SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Fast Access for Clinicians and Secure Patient Data for IT: Can You Have Both?
May 19, 2010 at 2:00 pm by Dr. Barry Chaiken
A couple of weeks ago I moderated a Healthcare IT News webinar session that examined how hospitals today make patient data easily and securely accessible throughout the clinical workflow. I was joined by Dr. Zafar Chaudry, CIO of Liverpool Women’s NHS Foundation Trust & Alder Hey Children’s NHS Foundation Trust and Dr. Lawrence Losey, Pediatrician, Chief of Pediatrics and Chief Medical Information Officer (CMIO) for Parkview Adventist Medical Center. The session addressed the clinical workflow, process and technology behind providing fast, secure access to patient data, touching on all the areas within a hospital where a workstation sits and from anywhere a clinician may need access.
Dr. Chaudry and Dr. Losey shared their experiences providing fast access to electronic medical records (EMR) for clinicians as well as strategies and processes for ensuring patient privacy. Dr. Losey highlighted finger biometrics and remote access as huge draws for physicians and by providing doctors with laptops loaded with the applications they need to do their job from anywhere, it drove EMR adoption for the Parkview team.
Dr. Chaudry discussed how his team organized their approach to streamlining secure access to applications. By conducting workshops to effectively map workflow of clinicians, they were able to measure the before and after effect of what the clinical staff did each day to understand if there was indeed a performance improvement. Findings were telling, as different clinical roles utilized different processes and workflows which showcased how important it was to take people’s real-world daily activities into consideration when planning any type of shift that impacts clinicians. As such, healthcare access management and secure authentication such as proximity cards and fingerprint biometrics play integral roles in enabling effective, efficient workflows.
The move to electronic systems, as Dr. Losey noted is “a wonderful opportunity to re-engineer your processes.” It’s not enough just to computerize a process, but to step back and ensure the process is the right one in the first place. Again, it all gets back to clinical workflows. The points made in this session were quite prescriptive to deliver not only a successful EMR experience but a successful clinical workflow experience that encourages widespread adoption.
The panel also examined the impact of new patient privacy mandates in both the U.K. and the U.S., the role of patient data security, the auditability needed to ensure compliance and the impact on clinician workflow. Dr. Losey provided some good anecdotes that illustrated how a complete audit trail is the most powerful way to remind clinical staff that they shouldn’t be ‘snooping’ on patient data records that they weren’t involved with.
The session closed with a number of great questions from the audience that sparked continued knowledge sharing from the panelists. If you weren’t able to attend the live webinar, I suggest checking it out to hear useful insights from some smart medical executives: http://www.imprivata.com/fast_access_for_clinicians_hc_it_webinar
Barry P. Chaiken, MD, FHIMSS
Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)
March 22, 2010 at 3:49 PM by David Ting
Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).
Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows. For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective. Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow. If change makes people’s lives easier, it’s easier for them to embrace. It doesn’t need to be an either/or argument.
As such, here are our seven habits of highly-effective healthcare security:
- Ensure adequate password complexity across systems and application logons to protect PHI
- Auto-generate strong passwords where possible to simplify the backend security process; take the task out of your hands and focus your attention where it can be better utilized
- Rely on technology that is easy to implement (for you) and support (for your users)
- Select strong authentication technologies (e.g., fingerprint biometrics) that simplify user access to help achieve user adoption
- Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
- Manage password resets through a self-service portal: enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses station
- Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans
From a high level, aligning with these habits can help secure user access in your healthcare organization, but as I mentioned, workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace. Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity. This is why the use of healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow is so attractive.
Do you have any good healthcare security habits to share? We’d love to hear them!
--David
Five Security Considerations when Deploying EMR
November 17, 2009 at 8:22 AM by David Ting
EMRs are the hot topic du jour and rightfully so with the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now starting to talk about the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.
- The User’s Perspective is Vital
  - Just because this patient information is moving to an electronic format doesn’t mean the complexity and number of passwords needed to access data decreases. It is important to consider how this migration will impact clinician workflow, as any hiccup/disruption in the healthcare setting can be detrimental to patient data security. Single sign-on technologies, for instance, not only decrease the number of passwords to remember, but they also have a direct impact on user workflow and productivity improvements.
