Identity 360 - An Imprivata Blog

User Access Relevance in a HITECH Age

The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but spurred by a jolt of healthcare IT investment driven by HITECH mandates has renewed relevance today. 

The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.”  This NIST 800-66 Revision 1 document provides a comprehensive guide for HIPAA compliance to the Security Rule, and details “Key Activities” to engage in that are segmented by defined categories that are easy to read and navigate.

From a user access perspective, there are important technical safeguards outlined in the area of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out.  Specific Key Activities within these technical safeguards criteria you should review include:

4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information, and whether they have authorization to do so.  Enforcing policies that eliminate credential and password sharing are a crucial complement to this requirement as it ensures that all activity can be traced back to a specific user identity.

4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.”  There are plenty of automatic logoff solutions in the field which satisfy this requirement, but they’ve hindered workflow by requiring active logging back into a system.  In a healthcare environment, where doctors, clinicians and staff are sharing workstations and need fast access to patient information, session time-outs can add hiccups when time is of the essence.  This was a core consideration when we designed our OneSign Secure Walk-Away solution, which leverages computer vision technology with active presence detection and user tracking to identify an authenticated user in front of a workstation, automatically locking the desktop upon their departure and providing instant re-authentication upon their return.  It combines compliance with this Key Activity and real-world workflow for the best of both worlds.

4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity serves as a foundational pillar to managing healthcare security risk.  Determining what systems and activities need to be monitored and reported are crucial to closing any potential security breach gaps and streamlining reporting requirements from other sections of the Security Rule.  The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new security risks for healthcare organizations, so it’s critical to understand and quickly report on breaches, whether malicious or accidental, to avoid penalties and fines from both state attorneys general and the feds.  To do so effectively, one must first establish what is tracked and/or audited, making this Key Activity even more relevant today than before HITECH went into effect.

4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI
These Key Activities combine to focus on identifying all approved users with the ability to alert or destroy data, ask questions around user authentication and seeks to determine if authentication tools interoperate with other applications and systems.  These requirements dovetail into audit trail requirements for understanding how information is accessed and authorized, so healthcare entities can report on all aspects of cross-organization healthcare access management.

4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes to no surprise that the Security Rule calls out commonly used authentication approaches.  Specifically, the guideline urges aligning different levels of authentication with assessment of risk to the information and systems.  Password policy, biometrics authentication, smart cards, proximity badges and/or any combination of the aforementioned can satisfy this requirement, but it’s essential that they are all tied together in the form of easy-to-manage identity management – otherwise, it can become unwieldy and burdensome to keep up with as new hires are brought onboard and terminated employees are de-provisioned.

There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices.  It’s a tremendous guide to a significant HIPAA compliance requirement.  With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role. 

Building on this, the guidelines outlined in the NIST 800-66 Revision 1 document should be applied worldwide as increased legislation in numerous countries drives greater attention to protecting patient health information in any form, and put stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance.  It’s a great asset out there for public consumption, and can help drive best practices worldwide.

Tags: HIPAA_compliance user_authentication security_risk secure_authentication password_policy security_breach biometrics_authentication data_security password_sharing healthcare_access_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Fast Access for Clinicians and Secure Patient Data for IT: Can You Have Both?

A couple of weeks ago I moderated a Healthcare IT News webinar session that examined how hospitals today make patient data easily and securely accessible throughout the clinical workflow.  I was joined by Dr. Zafar Chaudry, CIO of Liverpool Women’s NHS Foundation Trust & Alder Hey Children’s NHS Foundation trust and Dr. Lawrence Losey, Pediatrician, Chief of Pediatrics and Chief Medical Information Officer (CMIO) for Parkview Adventist Medical Center.  The session addressed the clinical workflow, process and technology behind providing fast, secure access to patient data, touching on all the areas within a hospital where a workstation sits and from anywhere a clinician may need access. 

