Blog Listing

HITECH Act: One Year Later, Are you Ready for Compliance?
On Feb. 17, 2009, the HITECH Act was enacted, giving birth to new tiered civil monetary penalties for data breach violations, new powers to state attorneys general (AGs) for class-action pursuit and new guidelines for technology and methodologies that render data “unusable, unreadable or indecipherable.” While we previously covered how HITECH will make available $2.0 billion in grant money for organizations to transition to electronic medical records (EMRs) and deploy appropriate security measures, the time is now upon us for full compliance. Otherwise, organizations risk significant penalties from the Department of Health and Human Services (HHS)/Office of Civil Rights (OCR). The Healthcare & Technology blog has a good, quick post with some useful resources...
Thoughts from the Siemens Innovations Conference
I just got back from the annual Siemens Innovations Conference in Philadelphia. Imprivata had a booth at the event. I had an opportunity to talk with existing and prospective OneSign customers. Clearly, single sign-on and authentication are top of mind for many of the Siemens customers we spoke with. One thing is clear - CMIOs and IT folks are looking for ways to make application access seamless and secure for the clinicians while NOT changing workflows. Imprivata OneSign is what Siemens Med is recommending as the solution of choice. In fact, there were two customer presentations where OneSign was discussed.
2009 Healthcare IT Security Priorities
In our last blog posting, we discussed three priorities all organizations should focus on in 2009: security, productivity and manageable IdM projects. Today we're looking more closely at enterprise security.
SSO Summit field notes
Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (http://www.ssosummit.com/). Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.
Even Spies Have Password Management Problems
Catching up on some news from last week and I thought Tim Greene’s article in Network World was an interesting piece on the Russian spy ring story that is currently grabbing headlines. One of the most glaring errors made by one of the spy defendants was leaving an imposing 27-character password written on a piece of paper that law enforcement officers found while searching a suspect's home. They used the password to crack open a treasure trove of more than 100 text files containing covert messages used to further the investigation.
2010 Look Ahead: Chief Security Concerns for Chief Executives
As we turn the page to 2010 and look to delve into the top–level security concerns that lie ahead, we’d be remiss not to reflect on those security events that helped shape 2009 into the ‘year of the data breach,’ and take these as learning experiences for the New Year.
The Enterprise Systems Design Challenge: Security vs. Usability
Security expert Bruce Schneier pulls out an interesting excerpt from an essay “When Security Gets in the Way” that is sparking great discussion on his Schneier on Security blog. The essay, from Don Norman’s jnd site, debates security vs. usability, and addresses design considerations for enterprise security systems. This article captures important concerns often discussed in security circles on how to make security stronger without disrupting user behavior. It’s a delicate balance – we often say the most secure computer is the one in a locked room not powered up but that would hardly be usable. At Imprivata we have always believed that usability and security don’t need to be mutually exclusive.
Proving policies work – easing audit and enforcement of physical and logical security
The term 'security policy' used to mean different things to different people. For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing with IT and physical security being managed together. Although they come from separate disciplines, what these two areas have in common is policy.
Saving clicks for clinicians – Imprivata OneSign verified as Citrix Ready
By combining the benefits of roaming desktops with the simplicity of No Click Access delivered by Imprivata OneSign, clinicians can now access Citrix XenDesktop or XenApp with the tap of a badge or swipe of a fingerprint - enabling clinicians to dedicate more of their time with their patients and less time with the computer.
Verity Credit Union Live Webinar - Q&A
Security compliance often requires complex passwords – causing user frustration and helpdesk calls. Jon Wu, System Engineer at Verity Credit Union, joined me for a webinar on how SSO helped Verity increase user productivity and customer satisfaction. Below is the transcribed Q&A from the webinar. View the full webinar here. Question 1: Did auditing play a role in your decision to buy single sign-on, and has it helped with reporting on user access? Answer: Yes it did. When we first mentioned that we would be getting a password program, users were nervous. They thought, “is this password program going to remember all of my passwords and keep it secure?” When we presented to Imprivata, they said no problem, it’s all taken care of. From end to end the passwords are encrypted. Imprivata takes care of both situations, and we don’t have to worry about it being exposed in any way.