- Strong Authentication Remains a Secure Priority
  - Combining EMRs with employee workflow improvements can be further augmented by utilizing strong authentication, fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, to ensure secure access is limited to those who are truly authorized. Readers of this blog already know the importance of strong authentication; its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.
- Auditing of Access is a Patient Right
  - Patients have the right to know who has accessed their information and when, and by law, healthcare organizations are required to track this information. Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details including: password sharing, what applications users are authorized to access, and what credentials they are using.
- Compliance is Still King
  - Let’s not forget that, although hospitals are being incented to use EMR, this transition cannot be made at the expense of compliance. Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information. Electronic medical records are more efficient than paper-based systems, but that shift brings with it a new environment that must be proven secure, otherwise there could be a risk of fines, penalties and/or reputational damage.
- Federation of Identities Equates to a New Level of Required Trust
  - Federated identity establishes a mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access. This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance. This emphasizes the need for secure authentication within one’s own system in order to ensure that trust with other systems can be guaranteed and benefits can be realized.
From HIPAA Compliance to HITECH – Reforming Healthcare Security
September 22, 2009 at 3:10 PM by David Ting
Khalid Kark of Forrester Research recently issued a useful whitepaper that outlines the security reforms needed to improve patient data security in the healthcare industry. A complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” can be downloaded from the Imprivata website.
The whitepaper highlights four key reasons why healthcare organizations are falling behind on security. Khalid provides a comprehensive set of recommendations to help healthcare organizations address these challenges – these are near and dear to what we do here every day. I thought I would share some of the insights gathered from work with our many healthcare customers.
I’ll tackle two of these issues in today’s post, and address the remaining ones in a subsequent posting.
1. Basic security technologies and processes are missing:
Kark correctly states that many CISOs struggle to get management’s attention on security issues and are limited in the resources they have to address the critical security risks they face. Bill McQuaid, CIO for Parkview Adventist Medical Center, recently spoke about how they were able to achieve Stage 6 HIMSS Analytics status, despite their relatively small size. Deploying strong authentication technologies, like fingerprint biometrics, considerably increases clinician productivity, while ensuring that only properly credentialed users are accessing sensitive information. This combination of security along with greater user productivity is sure to gain the attention of any manager.
2. Security spending lags behind other leading industries:
As Khalid notes in his whitepaper, higher spending doesn’t necessarily equate to stronger security. What matters is using the dollars and resources you do have wisely. The days of enterprise-wide projects that take years to complete are over. By identifying the immediate areas of risk and implementing projects that yield immediate results, you can protect your organization, while demonstrating a quick ROI – this can come in handy when fighting for more dollars to spend on additional projects.
What are the main obstacles you’re facing in securing your organization? Share your story.
David
HITECH Grants – Earmark Dollars for Data Security Too
August 27, 2009 at 7:09 PM by David Ting
In February 2009, the Obama administration announced that $2.0 billion in grant money will be made available to help hospitals and other health care providers transition to electronic health records (EHR). This past Monday, the White House took a big step and launched the first of two grant programs under the HITECH Act which lays the groundwork for EHR.
The grant will be used to create what the HITECH Act calls the Health Information Technology Regional Extension Centers. These regional centers will play a major role in implementing a nationwide system of health information networks.
According to the Health and Human Services website, these centers will help hospitals select EMR technology, provide assistance on the implementation front, and ensure that the hospitals are complying with all regulatory and legal requirements to protect the patient’s health information.
While it’s encouraging that the regional centers will have a strong focus on enterprise security, it’s critically important that HITECH doesn’t become a HIPAA-like paper tiger of passive regulations with little accountability. As I’ve blogged previously, the universal adoption of EHR significantly increases the vulnerabilities for a security breach of patient information. Security assurance remains a primary hurdle to the widespread adoption of EHR, but technologies like strong authentication, including fingerprint biometrics, proximity cards, etc., are now widely available and can fulfill the promise of EHRs by significantly minimizing the security risks.