Dr. Chaudry and Dr. Losey shared their experiences providing fast access to electronic medical records (EMR) for clinicians as well as strategies and processes for ensuring patient privacy.  Dr. Losey highlighted finger biometrics and remote access as huge draws for physicians and by providing doctors with laptops loaded with the applications they need to do their job from anywhere, it drove EMR adoption for the Parkview team. 

Dr. Chaudry discussed how his team organized their approach to streamlining secure access to applications.  By conducting workshops to effectively map workflow of clinicians, they were able to measure the before and after effect of what the clinical staff did each day to understand if there was indeed a performance improvement.  Findings were telling, as different clinical roles utilized different processes and workflows which showcased how important it was to take people’s real-world daily activities into consideration when planning any type of shift that impacts clinicians. As such, healthcare access management and secure authentication such as proximity cards and fingerprint biometrics play integral roles in enabling effective, efficient workflows.

The move to electronic systems, as Dr. Losey noted is “a wonderful opportunity to re-engineer your processes.”   It’s not enough just to computerize a process, but to step back and ensure the process is the right one in the first place.  Again, it all gets back to clinical workflows.  The points made in this session were quite prescriptive to deliver not only a successful EMR experience but a successful clinical workflow experience that encourages widespread adoption.

The panel also examined the impact of new patient privacy mandates in both the U.K. and the U.S., the role of patient data security, the auditability needed to ensure compliance and the impact on clinician workflow.  Dr. Losey provided some good anecdotes that illustrated how a complete audit trail is the most powerful way to remind clinical staff that they shouldn’t be ‘snooping’ on patient data records that they weren’t involved with.

The session closed with a number of great questions from the audience that sparked continued knowledge sharing from the panelists.  If you weren’t able to attend the live webinar, I suggest checking it out to hear useful insights from some smart medical executives: http://www.imprivata.com/fast_access_for_clinicians_hc_it_webinar

Barry P.Chaiken, MD, FHIMSS

Tags: Fingerprint_biometrics secure_authentication data_security healthcare_access_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Welcome, Jim Whelan, VP of Imprivata’s North American Healthcare Group

I’m excited to join Imprivata at a time where healthcare IT, patient data security and clinician workflow efficiencies are front and center in boardrooms and nurses' stations across the country’s healthcare institutions.   With more than 500 hospitals on the customer roster, one million healthcare users and strategic relationships with all of the popular HIS vendors, Imprivata has built a strong foundation that was very attractive for me to join and bring my experiences.  Imprivata’s healthcare pedigree enables us to focus on delivering practical innovations for solving real-world problems surrounding simplifying and securing user access in hospital environments.

HITECH, healthcare reform and patient data breaches are staples of the news headlines, and rightfully so, as this is a year and an age of change anchored by healthcare issues and concerns.    We understand the strategic goals of healthcare organizations are focused on delivering better patient outcomes. At the same time, patient data privacy and user access are focal points in today’s healthcare environment with fines, penalties and negative exposure putting a spotlight on the clear need for effective security.  At Imprivata, we see the opportunity to help healthcare organizations affect positive change by bridging the gap between security and clinical productivity – and we firmly believe these concepts are not mutually exclusive.

In my role at Imprivata leading the North American healthcare group, I’ve had great conversations with customers about their daily challenges.  I look forward to deeper conversations s to understand the boardroom issues that drive decisions and to hear from the doctors and nurses on the front lines as to how we can better simplify and secure user access.

I’d love to hear your thoughts, questions and ideas.  Because of our customers, Imprivata has established its market leadership, and we are very thankful for these tremendous relationships.  Please drop me a line with thoughts, comments, ideas or other ways that Imprivata can better help you achieve your healthcare access management objectives – I welcome the conversation, and look forward to it!

Regards,

Jim Whelan

Tags: data_breaches user_access data_security healthcare_access_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)

Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).

Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows.  For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective.  Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow.  If change makes people’s lives easier, it’s easier for them to embrace.  It doesn’t need to be an either/or argument.  

• As such, here are our seven habits of highly-effective healthcare security:
  Ensure adequate password complexity across systems and applications logons to protect PHI
• Auto-generate strong passwords where possible to simplify the backend security process; take the task out of your hands and focus your attention where it can be better utilized
• Rely on technology that is easy to implement (for you) and support (for your users)
• Select strong authentication technologies (e.g., fingerprint biometrics) that  simplify user access to help achieve user adoption
• Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
• Manage password resets through self-service portal : enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses station
• Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans

From a high-level, aligning with these habits can help secure user access in your healthcare organization, but as I mentioned workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace.  Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity.  This is why the use of healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow is so attractive. 

Do you have any good healthcare security habits to share?   We’d love to hear them!

--David

Tags: Fingerprint_biometrics data_breach healthcare_access_management password_sharing HIPAA_compliance strong_authentication biometric_authentication healthcare_single_sign_on

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

HIMSS 2010: Meaningful Use, EMR Standards, Clinician Workflows, Security, Oh My!

This year’s HIMSS was quite an active conference, with healthcare IT a national focal point with new legislation and stimulus funding being funneled into reform and modernization initiatives. 

To kickoff the conference, Imprivata chief medical officer, Dr. Barry Chaiken, who is the current chair of HIMSS highlighted the need for healthcare IT solutions to drive positive industry change. Here are some pull-outs from an InformationWeek blog covering the event that capture the sentiment well: 
 
In his opening keynote address at the conference, Dr. Barry Chaiken, HIMSS chairman and chief medical officer of Imprivata, put the onus on the industry to create "healthcare IT solutions that are so compelling, so irresistible, that people just want to use them. We cannot rely on incentive programs or executive orders. We must create demand."

There's a raw energy at HIMSS reminiscent of the broader IT industry's go-go days, when there were myriad vendors and incomplete standards and fractious debates and lots of customer uncertainty, but when there was an unshakeable belief that IT could still change the world.

In his opening address, Dr. Chaiken captured that vibe, calling on the HIMSS membership to rise to the challenge. "Through the implementation of compelling healthcare IT solutions, you must transform the way healthcare is provided in this country, not the president, not Congress, not clinicians--you. If you don't do it, it will not happen. You must step forward and you must lead."

At Imprivata’s booth, we had a constant flow of booth traffic, and we received great response to our interactive theater demonstrations – people loved watching our folks act out real-world scenarios vs. watching a canned demo loop on a monitor.  Having a live operational system at the booth allowed us to explore details of the product with customers and prospects with specific questions.

People were especially excited about our OneSign Secure Walk-Away solution for protecting unattended hospital workstations from unauthorized access, and Privacy Alert spurred a lot of interest and engaging conversations with IT and Privacy executives alike.  There were lots of high-energy discussions, mostly centered around definitions of meaningful use, EMR interoperability and the creation/non-existence of standards, clinical workflows, healthcare access management and data security breach issues – and more than few jabs on the outcome of the Olympics! 

This set the tone for the entire conference, and everyone contributed to a great gathering focused on pushing industry progress forward – presenters, vendors and attendees alike.  At Imprivata, we’re coming away from HIMSS 2010 energized for what the future holds in healthcare.  We’re ready to make a difference.  Are you?

Tags: healthcare_access_management security_breach

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Five Security Considerations when Deploying EMR

EMRs are the hot topic du jour and rightfully so with the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now starting to talk about the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.

 To stay ahead of things, here are five security considerations organizations should plan for as they deploy EMRs:

·         The User’s Perspective is Vital

o   Just because this patient information is moving to an electronic format, doesn’t mean the complexity and number of passwords decreases to access data.  It is important to consider how this migration will impact clinician workflow, as any hiccup/disruption in the healthcare setting can be detrimental to patient data security.  Single sign-on technologies, for instance, not only decrease the amount of passwords to remember, but they also have a direct impact on user workflow and productivity improvements.

