008 at 8:00 am by Rik Van Bruggen

Next week, Tuesday 27th of May, we will be speaking at the ICT & Healthcare seminar in Ede, the Netherlands. Topic of our discussions will be clear and simple: how can we restore the "Identity balance". With this topic, we aim to explore how customers and partners can work with healthcare organisations to strike the right balance between...

read more...
May 19, 2008 at 11:00 am by David Ting

I'm often asked what seems like a simple question: "what's new in identity management?"  As simple as it is, it's a big question so here are five trends that I see out there for identity management... at least for now.

read more...
May 15, 2008 at 10:30 am by David Ting

Welcome to Identity 360, our blog covering ideas and issues related to converged identity and access management in the enterprise.  We aim to discuss the full gamut of topics, including physical security, network authentication, single sign-on, compliance, multi-factor authentication, insider threats, strong authentication, password management, etc.  Not to mention, chiming in on current events as they happen along the way.

We look forward to an interactive discussion with everyone, and to hearing from security professionals, media and analysts about what they see out there.  If you don't feel comfortable commenting directly to a post, you can always contact us via blog@imprivata.com.

You may be wondering who I mean by "we."  While I will be a regular contributor to Identity 360, there will be a range of voices here to broaden the expertise beyond my own and provide a range of experience from those on the identity front lines.   

Let us know if you have specific topics you'd like us to address, or if you have an experience you'd like to share.  Thanks for taking the time to visit us and come back often to see what's new!

- David Ting, CTO