Khalid Kark of Forrester Research just issued a compelling whitepaper on how HITECH can strengthen information security across healthcare – accomplishing what HIPAA ultimately may have failed to do. If you’re moving forward on EMRs and have questions about security, you can download a complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” from the Imprivata website.
I’d be interested in hearing how HITECH may impact your hospital’s move towards EHRs, and what role you think these centers can play in facilitating your timely implementation.
2009 Desktop Virtualization Survey – Understanding the New Security Risks
August 18, 2009 at 4:00 PM by David Ting
Last December, I blogged about the growing interest in implementing desktop virtualization (VDI) and the enterprise security challenges companies would face in this new environment. As with any new technology, the best way to learn what is really happening is to listen to the field. With that in mind we polled executives across industries to understand the rate of VDI adoption and recently released the results as part of the “2009 Desktop Virtualization Survey.”
While organizations are increasingly embracing VDI/hosted virtual desktop as a way to reduce IT costs associated with desktop maintenance, there are still security concerns and fundamental challenges facing these companies as they change to this new desktop delivery vehicle. Most of these concerns center around managing user identities, roles and enforcing access policies.
In a VDI environment, user identities become relevant in multiple points within the virtual desktop, making the coordination and enforcement of access policies a more difficult task. Having a centralized way to manage user identities, roles and access policies is critical. This is true however you choose to deliver desktops to your users.
To help deal with these security challenges, the survey found organizations are increasingly turning to strong authentication solutions such as fingerprint biometrics and proximity cards to associate a user identity to the desktop so an authentication and policy can be applied to control the type of desktop the user can access. This type of strong authentication ensures the desktop is being used by a properly credentialed user and provides the critical step in managing role-based access at the desktop level.
As the unique security challenges of VDI become more well known, I expect we’ll see a greater emphasis on multiple forms of strong authentication to coordinate user IDs and access policies, which will enable organizations to overcome the final barrier to realizing the true potential of VDI solutions.
I’ll be discussing this and more in an upcoming webinar with Forrester’s Natalie Lambert, go here to register.
Have you implemented VDI in your organization? Are you on that track? Let me know what challenges you’re facing.
Using Single Sign-On to Ease EMR Adoption – A Look at Parkview Adventist Medical Center
August 3, 2009 at 2:18 PM by David Ting
Congratulations to Imprivata customer Parkview Adventist Medical Center for recently earning the HIMSS Analytics Stage 6 designation! HIMSS Analytics highlights the Stage 6 award as recognition for hospitals that have made significant investments in healthcare IT as well as implementing paperless medical records. This is a remarkable achievement for Parkview, considering that they’re one of only 42 hospitals out of 5,166 in the US to attain this level.
Parkview is a great example of how our healthcare customers are using single sign-on technology and strong authentication solutions like fingerprint biometric identification to address the productivity and security concerns that come with deploying a full-scale electronic medical records system.
We’ve asked Bill McQuaid, CIO of Parkview, to be a guest blogger to share some tips on how they’re using the Imprivata OneSign platform to increase physician productivity, while ensuring data security for patient records in a completely paperless environment. With the federal government continuing to push healthcare providers to adopt an EMR format, Parkview provides a successful model to emulate and learn from.
OneSign Customers Talk Shop: Fingerprint Biometric Security, Password Management and Security Risk
March 11, 2009 at 7:43 pm by David Ting
We've found that the best resource for better understanding how to solve employee access management is our customers. So over the past week or so, as a few of our customers have shared details of their OneSign experiences, I thought you may want to hear what some of them are saying and doing.
CSOonline.com's Joan Goodchild created a cool video-based interview with Bill McQuaid on how Parkview Adventist combined OneSign with fingerprint biometrics to improve productivity, streamline operations and minimize security risk. Check it out here. Key take-aways from Bill when deploying systems are:
1. Test, test and test again: with physicians and nurses you only get one chance to get them to buy in (which they did at Parkview)
2. Have a comprehensive training program: training up-front minimizes helpdesk calls later
3. Have a back-up plan: at Parkview, employees have several fingers scanned in case the biometric doesn't scan properly
Over at SearchCIO.com, Linda Tucci chatted with Chuck Christian about Good Samaritan Hospital's single sign-on deployment, capturing the hospital's experience using OneSign for the past four years. Chuck shares advice on how he evaluated SSO solutions, how he got executive buy-in early on, and once installed, his ability to quickly change employee access (including complete shut-off) and how he deters bad security behavior by ensuring everyone is clearly aware of audit features. The full story is here, and his advice is worth reading.