·    Strong Authentication Remains a Secure Priority

o   Combining EMRs with employee workflow improvements can be further augmented by utilizing strong authentication, fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, to ensure secure access is limited to those who are truly authorized.  Readers of this blog already know the importance of strong authentication—its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.

·         Auditing of Access is a Patient Right

o   Patients have the right to know who has accessed his/her information and when, and by law, healthcare organizations are required to track this information.  Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details including: password sharing, what applications users are authorized to access, and what credentials they are using.

·         Compliance is Still King

o   Let’s not forget that, although hospitals are being incented to use EMR, this transition cannot be made at the expense of compliance.  Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information.  Electronic medical records are more efficient than paper-based systems, but that shift brings with it a new environment that must be proven secure, otherwise there could be risk fines, penalties and/or reputational damage. 

·         Federation of Identities Equates to a New Level of Required Trust

o   Federated identity establishes a mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access.  This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance.  This emphasizes the need for secure authentication within one’s own system in order to ensure that trust with other systems can be guarantted and benefits can be realized.

Tags: Fingerprint_biometrics secure_authentication healthcare_access_management two-factor_authentication strong_authentication password_sharing data_security

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

HIMSS Virtual Conference Box Butte General Hospital -- VDI, Productivity and the User Experience

The HIMSS Virtual Conference occurred this week, covering myriad of topics ranging from Electronic Health Records (EHRs), impact of the HITECH Act, workflow optimization as well as privacy and security in the cloud for healthcare systems.

 One presentation that readers of this blog may find useful was that from Box Butte General Hospital on Nov. 4 at 9:00am CT (you can register on the site for access; HIMSS members can already access it online).  Here’s a brief synopsis from the session description highlighting what was covered in the presentation:

• Describe attainable savings to a hospital after implementation of virtualized desktop infrastructure (VDI) and single sign-on (SSO)
• Recognize how the use of technologies such as SSO, strong authentication and virtualization increase productivity, improve security and improve user convenience
• Explain how replacing PCs with virtualized desktops, in conjunction with an SSO and strong authentication deployment can garner healthcare organization significant annual savings associated with password management and electricity bills

Congrats to Tony Hindman and Mandy Whaley of Box Butte General Hospital on an insightful session.  Thanks for sharing your experiences and innovative approach with healthcare access management! 

Tags: password_management strong_authentication healthcare_access_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Identifying Identity Resources, Part II

Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out.  Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful

·         The Health Care Blog: this blog covers everything from electronic health records (EHRs) and HIPAA Compliance to HITECH and Health 2.0, often with amusing headlines and relevant details to get the most pressing issues across succinctly.

·         ITBusinessEdge’s Authentication Systems channel:   This covers opinion pieces and news, ranging from fingerprint biometrics and other forms of strong authentication to password policy and security risk.

·         FierceEMR: “Mapping the future of Healthcare Information,” this site combines news with opinion on topics ranging from electronic medical records (EMRs), health information exchanges, healthcare access management, interoperability and deployment updates.

·         Healthcare & Technology blog:  this blog covers the high-level healthcare IT issues and trends while also pulling in various graphics, charts and video to help tell the story. 

·         Planet Identity blog: This blog aggregates blogs related to identity management topics, leaning towards the technical while pulling through data, survey findings and trends from some of the most highly-subscribed blog feeds.

Tags: password_policy security_risk identity_management identity_and_access strong_authentication management healthcare_access_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

EMR Survey Finds Best Value Resides in Secondary Uses, but what about Data Security?

I read a good article on FierceEMR recently surrounding a PricewaterhouseCoopers survey on electronic medical records (EMRs) that indicated that the secondary use of this information may be an organization’s greatest asset over the next five years. An overwhelming 76 percent of respondents agreed, and pointed to the abilities for mined data to decrease healthcare costs, predict public health trends and improve patient care. EMRs, with vendors such as Allscripts, NextGen and QuadraMed blazing the trail, have been a huge focal point of healthcare payers and providers, pharmaceutical companies and the general public with healthcare reform a primary platform of the Administration.

