Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Balancing Simplicity With the Exploding Challenges of Medical Device Security

Posted on December 3, 2018 I Written By

The following is a guest post by Gus Malezis, President and CEO of Imprivata.

The digitization of healthcare has allowed healthcare organizations to utilize robust technology such as network-connected medical devices to help improve both patient care and provider experience across the entire care continuum. Within this Internet of Medical Things (IoMT), medical devices can track and monitor patient stats, provide diagnostic information, help ensure lifesaving care delivery, and even make recommendations on treatment and clinical decision support – all while communicating directly with healthcare IT systems to ensure more complete and accurate patient medical records.

With these benefits of digitally connected medical devices, however, we now must consider and address a series of issues that are introduced with network connectivity and automated data integration; issues that relate to patient health and safety, cybersecurity, and compliance.

Simply put, advanced network-connected technology opens these devices to the risk of exploitation and compromised patient safety from both internal and external threats. Whether it’s an uninformed patient making changes to an unlocked infusion pump, someone stealing valuable protected health information (PHI) stored on an unattended device, or a cybercriminal using a network-connected medical device to gain backdoor access to a hospital’s entire network or disable the function of the devices (for the purpose of extracting ransomware), medical devices are now a source of risk for both healthcare organizations and patients. Compounding this issue is the fact that medical devices frequently run outdated operating systems and applications, all of which are difficult, or even impossible, to patch or otherwise protect with other standard security measures.

By 2020, the number of IoT devices is expected to reach 20.4 billion, and the number of IoMT devices is expected to reach 161 million. These numbers of incremental networked devices are truly staggering, which proportionally increases the risks of hacking, compliance, and health and safety. Clearly, healthcare IT can no longer afford to manage medical devices under current security protocols.

How locking down affects provider workflow

To address this threat and mitigate the risk posed by IoMT devices, organizations naturally look to implement security systems and tools that will safeguard the devices, enable only authorized personnel to interact and adjust/calibrate the devices, and safeguard access to patient records, clinical applications, and other sensitive data. Before implementing such solutions, however, healthcare organizations should consider several factors – particularly those relating to workflow.

Unlike other industries, healthcare can’t simply lock down information by building multi-layer security. Additionally, the focus is always on patient care, so minutes…and even seconds…truly matter, and clinicians need fast, unimpeded access to patient information. Layering in cumbersome security protocols has the potential to introduce new workflows, or create barriers to care. It is therefore critical that healthcare systems designers and architects consider several key factors when evaluating security options.

For starters, think about workflow integration: Any security tool should allow for optimal workflow efficiency among users, and that means the clinical staff and providers should not need to be “trained” on something new, or adopt a new workflow. Ideally, this means finding flexible and easy-to-use security tools that meet current existing workflows and preferences. Choosing easy-to-use options allows for security to be transparent so providers can focus on patient care, not on technology. For example, clinicians are accustomed to Tap-in and Tap-out (TITO) technology as a means of accessing HIT windows-based systems. This same workflow should be integrated and facilitated in anything new, thereby enabling secure and compliant access by utilizing a current and well known and adopted workflow. This is a win-win-win…the clinical staff win by using the same workflow, while IT, Cybersecurity, and Compliance teams also achieve their goals.

Another key factor is extensibility to other workflows: The need for security stretches across a number of different business and clinical workflows and applications. Healthcare organizations should look into a solution that provides the extensibility to meet all workflow needs, with the same consistent and transparent workflow model.

Addressing this challenge requires fast, efficient, and secure authentication for all devices that require security, including medical devices. For medical devices already requiring user authentication, appropriate security tools can improve efficiency by replacing the cumbersome manual entry of usernames and passwords with fast, automated authentication through the simple tap of a badge. Here we want to leverage the same consistent and transparent workflow model.

This way, organizations can optimize their use of interconnected medical devices to improve the delivery of care. They also maintain security and meet regulatory compliance requirements while ensuring efficiency for providers and giving them more time to focus on patient care.

Focusing on physical security and ID/Access control can enable the right balance — something that’s uniquely necessary in healthcare. A healthcare organization’s medical device access security plan should be part of a comprehensive identity and multifactor authentication platform for fast, secure authentication workflows across the healthcare enterprise. The medical device piece should combine security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.

As organizations are tuning in to the unique challenges of the IoMT era, it’s time to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Doing so achieves the balance necessary to ensure both security and flexibility.

