Avoiding common security and compliance workarounds for medical devices

Jul 30, 2018

Security concerns continue to grow for healthcare organizations as systems integrate new technologies and as electronic patient health information (PHI) proliferates all aspects of the Internet of Medical Things (IoMT). However, increased security measures can quickly turn in to clinical roadblocks as providers spend more time interacting with security barriers and less time face-to-face with patients. Take a network-connected medical device for example, power users like nurses and physician assistants may have to manually log in and out of a device 20 or more times a shift as they move about the hospital, interacting with different patients. At 20-30 seconds per login (if done right the first time), that wasted time can dramatically add up over the course of a day, a week, or a year. As password fatigue, frustration, and productivity toil increases for providers, so does risk for healthcare organizations.

Far too often, in an attempt to reduce the burden of manual authentication and to focus more time at the bedside, clinicians find less than secure ways to access the tools that they need for patient care.

In the second installment of this three-part series, dedicated to educating healthcare organizations on the best ways to implement security measures for network-connected medical devices, we’ll discuss common security workarounds that organizations should watch out for when deploying new security measures.

Issue #1 – Password and credential sharing or leaving devices logged in to one user

When clinicians are required to manually enter usernames and passwords, they often resort to unsecure activities, such as the sharing of user credentials to remove some of their workflow pain points. This can be done in the form of password sharing between clinicians or in the form of clinicians opting to stay logged in to the devices, creating the potential for inadvertent charting under the incorrect clinician ID. Not only does this activity expose organizations to the risk that an untrusted user can gain access to one of these medical devices, it also interferes with data accuracy as audit logs can no longer be trusted.

Issue #2 – Hand written vitals and batch entry

When security barriers prevent clinicians from accessing medical devices, frustration and time sensitivity can often lead clinicians to revert to out-of-date practices such as the manual recording of a patient’s vitals that will then be entered into the EHR at a later time. Not only does this fail to fully leverage the medical devices that organizations have already invested in, but it removes the ability to benefit from the real-time visibility that devices offer through the automatic transmission of data to a patient’s record. Additionally, manual entry of vitals, especially when done at a later time can open up risk for human error, data integrity concerns, and down the line patient safety implications as well.

Issue #3 – Not requiring full, strong authentication

The security and compliance risks of not requiring credentials for network-connected medical devices, or for those that store PHI, are limitless. The risks range anywhere from a HIPAA fine when a patient monitor is left unattended, to an entire network compromise as a networked device is used as a backdoor entry to the HIT infrastructure, or even patient safety concerns in the event an untrusted user pushes incorrect information to the EHR, compromising the integrity of a device’s clinical decision-making support. Due to this scenario, many organizations opt for using only one factor of authentication, whether it be just a user name or a department shared pin. In either event, these solutions are not ideal as they offer unreliable visibility into which user is accessing these devices in addition to limited security when you fail to require multiple factors of authentication.

The industry agrees that security is critical for medical devices and other components of the IoMT ecosystem that capture, aggregate, transmit, or store PHI for healthcare organizations and providers. Unfortunately, when implemented improperly, poor ease of use, due to heightened security, can actually lead to increased risk for organizations. Therefore, it’s critical that prior to implementing a security strategy for medical devices, and other network-connected devices used at the point of care, organizations take time to evaluate the right authentication policies and modalities for each care setting and clinical workflow.

In the next installment of this series we will outline key workflow considerations that healthcare organizations should evaluate prior to selecting authentication modalities for their care settings.

Imprivata is working with leading medical device manufacturers to better enable organizations to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Join our upcoming webinar on August 1st, 2018 for a deep dive into the best practices for implementing access controls on medical devices, or contact an Imprivata representative today to learn more.