Risky processes, uncontrolled access, and frustrated clinicians: Tales from the frontlines with Claire Reilly, RN MSc

Healthcare organizations across the globe experience obstacles that block technology ROI and hinder patient care. This blog post explores many of the unnecessary difficulties faced by a typical hospital participating in our Clinical Solution Assessment engagements. 

Desktops left unsecured, lost mobile devices, and hospital information shared on personal emails are just a few of the concerning findings from our Tales from the Frontline series. The series examines consolidated and anonymized findings from our Clinical Solution Assessments at various healthcare delivery organizations and provides valuable insights into the common reasons why organizations might not be getting the full benefit of their technology investments.

No value without adoption

In our Clinical Solution Assessments, clinicians often explain that they come to work to save lives – not to adapt their workflows to technology. They won’t ignore the needs of patients to resolve problems with a device or tool; they’ll simply move forward without it.

These assessments confirm what Imprivata has long known – clinicians are highly unlikely to adopt technology that isn’t seamless and efficient. And no one can get value from unused technology.

To illustrate the types of challenges we hear about time and again, I’ll use the name CityPoint Hospital – a fictional example that’s very real in terms of aggregated experience.

Mobile device mayhem

Phone with stickyCityPoint Hospital owns 1,500 shared mobile devices they keep stored in a cabinet within each unit. However, the devices inevitably travel around the hospital throughout the day, ending up somewhere different than where they began. It’s a natural outcome considering the territory covered during most shifts. Still, these migrating mobile devices result in other users finding a shortage when they open the device cabinet at the start of their own shifts.We noticed some users resorting to placing stickers on shared mobile phones to prevent other clinicians from taking the devices away. One nurse told me, “I would come into my shift and there would be 8 devices available for 12 nurses. Nobody knew where any of the phones were.”

Furthermore, if a device’s battery was low or dead, it was the clinician’s responsibility to switch it out – a simple task, but one there simply isn’t time for during the average hospital shift.

Cluttered desk with phones
“If a clinician can’t get a working phone at the start of their shift, they move on with their day without it”. 

When CityPoint clinicians do get their hands on a working mobile device, they view it as a great tool for swift clinical communication – both texting and calling. Mobile devices offer seamless communication among care team members for ongoing patient care collaboration, and portable access to data that’s crucial for clinical workflows. Ensuring seamless access workflows for mobile devices supports good outcomes for patients while helping to reduce clinician burnout.

More mobile obstacles

But the uncertainty of whether clinicians can get their hands on a functioning mobile device is just one of the reasons that CityPoint Hospital doesn’t reap the full benefits of their mobile program.

I noticed that clinicians need to log in to four key applications when starting their shifts, with each application requiring a username and password. If the application contains protected health information (PHI), clinicians not only have to manually enter their username and password for access, but the applications also time out every 15 minutes. If an application times out without the user immediately reauthenticating, the clinician will stop receiving notifications from their communication app, which can hinder and delay patient care.

Rows of vulnerable desktops

As I walked through CityPoint Hospital’s emergency unit, I noticed many desktops left unsecured with clinical applications still open. This is a clear privacy issue and cybersecurity risk, and yet the reasons behind it are easy to understand.

Clinicians use numerous applications throughout each shift, and most require unique username and password combinations. Because manually logging in to desktop workstations and multiple applications is such a long and tedious process, clinicians often choose to leave workstations vulnerable to unauthorized access to avoid having to log in again. And since these are shared devices, leaving applications open for anyone to step in and use also makes it impossible to accurately audit user activity.

Clinicians risk shortcuts for the sake of their patients

One physician is so determined to keep her computer on and unlocked while she goes to see patients, she bought an agitator pad to keep the mouse in continuous motion. Another nurse finds dashing back and forth between patient rooms and desktop workstations so inconvenient, she’d rather complete intakes and take vitals for all patients on paper before returning to enter the information into the EHR.

Some nurses address the problem of having to repeatedly log in and out of workstations by lugging laptops around the unit throughout their shift. Others choose to remain logged in on a desktop, but turn off the monitor in hopes of protecting sensitive data.

Ultimately, the inconvenience and wasted time engendered by security precautions increase overall frustration and distract from tasks that demand a great deal of energy and focus.

The clinicians I spoke with understand that the security shortcuts they take are risky, but they also believe that the need to deliver efficient patient care supersedes those risks. Clinicians are acutely aware of how every minute they spend accessing applications and data is a minute stolen from patients.

The burden of endless manual logins

In the hospital’s ambulatory department, a clinical pharmacist shared that she must manually re-authenticate her access hundreds of times per day. Although she works at the same workstation all throughout her shift, she’s repeatedly required to authenticate for frequent tasks like dose verification and counseling attestation.

An inpatient pharmacist expressed the same sentiment, sharing that he manually reauthenticates with a password around 100 times per day for IV prep and compounding. A CityPoint clinical pharmacist told me, “One time, I spent an entire night in the OR pulling medications for an anesthesiologist, because he was unable to reset his password so he could pull medication.”

The risks of uncontrolled access

CityPoint Hospital kept documents stored in Google Drive for ease of access. I noticed that some clinicians logged in with their personal Google accounts, while some units created their own Google accounts to access information using a shared password. In several units, I found personal documents stored locally on desktops.

I also learned there was also no process in place for deprovisioning users. Clinicians who had left the hospital months ago could still access hospital documents via their personal Google accounts. In one unit, managers were responsible for emailing IT to revoke application access when employees left the organization.

There was also no set process for provisioning new users. I spoke with a nurse who recounted one of the many times this caused problems after a new team member joined. “Our patient workload was overwhelming,” she said, “so we were thrilled to welcome a new nurse to our team. But during her first few days on the job, she was unable to access the EHR. As a result, she spent most of the week just observing us work.”

Another CityPoint pharmacist shared that she often had students come in for internships. But because the interns couldn’t get EHR access from day one, she’d have to let them use her own credentials. Sometimes the students were forced to keep using the pharmacist’s credentials for over a week.

No one is comfortable with this widespread, uncontrolled access, but clinicians don’t have the power to do something about it – no matter how risky the situation may be. A clinical informatics specialist shared how she was shocked to discover that she still had the privileges of a floor nurse, even though she hadn’t stepped on the floor in three years.

The solution they need

CityPoint Hospital’s inconsistent and complex processes for access, authentication, and reauthentication into applications and devices substantially inhibits their clinicians’ ability to use the EHR. The organization’s security measures make for a poor clinician experience, essentially putting technology in the way of patient care. The productivity of new users is hampered by delayed access to the EHR and other essential applications, while the continued privileged access held by departed users poses a significant security risk.

There are solutions and strategies to overcome all of these problems. With the right tools, CityPoint – and you – can simultaneously enhance security and efficiency, with safe, convenient, and seamless clinical workflows.

Book a meeting to learn how Imprivata can improve user experience across workflows at your organization – driving clinician adoption, reducing burnout, and optimizing the EHR at scale.