SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Filter by tag: password sharing
User Access Relevance in a HITECH Age
June 3, 2010 at 9:24 AM by David Ting
The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by a jolt of healthcare IT investment driven by HITECH mandates, it has renewed relevance today.
The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.” This NIST 800-66 Revision 1 document provides a comprehensive guide to compliance with the Security Rule, and details “Key Activities” to engage in, segmented into defined categories that are easy to read and navigate.
From a user access perspective, there are important technical safeguards outlined in the areas of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out. Specific Key Activities within these technical safeguard criteria that you should review include:
4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information, and whether they have authorization to do so. Enforcing policies that eliminate credential and password sharing is a crucial complement to this requirement, as it ensures that all activity can be traced back to a specific user identity.
4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.” There are plenty of automatic logoff solutions in the field which satisfy this requirement, but they have hindered workflow by requiring users to actively log back into a system. In a healthcare environment, where doctors, clinicians and staff are sharing workstations and need fast access to patient information, session time-outs can add hiccups when time is of the essence. This was a core consideration when we designed our OneSign Secure Walk-Away solution, which leverages computer vision technology with active presence detection and user tracking to identify an authenticated user in front of a workstation, automatically locking the desktop upon their departure and providing instant re-authentication upon their return. It combines compliance with this Key Activity and real-world workflow for the best of both worlds.
4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity serves as a foundational pillar of managing healthcare security risk. Determining what systems and activities need to be monitored and reported is crucial to closing any potential security breach gaps and streamlining reporting requirements from other sections of the Security Rule. The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new security risks for healthcare organizations, so it’s critical to understand and quickly report on breaches, whether malicious or accidental, to avoid penalties and fines from both state attorneys general and the feds. To do so effectively, one must first establish what is tracked and/or audited, making this Key Activity even more relevant today than before HITECH went into effect.
4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI
These Key Activities combine to focus on identifying all approved users with the ability to alter or destroy data, asking questions around user authentication, and determining whether authentication tools interoperate with other applications and systems. These requirements dovetail with audit trail requirements for understanding how information is accessed and authorized, so healthcare entities can report on all aspects of cross-organization healthcare access management.
4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes as no surprise that the Security Rule calls out commonly used authentication approaches. Specifically, the guideline urges aligning different levels of authentication with an assessment of the risk to the information and systems. Password policy, biometric authentication, smart cards, proximity badges and/or any combination of the aforementioned can satisfy this requirement, but it’s essential that they are all tied together in the form of easy-to-manage identity management – otherwise, it can become unwieldy and burdensome to keep up with as new hires are brought onboard and terminated employees are de-provisioned.
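As an added illustration (not from the original post, and not Imprivata code), the following Python script checks a workstation audit trail for the two conditions that Key Activities #3 and #8 above make auditable: the same unique identifier logged on at two workstations at once (a sign the credential is being shared) and a session that stays active past the inactivity limit (automatic logoff not doing its job). The log format, user names and workstation names are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data): "timestamp user workstation event".
# Events: logon, activity (any keyboard/mouse input), logoff.
SAMPLE_LOG = """\
2010-06-03T08:00:00 jsmith WS-ICU-01 logon
2010-06-03T08:02:00 jsmith WS-ICU-01 activity
2010-06-03T08:05:00 jsmith WS-ER-07 logon
2010-06-03T08:20:00 jsmith WS-ICU-01 logoff
2010-06-03T08:30:00 mjones WS-ICU-02 logon
2010-06-03T08:31:00 mjones WS-ICU-02 activity
2010-06-03T09:00:00 mjones WS-ICU-02 activity
2010-06-03T09:05:00 jsmith WS-ER-07 logoff
2010-06-03T09:10:00 mjones WS-ICU-02 logoff
"""

def parse_log(text):
    """Parse the constructed log format into (time, user, workstation, event), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, event = line.split()
        events.append((datetime.fromisoformat(ts), user, ws, event))
    return sorted(events)

def find_concurrent_sessions(events):
    """Key Activity #3 check: a unique identifier that logs on at a second
    workstation while still logged on elsewhere is probably being shared.
    Returns (user, workstation already open, new workstation, time)."""
    open_sessions = defaultdict(dict)  # user -> {workstation: logon time}
    findings = []
    for ts, user, ws, event in events:
        if event == "logon":
            for other_ws in open_sessions[user]:
                if other_ws != ws:
                    findings.append((user, other_ws, ws, ts))
            open_sessions[user][ws] = ts
        elif event == "logoff":
            open_sessions[user].pop(ws, None)
    return findings

def find_idle_violations(events, max_idle_minutes=15):
    """Key Activity #8 check: if automatic logoff is working, no session can show
    activity (or a manual logoff) more than max_idle_minutes after its previous
    event. Returns (user, workstation, idle minutes) for every gap that exceeds it."""
    limit = timedelta(minutes=max_idle_minutes)
    last_seen = {}  # (user, workstation) -> time of that session's latest event
    findings = []
    for ts, user, ws, event in events:
        key = (user, ws)
        if event == "logon":
            last_seen[key] = ts
            continue
        if key in last_seen:  # ignore events for sessions we never saw start
            gap = ts - last_seen[key]
            if gap > limit:
                findings.append((user, ws, int(gap.total_seconds() // 60)))
            last_seen[key] = ts
        if event == "logoff":
            last_seen.pop(key, None)
    return findings
```

Run against a real audit export, each finding is a lead for the audit control reporting described above, not a conclusion on its own: a legitimate floating clinician or a clock skew between workstations can produce the same pattern.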
There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices. It’s a tremendous guide to a significant HIPAA compliance requirement. With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role.
Building on this, the guidelines outlined in the NIST 800-66 Revision 1 document should be applied worldwide, as increased legislation in numerous countries drives greater attention to protecting patient health information in any form and puts stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance. It’s a great asset out there for public consumption, and can help drive best practices worldwide.
Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)
March 22, 2010 at 3:49 PM by David Ting
Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).
Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows. For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective. Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow. If change makes people’s lives easier, it’s easier for them to embrace. It doesn’t need to be an either/or argument.
As such, here are our seven habits of highly-effective healthcare security:
- Ensure adequate password complexity across system and application logons to protect PHI
- Auto-generate strong passwords where possible to simplify the backend security process; take the task out of your hands and focus your attention where it can be better utilized
- Rely on technology that is easy to implement (for you) and support (for your users)
- Select strong authentication technologies (e.g., fingerprint biometrics) that simplify user access to help achieve user adoption
- Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
- Manage password resets through a self-service portal: enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses’ station
- Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans
From a high level, aligning with these habits can help secure user access in your healthcare organization, but, as I mentioned, workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace. Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity. This is why healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow are so attractive.
Do you have any good healthcare security habits to share? We’d love to hear them!
--David
Mass 201 CMR 17.00: When State Compliance Kicks in, How Do You Respond?
March 11, 2010 at 8:08 PM by David Ting
While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect:
17.05: Compliance Deadline
(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.
We began talking about this Massachusetts data privacy regulation and what it means back in November 2008, and continued the discussion on this blog in September 2009 as the compliance deadline was pushed off numerous times throughout the course of 2009. Now, the day has finally come, and Mass 201 CMR 17.00 is officially here and active.
As you may know, Massachusetts is at the forefront with legislation that creates standards for protecting personal information in both paper and electronic format. A key purpose of the standards is to “protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer” and minimize overall security risk.
While we’ve examined the specific parameters in our previous blog posts on the topic, it’s important to recognize what companies must do now if they own or license information about a resident of the Commonwealth. A majority of the provisions in the Mass 201 CMR 17.00 standards center on securing access to data, so it’s crucial to:
• Map where personal information resides in your company
• Inventory which applications access and/or store personal information
• Understand what third-party service providers access this personal information
• Ensure only appropriate, authorized access to data by personnel by deploying appropriate user authentication technologies
• Assign unique identifications such as fingerprint biometrics plus strong passwords to fortify security and eliminate password sharing… then streamline the log-on/off process by single-sign-on-enabling applications
• Monitor and report on access to personal information to ensure compliance
• Regularly educate and train users on appropriate system use and the importance of securing personal information
If you’ve accounted for the above, you’re well on your way toward compliance. If not, what are you going to do when the Commonwealth of Massachusetts comes knocking? Do you really want to find out?
--David
2010 Look Ahead: Chief Security Concerns for Chief Executives
January 13, 2010 at 1:22 PM by David Ting
As we turn the page to 2010 and look to delve into the top-level security concerns that lie ahead, we’d be remiss not to reflect on those security events that helped shape 2009 into the ‘year of the data breach,’ and take these as learning experiences for the New Year.
With the economy in its worst state in decades, we saw IT budgets decimated and security threats evolve into clever, sophisticated entities that caused serious havoc for organizations. Do the names Kaiser Permanente, Fannie Mae and Stens Corporation ring a bell? These big name organizations experienced some of the most high-profile data breaches as a result of poor security and access management policies. And whether it is a result of disgruntled employees, inappropriate password sharing or terminated employees retaining access rights, these events point to a trend that isn’t going away.
Now let’s focus our attention back on 2010 and break down the top-level security concerns chief executives need to focus on to protect the integrity of their organization. The global economic downturn and wave of breaches mentioned above are clear indicators that these types of activities are only going to proliferate in 2010, as threats are not only escalating but becoming more sophisticated and damaging. And to help protect these organizations, we are seeing an increased number of federal compliance regulations set in place—HITECH ACT, Data Breach Notification Laws, HIPAA, Meaningful Use of EMRs, etc.
Understanding these regulations and having strong security policies in place are critical to starting 2010 off on the right foot. On Wednesday, January 27th we will be conducting a webinar demo on Imprivata OneSign and will have a discussion on how technologies such as single sign-on (SSO) strengthen user authentication to network applications, streamline application access and simplify the process of compliance reporting—key elements to understanding the changing security landscape in 2010. We encourage you to attend and participate, and share your ideas for the New Year.
--David
Five Security Considerations when Deploying EMR
November 17, 2009 at 8:22 AM by David Ting
EMRs are the hot topic du jour, and rightfully so with the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now turning to the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.
The User’s Perspective is Vital
Just because patient information is moving to an electronic format doesn’t mean the complexity and number of passwords needed to access that data decrease. It is important to consider how this migration will impact clinician workflow, as any hiccup or disruption in the healthcare setting can be detrimental to patient data security. Single sign-on technologies, for instance, not only decrease the number of passwords to remember, but they also have a direct impact on user workflow and productivity improvements.
Strong Authentication Remains a Secure Priority
Combining EMRs with employee workflow improvements can be further augmented by utilizing strong authentication, fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, to ensure secure access is limited to those who are truly authorized. Readers of this blog already know the importance of strong authentication—its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.
Auditing of Access is a Patient Right
Patients have the right to know who has accessed their information and when, and by law, healthcare organizations are required to track this information. Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details including: password sharing, what applications users are authorized to access, and what credentials they are using.
Compliance is Still King
Let’s not forget that, although hospitals are being incentivized to use EMR, this transition cannot be made at the expense of compliance. Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information. Electronic medical records are more efficient than paper-based systems, but that shift brings with it a new environment that must be proven secure; otherwise there is a risk of fines, penalties and/or reputational damage.
Federation of Identities Equates to a New Level of Required Trust
Federated identity establishes a mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access. This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance. This emphasizes the need for secure authentication within one’s own system in order to ensure that trust with other systems can be guaranteed and benefits can be realized.
California Medical Data Breach Report Highlights Healthcare Access Management Concerns
July 14, 2009 at 3:57 PM by David Ting
Late last year, California enacted a new state law to help notify patients of potential breaches of their personally identifiable health information, requiring healthcare organizations to report suspected incidents of data breaches. The initial results are in, and it’s not pretty. According to the Journal of the American Health Information Management Association, California officials have received more than 800 reports of potential health data breaches in the first five months since the law went into effect on January 1st. Of the 122 cases that have been investigated, 116 have been confirmed as security breaches. Officials expect the numbers to grow as more organizations put in place the processes to report potential breaches.
While the majority of the breaches are being called “unintentional” breaches, the intentions behind the unauthorized access of patient information matter little. Seemingly innocuous activities, such as password sharing, present significant data security challenges for healthcare organizations that put them, and their patients’ private information, at risk.
These initial reports demonstrate that access management is still a priority concern for healthcare organizations to prevent unauthorized access to patient records – whether intentional or not. Tying a user’s identity to access via strong authentication, such as proximity cards and biometric fingerprints, can have a profound effect on overall enterprise security and help prevent organizations from becoming another one of the statistics cited in the next report. Are these numbers an accurate reflection of the state of security in the healthcare industry? Do you think that the numbers will decrease as organizations get a handle on the processes to prevent or report breaches? Email me and let me know.
2009 Identity Management Mid-Year Report: A brief look back and ahead
July 9, 2009 at 3:23 PM by David Ting
Back in January, I shared some of my observations on 2009 priorities for identity management in the new economic reality people are faced with: productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs. While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. The potential impact of the Goldman Sachs unauthorized upload of proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading.
Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas I believe we need to watch in the latter half of 2009.
Biometrics Hit Stride, Will Gain Even More Steam
Frost & Sullivan projects the European biometrics market to triple from 2008 to 2012, as biometrics are used more now to secure access and prevent breaches. With fingerprint biometric readers and other scanners embedded in everyday devices, the ability to tie unique identity to access via strong authentication means has a profound effect on overall data security.
EHRs Become Focal Point of Healthy Debates
Electronic Health Records (EHRs) are also making headway, thanks in large part to the Recovery and Reinvestment Act of 2009. A large portion of the discussion is based on healthcare access management, patient data security and user authentication. Security assurance is a key hurdle to widespread EHR adoption, but using strong authentication capabilities that are now widely available is a significant enabler to achieving the benefits EHRs promise, while minimizing the security risk. Watch for these specific debates and discussions to progress in 2H 2009.
Greater Emphasis on User Workflows Considered in Product Development
While biometric authentication has certainly played a role in making users’ lives easier, new developments around walk-away security and faster access to systems are shortening the process of secure logon. By making it easier for users to come and go from a system, there is less password sharing and improved employee productivity, while encouraging and enforcing better overall identity and password policy management.
What areas do you see most, now that we are halfway through 2009?
What issues do you seek to solve?
How can identity management better serve you?
--David