The PwC report highlighted that hundreds of billions of terabytes of health data are now being collected in EMRs. The focus of the report calls on all the wonderful potential that de-identified and aggregated data can produce for doctors, researchers, insurance companies and pharma manufacturers. According to the press release, the healthcare industry won’t see the full value of EMR and other healthcare IT investments until it adopts standards and subsequently finds secondary uses of EMR data.

While there is significant opportunity with EMR data, the report only briefly calls out concerns, centered on respondent’s feelings that the industry needs better guidelines on how information can be used and shared. Full-on security of the data has been a topic largely ignored by the populous pushing for healthcare reform and EMR standardization.

What about Data Security?
What is glossed over is the need to secure access to EMR data. With so much data being collected, analyzed and shared, organizations need to get a handle on who has access to this data, through which systems and with which safeguards. Who is authorized, how are they authenticated, and how can companies ensure compliance with policies and procedures?

We’ve seen the problems caused by celebrity medical records being breached by hospital employees. Take that issue and multiply it exponentially as the billions of terabytes of EMR data translates into billions of dollars in market opportunity over the coming decades for healthcare providers, insurance companies and pharmaceutical manufacturers. This will spawn a new wave of insider threats, and healthcare access management must be dealt with during the formative stages of EMR deployments… as the old adage states, “an ounce of prevention is worth a pound of cure.”

Tags: data_security healthcare_access_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

2009 Identity Management Mid-Year Report: A brief look back and ahead

Back in January, I shared some of my observations on 2009 Priorities for identity management in the new economic reality people are faced with - productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs. While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. Potential impact of the Goldman Sachs’s unauthorized upload of proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading. Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas, I believe, we need to watch for in the latter half of 2009.

Biometrics Hit Stride, Will Gain Even More Steam

Frost & Sullivan projects the European biometrics market to triple from 2008 to 2012, as biometrics are used more now to secure access and prevent breaches. With fingerprint biometric readers and other scanners embedded in everyday devices, the ability to tie unique identity to access via strong authentication means has a profound effect on overall data security.

EHRs Become Focal Point of Healthy Debates

Electronic Health Records (EHRs) are also making headway, thanks in large part to the Recovery and Reinvestment Act of 2009. A large portion of the discussion is based on healthcare access management, patient data security and user authentication. Security assurance is a key hurdle to widespread EHR adoption, but using strong authentication capabilities that are now widely available is a significant enabler to achieving the benefits EHRs promise, while minimizing the security risk. Watch for these specific debates and discussions to progress in 2H 2009.

Greater Emphasis on User Workflows Considered in Product Development
While biometrics authentication has certainly played a role in making user lives easier, new developments around walk-away security and faster access to systems are shortening the process to secure logon. By making it easier for users to come and go from a system, there is less password sharing and improved employee productivity, while encouraging and enforcing better overall identity and password policy management.

What areas do you see most, now that we are half way through 2009?

What issues do you seek to solve?

How can identity management better serve you? --David

Tags: healthcare_access_management password_sharing security_risk fingerprint_biometric enterprise_security user_authentication strong_authentication identity_management data_security password_policy_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Trends Heading into HIMSS - Strong Authentication and Virtualization

Tags: healthcare_single_sign-on Sign-On authentication_and_access_management authentication healthcare_access_management Single_Sign_On

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS

 

Tips for Implementing Healthcare SSO and Strong Authentication

Tags: healthcare_single_sign-on secure_access healthcare_access_management password_management

Comments (0)

Email

Share FACEBOOK LINKEDIN DIGG DIIGO FURL TECHNORATI STUMBLE UPON DELICIOUS