Getting authentication right – considerations for medical device security

Drivers such as HIPAA compliance, general PHI privacy, and concerns around unauthorized use have led to increased regulations for medical device security. While healthcare organizations look to implement critical security measures for Internet of Medical Things (IoMT) components, such as medical devices, it’s important to do so in a way that does not impede clinical productivity.

Strong authentication is a fundamental component of securing medical devices, as it addresses many of the top security and compliance concerns for IT leaders today. However, adding an extra step for authentication can quickly become cumbersome, especially when manual entry of a username and password is the native authentication method for a medical device. The alternative – not requiring authentication – opens healthcare organizations up to a great deal of risk, as do inefficient authentication workflows which may create a barrier between clinicians, the technology they are using, and patient care.

This final installment in our three-part series (see parts one and two), dedicated to educating healthcare organizations on the best ways to implement security measures for network-connected medical devices, we’ll discuss the top four areas to evaluate prior to implementing authentication requirements for the field.

1. Workflow considerations

When selecting an authentication modality or workflow, it’s important to understand the care setting in which the authentication will happen. For example, FIPS-compliant biometric authentication may make sense in some areas of the hospital, such as shared workstations or nurse stations, but may not be as practical in care settings where gloves are required. Similarly, while proximity cards are convenient and easily accessible during regular patient interactions, they may not be the best approach to authenticating in operating rooms. Therefore, flexible authentication that gives the user the option of more than one modality can help account for varying scenarios and help to prevent workarounds from being implemented.

2. Single-factor vs. two-factor authentication

Another factor to take into consideration during evaluation of an access control strategy is when and where to employ single-factor authentication and two-factor authentication. The FDA stresses the importance of ensuring that authentication not interfere with patient care. It’s important to consider what level of security is required and practical for each situation. Some workflows, such as transmitting blood pressure or temperature readings, may only require one level of security, whereas other workflows may require multifactor authentication, either due to internal mandates or government regulations (e.g., medication dispensing in certain states). Consult with both clinical and compliance teams to understand which option makes the most sense for your medical devices and care settings.

3. Grace periods

One of the largest roadblocks to access control compliance is the burden put on clinicians to repeatedly enter user credentials throughout the day. Consider implementing grace periods to further streamline authentication once a user has established trust.

In selecting the proper timeframe for a grace period for a medical device, it’s imperative to understand how clinicians are using each device in the field.

A grace period for one type of device, such as a spot check vitals monitor, may need to be different than that of an infusion pump or other medical device.

4. Break-glass considerations

Consider multiple modality options to ensure that trusted clinicians can access medical devices through various methods in the event that one is not available. For example, a patient vitals monitor may be configured to accept a proximity badge for a trusted user as well as the manual entry of username and password in the event a clinician does not have his or her badge. Additionally, a vitals monitor may be configured to only transmit data after authentication, but still allow for vitals to be taken to quickly asses any immediate patient health concerns.

When done correctly, a well-thought-out implementation of new security measures should be able to improve both security and compliance, while also balancing the workflow and productivity needs of providers. Imprivata is working with leading medical device manufacturers to better enable organizations to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Read our whitepaper, Best practices: Access controls for medical devices for more insights into how your organization can successfully balance security and convenience in order to reduce risk for medical devices in your environment.