About Gus Malezis
Gus Malezis is the President and Chief Executive Officer of Imprivata. Gus is widely recognized as a visionary leader in the information technology security industry where he brings more than 30 years of experience driving innovation and growth while building market leading organizations. Prior to joining Imprivata, Gus was most recently the President of Tripwire, a leading global provider of endpoint detection and response, security and compliance solutions. In his career, Gus has built a strong track record of delivering growth and innovation for leading technology and security companies such as Tripwire, McAfee, and 3Com.

The Guide to HIPAA Compliant Text Messaging

Posted on January 23, 2014 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve written regularly about the need to move to HIPAA compliant text messaging, because Texting (SMS) is NOT HIPAA Secure. To add to that, I recently wrote a post on EMR and EHR about Why Secure Text Messaging is Better than SMS. I throw out the whole “fear of HIPAA” component and paint a picture for why every organization should be moving to a secure text message solution instead of using SMS.

While I think a business case can be made for secure text messaging in healthcare over SMS without using HIPAA, the HIPAA implications are important as well. In fact, imprivata has put out The CIO’s Guide to HIPAA Compliant Text Messaging where they make a good case for why HIPAA compliant text messaging is important and how to get there.

The whitepaper suggests that you have to start with Policy, then choose a Product, and then put it into Practice. Sounds like pretty much every health IT project, no? However, the guide also offers a series of really great checklists that can help you make sure you’re covering all of your bases when it comes to implementing a secure text message strategy.

Of course, the biggest challenge to all of this is that everyone is so busy with MU stage 2 and ICD-10. However, when the HIPAA auditors come knocking, I wouldn’t want to be an organization without a secure text message solution. The best way to battle non-HIPAA compliant SMS messaging in your organization is to provide them an alternative.

Full Disclosure: I’m an adviser to HIPAA compliant messaging company docBeat.

Is Meaningful Use a Floor or Ceiling?

Posted on June 9, 2011 I Written By

I was witness to an interesting discussion earlier this week at the Wisconsin Technology Network’s Digital Healthcare Conference in Madison, Wis.: Is meaningful use a floor or a ceiling?

One panelist, Judy Murphy, VP of information services at Aurora Health Care in Milwaukee, said Stage 1 meaningful use has caused the health system to alter its own IT plans by activating a patient portal and moving more toward interoperability sooner than intended. “We wouldn’t have decided to give electronic copies of clinical summaries at discharge [without meaningful use],” Murphy said.

But Murphy believes it’s a floor for many of the criteria, such as the requirement that 30 percent of patients have at least one medication order entered electronically. “No one would go into an implementation shooting so low,” she said. As a member of the Health IT Policy Committee as well as the Meaningful Use Workgroup of the Health IT Policy Committee, Murphy actually had a hand in shaping the standards. (Remember, though, the original proposal called for 10 percent for hospitals and 80 percent for physicians. The final Stage 1 rule set the threshold at 30 percent for both.)

Gartner analyst Vi Shaffer offered a counterpoint. “Meaningful use is not the floor,” she said. “All the existing quality measures that have been out there so long should be considered the floor.” Shaffer expressed frustration that so many 12-year-old National Quality Forum performance measures still haven’t been met.

According to Shaffer, the idea behind meaningful use is to “lift people up,” particularly when it comes to safety-net providers like critical-access hospitals. Shaffer said policymakers didn’t want to see “oligopolies” in local markets because smaller providers were forced to merge with large health systems because of EHR requirements.

Session moderator Dr. Barry Chaiken, chief medical officer at Docs Network Imprivata, and a former HIMSS chair, said he believes health IT will raise the norm for all providers and “lock in” better behaviors, suggesting that in some ways, meaningful use could be a floor.

By holding the conference in Madison, WTN was able to land the publicity-shy Judy Faulkner, CEO of Epic Systems in nearby Verona, Wis. Faulker noted that Epic shows a simpler version of its core EHR in overseas markets because the company had to add some functions for regulation and liability purposes in the U.S.

While plenty of providers are viewing meaningful use as a ceiling right now–perhaps an unattainable one–Murphy believes acceptance will come rapidly. “I think in 2015, we’re gonna look and say, ‘How did we even have healthcare without computers?'” Murphy said. She then said she had heard that HCA would attest this year to meaningful use at all of its U.S. hospitals.

Being the occasionally motivated reporter that I am, I tweeted this statement, asking for verification. Wouldn’t you know, HCA replied with this tweet: “Nearly all HCA facilities should achieve requirements 4 Stage I this yr. An exciting, important step for high-performance hcare!”

So maybe meaningful use is not a floor or ceiling, but the new norm.

What are your thoughts?

CORRECTION, June 13: Chaiken’s one-year contract with Imprivata is over, so he’s no longer affiliated with that company.