Healthcare Leading the Way in Desktop Virtualization
Healthcare has the reputation of being highly resistant to change, that paper-based systems are the best solution and that clinicians will simply not use any replacement. Why else would a hospital have to prove that they are meaningfully using new technology in order to receive the HITECH funding? Couldn’t we just trust them? So who’d have thunk it that in a survey of 477 IT professionals across multiple industries, it’s healthcare that is leading the way in the deployment of desktop virtualization!
How Can Agencies Achieve CJIS Compliance?
As we all know, the CJIS policy is now final and mandates that all agencies must have enforced unique IDs and strong passwords by September, 2010, and that all agencies must comply with the CJIS Advanced Authentication requirement by 2013. However, if your agency has performed a system upgrade after 2005, the 2013 deadline advances to the time of the upgrade. If your agency is audited and found not to be in compliance with the CJIS policy, it could face losing access to CJIS systems.
The X Factor for Maintaining a Successful Deployment
I often have conversations with customers about the level of effort that is required to support OneSign once it is deployed. We usually talk about the resources that are required to work on testing new application profiles or changes to existing profiles, but if you back up one level, you will see the X factor.
Checklist for Healthcare IT Security Compliance Webinar - Q&A
Last week, ecfirst's CEO, Ali Pabrai, joined me for a live webinar that discussed a checklist for healthcare IT Security compliance. If you missed the webinar, you won't want to miss this -- we've gone ahead and transcribed our answers from the Q&A session. Question 1: Where can I go to find out exactly which set of rules / regulations apply to my business? There are so many different ones which change often that it's difficult to stay current. Answer: That is one of the areas that must be addressed in a comprehensive risk analysis activity. It’s critical to keep up with HITECH Act changes. The best source is the OCR site at www.hhs.gov. Also, it’s important to keep up with State regulations, especially CA, Massachusetts, etc.
NHS Scotland Updates eHealth Strategy
Following the announcement that NHS Scotland had selected Imprivata to provide single sign-on for all of its health workers across Scotland, the Scottish Government has published an update to their e-health strategy for 2011-2017.
EMR Adoption.. How Fast?
Recent survey results released show only 50.7% of U.S. hospitals with implemented electronic medical records (EMRs). While transitioning to a paperless system seems to be a logical evolution in the health care system, the rather slow rate of EMR adoption does not surprise me. Even with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in February 2009 which attached a monetary incentive to implementation, technologies that do not seamlessly fit into clinicians’ day-to-day activities, improve patient care, and enable them to work more efficiently fail to achieve widespread acceptance. In order to improve EMR adoption rates in the U.S., we must provide doctors with tools that do not disrupt time spent with the patients, while enhancing their ability to access vital information quickly and efficiently.
VMworld 2011: From the Show Floor - Part 3
The highlight of today was undoubtedly the customer panel in the session Healthcare and the Journey to the Cloud- State of the Industry.
The Meaning Behind Meaningful Use
There's been a lot of talk and focus on the Meaningful Use provisions of the HITECH Act. I worry that we're becoming too focused on the details of Meaningful Use, and losing the bigger picture. The government instituted the Meaningful Use criteria and incentives because they believe that electronic medical records can improve quality of care and access to care – but only if the EMR solutions are actually deployed and used. Hence Meaningful Use.
Is Your Agency in Compliance with the FBI CJIS Advanced Authentication Security Policy?
Many agencies that I’ve spoken to are not aware of the Advanced Authentication requirements of the FBI CJIS Security Policy 5.6.2.2 and are therefore not aware that they may be in breach of this requirement. This video will quickly enable you to find out whether you may be in breach and how Imprivata can put you back in compliance.
Mahaska Webinar - Q&A
Last month, Kristi Roose from Mahaska Health Partnership joined me for a live webinar that discussed deploying SSO and Strong Authentication, and the steps you can take to get to Meaningful Use faster. If you missed the webinar, you won't want to miss this -- we've gone ahead and transcribed our answers from the Q&A session. Question 1: How long did it take to roll a unit out to all the departments and how long did it take to see acceptance to the change? Answer: We approached these rollouts one unit at a time, and the time frame depended on the number of users. Usually it took about 1-2 weeks per unit to make sure that everyone was comfortable with the product. Once the unit was rolled out acceptance was immediate; customers were grateful for the product and relieved to be able to access data more easily. It was a relief for their workflow.