Identity 360 blog
Buzz on the HIMSS Floor – Secure Authentication for Patient Records
Just back from the HIMSS 09 conference in Chicago...
It was a great opportunity meeting with our healthcare customers and talking to prospective customers and partners. In the last blog posting, I discussed what I thought some of the bigger trends would be at the conference this year. Here is what I found:
Stimulus bill impact on Healthcare IT - The movement of the government to reshape the medical industry by creating a central repository of computerized medical records has everyone vying to figure out how they fit in - from the vendors to the healthcare providers. We covered the stimulus bill and the potential impact on data security in a recent blog posting called Stimulating Strong Authentication.
Virtualization - Heading into the show, I thought this would be a big topic, and that is what I found. As many providers have attested, healthcare organizations need to give physicians the ability to roam from room to room while maintaining a consistent experience as they change locations within a shift. Strong authentication is a critical component of a VDI environment: it enables secure authentication into a desktop, locks the station when the user session ends, and is critical in reconnecting the user to his/her desktop session. We had tremendous interest from customers and partners at HIMSS, a great indication that this will be a hot topic moving forward in 2009. See my past blog post on this very topic to understand why.
Authenticating patients to their records - We've steadily heard more chatter about the need for patient record authentication and eliminating the possibility of associating the wrong patient record with a patient. This is a big step towards improving data security but, more significantly, towards reducing the possibility of holding incorrect information for a patient because of an identity mix-up. As this is rolled out, we'll see an environment in which clinicians are not only authenticated into applications, but patients are also authenticated to the right medical record. This becomes especially relevant as health information systems start to share information and the odds of a namespace conflict increase.
Share your HIMSS insights.
Trends Heading in to HIMSS - Strong Authentication and Virtualization
HIMSS is right around the corner.
It's one of our favorite conferences of the year, as we get to see many of our healthcare customers all in one place. As I mentioned in my last post, if you're attending the conference this year, please plan to stop by our booth (#7339) and say hello, or check out the presentations by Imprivata's customers. OhioHealth and Southwest Washington Medical Center will be discussing the 'Paperless Hospital' and 'HIPAA Audits' respectively. Details on times and location are available on our HIMSS 2009 events page.
With all the focus on healthcare now, what trends am I going to be looking for at HIMSS this year? Here are a few topics that our customers have shared with us:
- Desktop Virtualization - The healthcare industry is at the forefront of adopting desktop virtualization. CIOs have embraced the technology as a way to reduce the IT costs associated with desktop maintenance and to improve user productivity. As virtualization continues to proliferate, it will be interesting to hear about how these healthcare organizations are applying strong authentication to manage user identities, roles and access policies in this new virtualized environment where policies can be applied to even control the type of desktops that a user can run. The coordination and enforcement of access policies across this virtualized environment is a critical next-step in the adoption of this technology.
- Electronic Medical Records (EMRs) - According to a recent survey conducted by the New England Journal of Medicine, only 9 percent of hospitals have adopted EMRs to date, with the exorbitant costs of the systems being the main barrier. As vendors try to figure out where they are in EMR development, I expect to hear how hospitals are taking an incremental approach to supporting EMR, such as digitizing records on smaller scales before a major roll out. With so many things to consider, I'll be most interested in learning how this "walk before you run" approach impacts data security and how organizations review their policies around providing stronger user authentication to prevent data breaches.
So what topics and trends are you most excited about heading into HIMSS?
Email me and let me know, or stop by our booth at the conference and tell me what's on your mind.
Tips for Implementing Healthcare SSO and Strong Authentication
We often hear of security getting in the way when it comes to clinicians wanting immediate access to patient data. Since it's better to hear from one's peers, Imprivata asked some of its healthcare customers for tips on implementing single sign-on and strong authentication to eliminate password management headaches, and on how doing so made it easier for clinicians to get access to the records they need.
As we turn our attention to HIMSS 2009, we want to share our customers' advice, thoughts and concerns on how best to navigate through the employee access management obstacles:
"Make your users part of the process." Seek their advice and learn their needs. We set up a physician steering committee to help guide our identity management strategy. It not only helped us to find the right product for our users' needs, but it helped us when the time came to roll out to the users. They were invested and ready to adopt the new system. Dr. Michael Westcott, Chief Medical Information Officer, Alegent Health
"Perform due diligence to find the best form of strong authentication for each of your user groups." Remember that different user groups have different requirements for access. Make sure that the solutions that you are considering are flexible enough to accommodate the access needs of all groups - today and down the road. Dr. Stephen Patterson, Chief Medical Information Officer, H. Lee Moffitt Cancer Center - Tampa, Florida
"Understand the workflow of your shared workstation departments." If more than one person will be using a given workstation, you must validate that the SSO solution will not harm or break the existing workflow. Some SSO vendors handle fast-user-switching well, others do not. A quick-and-clean log-off can be as important as a quick logon. Find and work with your workforce experts. They will be a huge part of your success if you enlist their help at the beginning. Christopher Paidhrin, HIPAA and Security Officer, ACS/Southwest Washington Medical Center, Vancouver, Washington
The full 6-page paper, "A Healthy Dose of Advice for Managing Clinician Access to Patient Data," is a quick read that outlines 20 tips you may find useful for getting the most out of your healthcare access management initiative. Do you have any tips to add to the list? If so, post them in the comments section for others to see.
Also, if you're at HIMSS 2009 in April, come by the Imprivata booth. And, check out Imprivata customers OhioHealth and Southwest Washington Medical Center when they talk about 'Paperless Hospitals' and 'HIPAA Audits', respectively. More details are available on our HIMSS 2009 events page.
Hope to see you there!
--David
OneSign Customers Talk Shop: Fingerprint Biometric Security, Password Management and Security Risk
We've found that the best resource for better understanding how to solve employee access management is our customers. So, as a few of our customers have shared details of their OneSign experiences over the past week or so, I thought you may want to hear what some of them are saying and doing.
CSOonline.com's Joan Goodchild created a cool video-based interview with Bill McQuaid on how Parkview Adventist combined OneSign with fingerprint biometrics to improve productivity, streamline operations and minimize security risk. Check it out here. Key take-aways from Bill when deploying systems are:
1. Test, test and test again: with physicians and nurses you only get one chance to get them to buy in (which they did at Parkview)
2. Have a comprehensive training program: training up-front minimizes helpdesk calls later
3. Have a back-up plan: at Parkview, employees have several fingers scanned in case the biometric doesn't scan properly
Over at SearchCIO.com, Linda Tucci chatted with Chuck Christian about Good Samaritan Hospital's single sign-on deployment, capturing the hospital's experience using OneSign for the past four years. Chuck shares advice on how he evaluated SSO solutions, how he got executive buy-in early on, and once installed, his ability to quickly change employee access (including complete shut-off) and how he deters bad security behavior by ensuring everyone is clearly aware of audit features. The full story is here, and his advice is worth reading.
Anne Gabriel talks with OneAmerica's Jeff Hornung about the intersection of employee productivity, SSO and security for a story in Insurance & Technology. Jeff explains his experience rolling out SSO to 1,500 users, and how that has translated into a 15 percent drop in help desk calls (and 50 percent for one specific application!) and enhanced employee productivity. Next up for OneAmerica? The life insurer will "leverage Imprivata's two-factor authentication and biometric device capabilities to meet changing needs and regulations" according to the article.
Tell us how you're using OneSign, and what's working for you. We'd love to hear it.
David
Stimulating Strong Authentication
The stimulus package recently signed by President Obama has been the cause for vigorous debate. One by-product of the package that has not been widely discussed is a provision that would reshape the medical industry by creating a central repository of computerized medical records for all Americans. An increase in the volume of electronic information of this magnitude exponentially raises the risk of a security breach, which is what we'll focus on today.
While the program sets high goals of making records accessible, increasing healthcare efficiencies and reducing costs, security for a program of this magnitude needs to take a zero-gap approach - removing any security risk that could lead to a data breach. When you consider the number of sources for medical information, and the number of healthcare employees across the country, security for a project of this size represents some huge challenges.
So where do we start? From a data security standpoint, a lot can be learned from the hospitals and healthcare facilities, which have spent years focused on HIPAA compliance, as well as from other countries that have embraced a similar approach to digital medical records.
We've seen customers such as OhioHealth go completely paperless, with digital record keeping replacing the extensive paper files commonplace in the industry. OhioHealth took an innovative approach to securing patient data from the access standpoint, leveraging single sign-on as the core of its digital authentication strategy and ensuring that employees can access the applications and information they need only after first authenticating via a biometric device or strong password.
Controlling the access is only part of the equation. Once in, there is a need to monitor and control how the information is being used; preventing a breach once initial access has been granted. While the proper steps may be taken to authenticate a user, what happens when the clinician walks away and leaves the computer in a compromised position? And, when a life or death critical order needs to be placed, or a prescription filled, the proper doctor, nurse or clinician must be tracked to that activity.
Making the medical records of hundreds of millions of citizens accessible is certainly a step forward, yet keeping them private is a tremendously complex problem - one that will need to be addressed before the program can move forward in earnest.
What are your thoughts? Email me and let me know.
2009 Priorities: Security and Strong Authentication
In our last blog posting, we discussed three priorities all organizations should focus on in 2009: security, productivity and manageable IdM projects. Today we're looking more closely at enterprise security.
Businesses continue to grapple with economic realities, making hard decisions to stay competitive during the downturn. These decisions can have a negative impact on IT security, as IT staffs are re-organized, budgets slashed and security professionals tasked with doing more with less while still addressing data security. Unfortunately, as this is happening, the number of vulnerabilities they're tasked with covering is growing. The latest news about the logic bomb at Fannie Mae just reinforces the need for additional vigilance as organizations downsize.
The challenges can be overwhelming, but they're not insurmountable. So where do you start? The important thing is to have a plan - think through the challenges and anticipate possible problems. With that in mind, here are three areas you can address to make sure your company is secure:
Identify and deal with your greatest areas of risk
It may sound simple, but it represents a shift in philosophy and mindset, moving away from comprehensive, enterprise-wide projects that take years to fully implement with little to show for them in return. Given the constraints in staffing and budgets, IT staffs need to focus on the immediate areas of security risk and make sure those gaps are closed. For example, if you're undergoing a company-wide reorganization, start by asking yourself: Can we immediately revoke the access of former employees, and alter the access of employees whose job functions have changed? Are we fully aware of all access points of dismissed consultants? If the answer is no to either of those questions, then you're at risk and have identified your first project. Assess what potential damage can be done if revocation is not immediate or all-inclusive.
To understand the risk you face, just look at the case that came out last week about the former employee of Fannie Mae who was charged with implanting malware on the company's network that could potentially have caused millions of dollars in damages. While the case is still pending, the fact remains that this former employee, in the time between when he was informed of being laid off and when he left the building, was able to plant a logic bomb that could have wiped out data on 4,000 servers. This remains one of the biggest security risks facing organizations - one that can be dealt with quickly and efficiently with the proper systems and processes in place.
Know who is getting on your system
Trust has never been a sound security strategy, especially when you consider the number of insider-related security breaches over the last year. The nature of business dictates that you need to know what your employees are accessing, which means having the ability to track users and audit usage. Having confidence in who is getting on your system means relying on more than a username and password to establish who someone is. It means relying on strong authentication and using a comprehensive model of device-based authentication to prove the user's identity. The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for corporate-wide deployment of technology that is now mainstream. Think about this in the context of what happens if the wrong person is getting onto a computer, the network, or an application, or conducting a transaction within an application. It's become best practice in many businesses to require biometric authentication or building smart cards for enforcing user authentication and access whenever sensitive information or applications are at stake.
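The two questions above, "can we immediately revoke the access of former employees?" and "do we know who is getting on our system?", both come down to reconciling three records that are usually kept by different teams: the HR termination list, the account directory, and the authentication log. The following is an added example, not Imprivata code or anything from the post; the HR feed, directory export and log lines are all constructed, and the log format (timestamp, user id, result, host) is an assumption chosen for the example.

```python
"""Added example: find accounts that should have been revoked, and logon attempts
made after a termination. Not from the original post; all data here is constructed."""
from datetime import datetime, timezone

# Constructed HR feed: user id -> termination time (None = still employed).
HR_TERMINATIONS = {
    "jdoe": datetime(2009, 2, 10, 17, 0, tzinfo=timezone.utc),
    "consult01": datetime(2009, 1, 31, 12, 0, tzinfo=timezone.utc),
    "rnurse": None,
}

# Constructed directory export: user id -> account enabled flag.
# "ghost" has no HR record at all, the kind of leftover consultant id the post warns about.
DIRECTORY = {"jdoe": True, "consult01": False, "rnurse": True, "ghost": True}

# Constructed authentication log (assumed format: timestamp user result host).
AUTH_LOG = """\
2009-02-09T08:02:11Z jdoe SUCCESS ws-er-03
2009-02-11T21:45:07Z jdoe SUCCESS vpn-gw-1
2009-02-12T03:10:49Z consult01 FAILURE vpn-gw-1
2009-02-12T07:30:00Z rnurse SUCCESS ws-icu-12
"""


def stale_accounts(hr, directory, now):
    """Return (user id, reason) for every enabled account whose HR termination time has
    passed, and for every enabled account with no HR record (an orphan)."""
    stale = []
    for uid, enabled in directory.items():
        if not enabled:
            continue  # already revoked; nothing to do
        if uid not in hr:
            stale.append((uid, "no HR record"))
        elif hr[uid] is not None and hr[uid] <= now:
            stale.append((uid, "terminated " + hr[uid].isoformat()))
    return sorted(stale)


def post_termination_logons(hr, log_text):
    """Return (timestamp, user, result, host) for every logon attempt, successful or
    failed, made by a user after that user's recorded termination time. Failed attempts
    are kept on purpose: a disabled account still being tried is worth an investigation."""
    hits = []
    for line in log_text.splitlines():
        ts_text, user, result, host = line.split()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        term = hr.get(user)
        if term is not None and ts > term:
            hits.append((ts_text, user, result, host))
    return hits


if __name__ == "__main__":
    review_time = datetime(2009, 2, 15, 9, 0, tzinfo=timezone.utc)
    for uid, reason in stale_accounts(HR_TERMINATIONS, DIRECTORY, review_time):
        print(f"REVOKE  {uid:<10} {reason}")
    for hit in post_termination_logons(HR_TERMINATIONS, AUTH_LOG):
        print("INVESTIGATE", *hit)
```

Run as a daily job, the first function is the "immediate revocation" check and the second is the audit the post says everyone should know exists; an orphan account with no HR record is reported even though nothing in HR says it was terminated, because nobody currently vouches for it.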
Have demonstrable ROI for your project
The general consensus of the CIOs I've spoken to recently is that they are being selective in the security projects they tackle in 2009 - undertaking only those projects that can yield immediate results either to improve business productivity or reduce security risk. We discussed this recently with some of our customers in a webinar roundtable discussion. If you weren't able to attend, I encourage you to download the webinar to see how they're addressing the security challenges in 2009.
So what challenges are you facing?
What steps are you taking to tackle security in 2009?
Feel free to email me if your organization is facing a different set of challenges in the coming year.