Anne Gabriel talks with OneAmerica's Jeff Hornung about the intersection of employee productivity, SSO and security for a story in Insurance & Technology. Jeff explains his experience rolling out SSO to 1,500 users, and how that has translated into a 15 percent drop in help desk calls (and 50 percent for one specific application!) and enhanced employee productivity. Next up for OneAmerica? The life insurer will "leverage Imprivata's two-factor authentication and biometric device capabilities to meet changing needs and regulations" according to the article.
Tell us how you're using OneSign, and what's working for you. We'd love to hear it.
David
2009 Priorities: Security and Strong Authentication
February 5, 2009 at 7:40 pm by David Ting
In our last blog posting, we discussed three priorities all organizations should focus on in 2009: security, productivity and manageable IdM projects. Today we're looking more closely at enterprise security.
Businesses continue to grapple with economic realities, making hard decisions to stay competitive during the downturn. These decisions can have a negative impact on IT security - as IT staffs are re-organized, budgets slashed and security professionals tasked with doing more with less while addressing data security. Unfortunately, as this is happening, the number of vulnerabilities they're tasked with covering is growing. The latest news about the logic bomb at Fannie Mae just reinforces the need for additional vigilance as organizations downsize.
The challenges can be overwhelming, but they're not insurmountable. So where do you start? The important thing is to have a plan - think through the challenges and anticipate possible problems. With that in mind, here are three areas you can address to make sure your company is secure:
Identify and deal with your greatest areas of risk
It may sound simple, but it represents a shift in philosophy and mindset, moving away from comprehensive, enterprise-wide projects that take years to fully implement with little to show for in return. Given the constraints in staffing and budgets, IT staffs need to focus on the immediate areas of security risk and make sure those gaps are closed. For example, if you're undergoing a company-wide reorganization, start by asking yourself: Can we immediately revoke access of former employees, and alter access to employees whose job functions have changed? Are we fully aware of all access points of dismissed consultants? If the answer is no to either of those questions, then you're at risk and have identified your first project. Assess what potential damage can be perpetrated if revocation is not immediate or all inclusive.
To understand the risk you face, just look at the case that came out last week about the former employee of Fannie Mae who was charged with implanting malware on the company's network that could have potentially caused millions of dollars in damages. While the case is still pending, the fact remains that this former employee, in the time between when he was informed of being laid off and when he left the building, was able to plant a logic bomb that could have wiped out data on 4000 servers. This remains one of the biggest security risks facing organizations - one that can be dealt with quickly and efficiently with the proper systems and processes in place.
Know who is getting on your system
Trust has never been a sound security strategy, especially when you consider the number of insider-related security breaches over the last year. The nature of business dictates that you need to know what your employees are accessing, providing the ability to track users and audit usage. Having confidence in who is getting on your system means believing more than just who someone is as a username and password. It means relying on strong authentication and using a comprehensive model of device-based authentication to prove the user's identity. The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for corporate-wide deployment of new technology that is now mainstream. Think about this in the context of what happens if the wrong person is getting onto a computer, the network, an application or conducting a transaction within an application. It's become best practice in many businesses to require biometric authentication or building smart cards for enforcing user authentication and access whenever sensitive information or applications are at stake.
Have demonstrable ROI for your project
The general consensus of the CIOs I've spoken to recently is that they are being selective in the security projects they tackle in 2009 - undertaking only those projects that can yield immediate results either to improve business productivity or reduce security risk. We discussed this recently with some of our customers in a webinar roundtable discussion. If you weren't able to attend, I encourage you to download the webinar to see how they're addressing the security challenges in 2009.
So what challenges are you facing?
What steps are you taking to tackle security in 2009?
Feel free to email me if your organization is facing a different set of challenges in the coming year.