SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)
March 22, 2010 at 3:49 PM by David Ting
Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).
Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows. For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective. Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow. If change makes people’s lives easier, it’s easier for them to embrace. It doesn’t need to be an either/or argument.
As such, here are our seven habits of highly-effective healthcare security:
- Ensure adequate password complexity across system and application logons to protect PHI
- Auto-generate strong passwords where possible to simplify the back-end security process; take the task out of your hands and focus your attention where it can be better utilized
- Rely on technology that is easy to implement (for you) and support (for your users)
- Select strong authentication technologies (e.g., fingerprint biometrics) that simplify user access to help achieve user adoption
- Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
- Manage password resets through a self-service portal: enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses' station
- Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans
At a high level, aligning with these habits can help secure user access in your healthcare organization, but as I mentioned, workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace. Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity. This is why healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow is so attractive.
Do you have any good healthcare security habits to share? We’d love to hear them!
--David
Reaching Stage 6 Status with Imprivata
August 4, 2009 at 9:35 AM by Bill McQuaid
Thanks David.
We’re very proud of our accomplishment of being only one of a handful of hospitals that have been awarded with HIMSS Analytics Stage 6 status, especially when you consider our relatively small size compared to the many other bigger hospitals with larger IT departments trying to accomplish the same thing. Moving to an EMR format and a paperless environment requires a significant commitment from the executive team and from our clinicians.
As we began our move to EMR, we had two major concerns. 1 – Can we maintain patient data security and HIPAA compliance in an electronic format? 2 – Will the clinicians buy into what we’re doing and use the technologies we provide? These are two critical components in achieving Stage 6 status.
Training for Success
To address the concerns simultaneously, we knew that we had to come up with a solution that would get immediate buy-in from our clinicians. If you don’t have people internally using the systems and championing them for you with their colleagues and peers, it makes the road to full scale EMR a very difficult one.
This has been one of the secrets to our success – we haven’t forced any of our doctors to use the systems we implement. Instead, we work with the people who want to be worked with, and then let the rest come to us once they see how easy and successful it is.
A great example of this is when we started asking doctors to do computerized physician order entry (CPOE), which requires all doctors to do their own ordering using a computer. There was some hesitancy on the part of the doctors when we asked them to do their own ordering. The chief concern was accessing the necessary systems – doctors kept telling us “there’s no way we can log in – we won’t be able to remember all the passwords.”
To address these concerns, we used Imprivata OneSign to create a zero sign-on environment through the use of biometric authentication. We went live and gave access to a few people – when other clinicians saw how well it worked, they all wanted to use it. But here’s the key – we made them sign up for training and went through the whole process with them individually. By providing a quick and easy tutorial on the technology, we were able to mitigate any concerns of using the technology. The result is that the doctors loved it, and we use this technology in all of the physician practices now.
Not only did we get a groundswell movement on the part of clinicians to use the technology, but we also solved our core data security issues. Biometric authentication considerably increases productivity, but also ensures that only the properly credentialed users are accessing sensitive information. This level of strong authentication meant that clinical staff now had the ability to walk up to any workstation and securely log into the network, providing the real-time, secure access needed to provide superior care to our patients.
In fact, it’s worked so well, we’re rolling it out to secure remote access as well. We’ve set up virtual desktops for some doctors, so when they log in remotely, they log in once and get the security of single sign-on. So now, no matter where they are, they get their own desktop – they can print orders and do what they need to do from anywhere in the country.
The road to Stage 6 status can be a tough journey. What we’ve learned along the way is that technology alone isn’t the solution – educating the staff on the value of the technology is the most powerful tool in your arsenal.
If you’re currently working on similar projects, I’d love to hear your thoughts on how the project is progressing and if you have great tips to share for others too.
2009 Priorities: Security and Strong Authentication
February 5, 2009 at 7:40 pm by David Ting
In our last blog posting, we discussed three priorities all organizations should focus on in 2009: security, productivity and manageable IdM projects. Today we're looking more closely at enterprise security.
Businesses continue to grapple with economic realities, making hard decisions to stay competitive during the downturn. These decisions can have a negative impact on IT security, as IT staff are reorganized, budgets slashed and security professionals tasked with doing more with less while addressing data security. Unfortunately, as this is happening, the number of vulnerabilities they're tasked with covering is growing. The latest news about the logic bomb at Fannie Mae just reinforces the need for additional vigilance as organizations downsize.
The challenges can be overwhelming, but they're not insurmountable. So where do you start? The important thing is to have a plan - think through the challenges and anticipate possible problems. With that in mind, here are three areas you can address to make sure your company is secure:
Identify and deal with your greatest areas of risk
It may sound simple, but it represents a shift in philosophy and mindset, moving away from comprehensive, enterprise-wide projects that take years to fully implement with little to show for it in return. Given the constraints in staffing and budgets, IT staff need to focus on the immediate areas of security risk and make sure those gaps are closed. For example, if you're undergoing a company-wide reorganization, start by asking yourself: Can we immediately revoke access of former employees, and alter access for employees whose job functions have changed? Are we fully aware of all access points of dismissed consultants? If the answer is no to either of those questions, then you're at risk and have identified your first project. Assess what potential damage can be perpetrated if revocation is not immediate or all-inclusive.
To understand the risk you face, just look at the case that came out last week about the former employee of Fannie Mae who was charged with implanting malware on the company's network that could potentially have caused millions of dollars in damages. While the case is still pending, the fact remains that this former employee, in the time between being informed of his layoff and leaving the building, was able to plant a logic bomb that could have wiped out data on 4000 servers. This remains one of the biggest security risks facing organizations, and one that can be dealt with quickly and efficiently with the proper systems and processes in place.
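The two questions above (can we revoke a leaver's access everywhere, and do we know every access point a consultant held) can be turned into a routine reconciliation between the HR feed and each system's account inventory. The following is an added example, not the blog's or Imprivata's code; the HR feed format, the system names and every account record are constructed for illustration.

```python
"""Access-revocation reconciliation (added example, not the blog's or Imprivata's
code); the HR feed, system names and account records are constructed."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Finding:
    person: str
    system: str
    issue: str  # "still_enabled" or "used_after_termination"

# Constructed HR feed: username -> (role, termination time, ISO 8601).
HR_TERMINATED = {
    "jdoe":   ("employee",   "2009-01-26T17:00"),
    "rsmith": ("consultant", "2009-01-15T12:00"),
    "mlee":   ("employee",   "2009-01-30T09:00"),
}

# Constructed per-system inventories: username -> (enabled, last_login).
# The consultant's VPN account is the kind of access point nobody cross-checked.
SYSTEM_ACCOUNTS = {
    "ActiveDirectory": {"jdoe":   (False, "2009-01-26T16:40"),
                        "rsmith": (True,  "2009-01-20T08:05"),
                        "mlee":   (False, "2009-01-29T18:00")},
    "EMR":             {"jdoe":   (True,  "2009-01-27T07:55"),
                        "mlee":   (False, "2009-01-30T08:30")},
    "VPN":             {"rsmith": (True,  "2009-01-14T22:10")},
}

def reconcile(terminated, systems):
    """One Finding per account that should have been revoked but was not:
    still_enabled (account still active after the leave time) or
    used_after_termination (a login after the person left; investigate)."""
    findings = []
    for person, (_role, left_at) in terminated.items():
        left = datetime.fromisoformat(left_at)
        for system, accounts in systems.items():
            if person not in accounts:
                continue
            enabled, last_login = accounts[person]
            if enabled:
                findings.append(Finding(person, system, "still_enabled"))
            if datetime.fromisoformat(last_login) > left:
                findings.append(Finding(person, system, "used_after_termination"))
    return sorted(findings, key=lambda f: (f.person, f.system))

if __name__ == "__main__":
    for f in reconcile(HR_TERMINATED, SYSTEM_ACCOUNTS):
        print(f"{f.person:8} {f.system:16} {f.issue}")
```

Run against the constructed data it reports the employee whose EMR account stayed live and was used the next morning, and the consultant whose directory and VPN accounts were never disabled; the employee whose accounts were disabled on time produces nothing.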
Know who is getting on your system
Trust has never been a sound security strategy, especially when you consider the number of insider-related security breaches over the last year. The nature of business dictates that you need to know what your employees are accessing, which means being able to track users and audit usage. Having confidence in who is getting on your system means verifying more than a username and password: it means relying on strong authentication and a comprehensive model of device-based authentication to prove the user's identity. The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows corporate-wide deployment of technology that is now mainstream. Think about this in the context of what happens if the wrong person gets onto a computer, the network or an application, or conducts a transaction within an application. It has become best practice in many businesses to require biometric authentication or building smart cards to enforce user authentication and access whenever sensitive information or applications are at stake.
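Tracking users and auditing usage only pays off if someone actually runs checks over the logon records. Below is an added example, not the blog's or Imprivata's code, of two such checks over a constructed workstation logon log: successful logons that bypassed strong authentication, and one account succeeding on two different workstations within minutes, the pattern the earlier post links to password sharing at the nurses' station. The log format, the field names and the sample lines are all constructed.

```python
"""Audit-log checks for "know who is getting on your system" (added example,
not the blog's or Imprivata's code; log format and sample lines are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
SAMPLE_LOG = """\
2009-02-03T08:01:12 user=nurse1 ws=WS-ICU-01 method=fingerprint result=ok
2009-02-03T08:03:40 user=nurse1 ws=WS-ICU-04 method=password result=ok
2009-02-03T08:05:05 user=drpatel ws=WS-ED-02 method=smartcard result=ok
2009-02-03T08:20:00 user=nurse1 ws=WS-ICU-01 method=fingerprint result=ok
2009-02-03T09:10:30 user=drpatel ws=WS-ED-02 method=password result=fail
2009-02-03T09:11:02 user=drpatel ws=WS-ED-02 method=password result=ok
2009-02-03T13:00:00 user=nurse2 ws=WS-ICU-04 method=fingerprint result=ok
"""
STRONG_METHODS = {"fingerprint", "smartcard"}  # assumed policy: these count as strong auth
SHARE_WINDOW = timedelta(minutes=10)           # assumed: two workstations this close is suspicious

def parse(log):
    """Turn the constructed 'ts key=value ...' lines into dicts with a datetime."""
    events = []
    for line in log.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def weak_logins(events):
    """Successful logons that did not use a strong-authentication method."""
    return [(e["ts"].isoformat(), e["user"], e["ws"]) for e in events
            if e["result"] == "ok" and e["method"] not in STRONG_METHODS]

def possible_shared_credentials(events, window=SHARE_WINDOW):
    """Same account succeeding on two different workstations within the window.
    At a nurses' station this is the classic sign of a shared password."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "ok":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= window:
                hits.append((user, a["ws"], b["ws"], b["ts"].isoformat()))
    return hits

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("weak logins:", weak_logins(evs))
    print("possible shared credentials:", possible_shared_credentials(evs))
```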
Have demonstrable ROI for your project
The general consensus of the CIOs I've spoken to recently is that they are being selective in the security projects they tackle in 2009 - undertaking only those projects that can yield immediate results either to improve business productivity or reduce security risk. We discussed this recently with some of our customers in a webinar roundtable discussion. If you weren't able to attend, I encourage you to download the webinar to see how they're addressing the security challenges in 2009.
So what challenges are you facing?
What steps are you taking to tackle security in 2009?
Feel free to email me if your organization is facing a different set of challenges in the coming year.