Webinar Q&A: Mercy Health System Speeds Access to EpicCare and Increases Clinician Satisfaction

Mercy Health System’s Manager of IT Systems, Ben Exley, recently presented as part of the American Hospital Association’s (AHA) Signature Learning Series. Mercy was facing a “big bang” roll-out of Epic to 3,800 users and wanted to ensure that clinician adoption of the new system would be as smooth and seamless as possible.

In addition, Mercy was looking to solve the dreaded “password problem” – the helpdesk was swamped with calls from clinicians who were struggling to remember the 8-10 user names and passwords that they were using to log in and out of systems 20+ times per day.

The audience for Ben’s AHA session was very interactive, with a great Q&A session. Ben was joined by John Clark, product manager at Imprivata. The summary of the Q&A is below. You can also read a case study version here.


Was Mercy Health able to achieve the integration with Epic and the controlled substance prescription writing easily?

Ben: As far as controlled substances go, we are in that strategic wait; Epic hasn’t certified with Surescripts and the prescribing vendor. As a corporation we are deciding if we want to do fingerprint, RSA secure tokens or something else. We have it in a proof of concept stage, but not rolled out for e-Prescribing since that’s not really an option yet for us.

John: The most critical factor is that your EMR vendor is ultimately the one that has to be certified in order for you to start doing e-Prescribing of controlled substances.  The Imprivata piece is just one component so that is still something that Epic is working on.

How quickly do you have Epic logging out to assist with HIPAA compliance? Do you delete the data that is in progress or do you suspend that work, and are there any clinical problems with that?

Ben: The first part of that is timeout, which will vary by organization to determine what is reasonable for a timeout. We’ve settled on 15 minutes of inactivity, which might be too long for some people. Some organizations might think that should be shorter, some maybe longer. You have to do what’s right for your organization. For data that is in progress, if Imprivata secures or logs out a user who is in the middle of entering a note, the rule of thumb is it’s going to depend on whatever note or order that was. You probably would want to double check with Epic on exactly what’s going to happen in exactly that situation, but that’s been our rule of thumb we go by.

Was there a previous SSO before your selection of Imprivata and, as a follow-up question, what specific process did you go through in selecting Imprivata as your SSO solution?

Ben: We did not have anything that we were replacing, so this was a brand-new technology for us. To sum it up, we did the vendor RFI process, we did the research on who and what was out there through the RFI process, and those that responded we evaluated. We narrowed it down to Imprivata and one other vendor for an on-site for a lab and proof of concept. What really differentiated Imprivata was that instead of profiling the applications for us, they showed us how to do it ourselves. We got a good sense of how easy it was to profile applications, which was a big differentiator for Imprivata. We knew we could do this ourselves without a ton of work.

What is your planned configuration for the ambulatory patient rooms and your timeline for implementation?

Ben: We are looking at this strategically now. I suspect that we will end up doing a biometric authentication like a fingerprint reader that will be available for those e-Prescription options. Whether our physicians are going to sign in the rooms or going to sign in their office, I don’t know yet, but obviously there is going to be a push to have them sign into the rooms, so we’ll probably put those in a lot of places. You want to be sure; that’s certainly an expensive hardware and infrastructure investment to put in a lot of rooms, so we are waiting right now to make sure that the Epic side of it is going to be ironed out before taking the next step.

What applications and systems are your physicians using through the SSO?

Ben: Epic is the big one, but we do have other systems that our physicians interact with where we have enabled SSO for easier login. We SSO-enabled their web-based email, and they can also get our immunization registries through the State of Wisconsin and their dictation systems. A lot of what our physicians do has migrated centrally into Epic, but a lot of our nurses still use many different applications during the course of their day. This includes the lab system, ordering items from our materials department, the time keeping system, etc.

The Windows screen locks after 15 minutes; how does SSO help that?

Ben:  SSO gives us the opportunity to put in a timeout to better manage a workstation based on where and what type of workstation that is. For example, a shared workstation in a public area or a single-user workstation in a locked office will have different requirements for lockout times.  There are a lot of pieces to that puzzle—Epic has one timeout and if you use Citrix, they could have a different timeout.  We set SSO to have the shortest timeout, and go from there.

Are you able to integrate with Citrix and have you used or tried Citrix password management?

Ben:  We did evaluate Citrix password management as part of our process, being a Citrix shop already when we started this.  They were not one of our finalist vendors.  We just didn’t feel like they would have a lot of features that we wanted.  That might be different for different customers.  It does work through Citrix, but we use Epic nearly exclusively.  John can probably talk a little bit more about Imprivata’s partnership with Citrix too.

John: When we spoke, Ben, I think that one of the things Mercy really needed was a shared, generic, kiosk workstation that allowed users to switch back and forth on those endpoints. You needed to be able to switch the user’s identity automatically within the Citrix session so that you could make sure you signed the right people in. That’s an advanced feature that Imprivata has developed that not all the other vendors out there support. It is a key workflow requirement from almost every hospital/healthcare organization that we talk to now. Fast user switching on generic workstations, and keeping in mind the fact that the Citrix user’s identity never changes because it’s a generic Citrix session or an anonymous session. Imprivata® OneSign has special capabilities to switch the user’s identity within that generic Citrix session.

Do you or did you have any issues with lost or stolen badges?

Ben: We did and I’m sure we will continue to. Imprivata allows us to set a grace period, from one minute up to large values, where within that grace period you are allowed to use your keycard and only your keycard. When that grace period expires, you are going to get prompted to provide your second factor, and in our case we chose to use the clinician’s network password along with the keycard.

For clinicians, at the first tap of their ID card of the day, they are prompted to provide their Mercy network password and that allows us to double-check and verify that it’s really still the same user using that keycard.  You can make that a shorter time period and make people verify more often—Imprivata offers that flexibility to set your own timeout limits.  That limits the amount of possible harm that could happen if a user’s keycard is lost or stolen.  In Mercy’s case, it is only going to be active for at most 13 hours, so if it is lost or stolen, access will be very limited. 

Do you have software as a service (SaaS) applications integrated with Imprivata’s SSO solution?

Ben:  Yes we do. For the SaaS vendors who are better at communicating with us about upcoming changes, we felt pretty comfortable about developing SSO for them.  The SaaS vendors that we are a little bit leery about are the ones that have a habit of switching up their login look and feel pretty often.  We do have several SaaS applications SSO-enabled, and they are working well.

How much IT development time is required to enable SSO for a given application and does that integration have to be re-established or re-built whenever there is an upgrade to that application?

Ben: It depends on the application. If it’s a web-based application it is generally pretty fast. You might be able to knock out the basics in an hour. If you spend five hours on it and if you have the ability to recreate all the possible password-expired workflows, password-failed workflows, you know, it could be as simple as ready to go live in probably five to ten hours of development. The timeliness really comes down to the application and how easy it is to experience all the different workflows so that you can record them and essentially train SSO in how to act. Some applications are more difficult than others, of course. We have some crazy, crazy things where we have some applications where one EXE launches when you launch the program and when you log in it launches a completely different executable file that doesn’t seem to be related at all, but we’ve made them work. Some require more time than others, but we haven’t run into one yet that we absolutely couldn’t make work.

Have you conducted any time studies to see how much time a clinician can save using Imprivata to access Epic and what Imprivata functionality are you using to achieve those clinician savings?

John: The Ponemon Institute did a study of several hundred end users out there to try to get some quantitative measurements of this, and the savings were quite significant. Ponemon found an average savings of 15 minutes per day per clinician, which is really amazing when you think of how many clinicians work in one hospital alone. I encourage you to take a look at the study.