Overcome risk to drive a successful healthcare IT strategy (Part II)

Joel Alcon
Jan 28, 2019

In Part I of this two-part blog, we highlighted key challenges facing a health system Chief Information Security Officer (CISO), including the ever-present need to manage operational risk and ease-of-use of technology. In Part II, we will examine emerging trends and innovative technologies that are helping to improve patient care, but can have the potential to introduce complexity if approached without a focus on decreasing operational risk and improving end-user experience with technology.

DEA requirements for EPCS
In healthcare, regulations drive much of what you can do from an IT perspective. HIPAA regulations and other federal requirements force you to build an IT strategy that meets these unique requirements. DEA compliance for the electronic prescribing of controlled substances (EPCS), for example, requires certain modalities that allow for secure two-factor authentication, FIPS-201 approved fingerprint biometrics, and push token notification. Healthcare organizations will want to select the two-factor authentication option that best fits provider workflow requirements based on how, when, and where electronic prescribing will take place.

Federal and state mandates, meanwhile, are increasingly prompting providers and healthcare delivery organizations to implement EPCS. The “SUPPORT for Patients and Communities Act” – which President Trump signed into law on October 24, 2018 – includes an electronic prescribing requirement for all controlled substance prescriptions for a covered Medicare Part D drug under a prescription drug plan (or an MA–PD plan). The deadline to comply with this section of the new law is January 1, 2021. With 41M+ patients and 1.4M+ prescribers currently participating in the Medicare Part D prescription drug program, the potential impact is significant, and EPCS requirements are rapidly expanding across the nation.

State legislatures are not only keeping pace with federal legislation, but even exceeding its scope in many cases. In fact, 13 states (NY, ME, CT, AZ, NC, RI, IA, OK, TN, VA, MA, CA, and PA) have already enacted legislation containing full EPCS mandates for controlled substances prescribed in those states. Corporate leaders, meanwhile, are now actively joining lawmakers in the growing push to create a more secure opioid distribution chain. Several large companies are now requiring that prescriptions for controlled substances be completed electronically. Just this past spring, Walmart – one of the nation’s largest pharmacy chains – stated that “e-prescriptions are proven to be less prone to errors, they cannot be altered or copied and are electronically trackable.” The retail giant is requiring EPCS by January 1, 2020.

Interconnected Medical Devices / Shared Mobile Devices
You’ve got a constantly evolving ecosystem of technologies. Medical devices, for instance, are increasingly becoming interconnected. Most organizations segment them from their network, but what happens when they need to connect to your EHR systems and use Active Directory credentials? How do you ensure that these systems have the proper security policies enabled? Are medical devices even monitored by the security group, or are they “owned” by the clinical staff from an IT perspective? As healthcare increasingly adopts mobile technology, the same questions apply to mobile devices. Key questions: are your end-users accessing these devices securely and efficiently? Are passwords or disruptive authentication methods getting in the way of patient care? If the answer is “yes” to any of these, end-users may be less likely to adopt these technologies or to adhere to the security policies governing access to these devices.

Secure Communications: As the use of mobile smartphones increases, you can’t ignore how users communicate across these devices. Consider this: when doctors want to communicate with each other or with additional clinical staff about their patients, they need to trust that their communications are secure and that PHI is protected. If your communications platform is unsecure or difficult to use, clinicians may resort to rogue apps, many of which are not built with healthcare compliance or ease of use in mind.

Patient Identification: And finally, but perhaps most importantly, let’s not forget about patient safety. While that’s often considered a strictly clinical responsibility, IT and security teams play an important role in this area, particularly in terms of patient identification. Are you putting systems in place to prevent duplicate medical records from being created, which can potentially lead to clinical errors? Is the registration process easy for registrars and for the patients themselves?

As you reflect on the areas I’ve highlighted above, consider how you currently ensure that the digital identity of your patients is accurate and protected. How do you establish trust between IT, clinicians, and most importantly – your patients? How do you reduce risk across the organization without diminishing the end-user experience as you adopt new technology?

There’s a gap today that organizations must address to drive a successful IT strategy that is secure, compliant, and delivers a seamless end-user experience. Leading organizations are looking for a single platform that provides simplicity and offers ubiquitous access to a broad range of clinical and non-clinical systems and applications, including EHRs, cloud applications, VPNs, medical and mobile devices, and more. This can also help reduce costs and drive more efficiency.

But security can’t come at the expense of the end-user experience, so organizations need a system that drives efficient workflows across all of these systems. And because of the complex regulatory landscape, they deploy systems that deliver security and full regulatory compliance, giving them a single pane of glass that helps them address any audits that may arise.

This is why more than 6 million clinicians from over 1,900 healthcare organizations across 45 countries trust the Imprivata platform. Imprivata offers a wide range of solutions, including:

  • Imprivata Identity Governance to automate IAM processes
  • Imprivata OneSign to power authentication and enterprise single sign-on
  • Imprivata Confirm ID for EPCS and clinical workflows
  • Imprivata Mobile Device Access and Imprivata Medical Device Access for seamless access at the point of care
  • Imprivata Cortext for secure communications
  • Imprivata PatientSecure for positive patient identification.

Innovative healthcare organizations are bridging the gap between IT, security, and clinicians with the Imprivata platform. As a result, they are reducing risk by protecting the digital identity across the ever-changing threat landscape and they are enabling healthcare securely by establishing trust between people, technology, and information.