Securing healthcare IT with Imprivata

Mark McArdle is Chief Products and Design Officer at IT security leader, Imprivata. The company has worked within healthcare for two decades. Its Imprivata OneSign, FairWarning and virtual smartcard solutions are helping to secure NHS hospitals across the UK.

Mark is himself an industry veteran, with a cybersecurity career stretching back to the early ‘90s.

Health Tech World got in touch with Mark to learn more about digital identity and how the pandemic has accelerated innovation.

You have an extensive cybersecurity background. What attracted you to Imprivata?

Imprivata’s success is down to the way it has immersed itself in understanding the challenges and opportunities around healthcare IT.

It’s not uncommon for cybersecurity improvements to come at the cost of end user success and user efficiency. But Imprivata has always been focused on enabling clinicians to spend more time with the patient.

The technology should be secure but out of the way. That’s a pretty special combination.

How does digital ID underpin all of this?

The way we interact with technology in the workplace has evolved. We no longer all show up to a fortress-like office that’s protected with a perimeter fence system. We’re interacting with technologies that are in the cloud.

We now have a highly mobile workforce moving from facility to facility. The old approach of building big firewalls to keep the bad stuff out and the good stuff in just doesn’t work anymore.

If you are requesting access to a sensitive resource or any service, I have to know that you are who you purport to be. Digital identity is the first foundational step in building that trust model.

Once you have high assurance that you are who you say you are, the next step is to ask, where are you connecting from? Do I trust that system? Has it been compromised in any way?

That trust model goes up depending on the type of asset you’re trying to access and determines what you’re allowed to do.

What is the impact of this fluid digital identity system on patients and frontline stuff?

Through Covid we saw a massive influx of new clinicians. We were graduating nursing and doctors classes early and we were moving clinicians into emergency departments and into intensive care units.

And along with all of that mobility came the need for every single clinician to have access to the tools they need to do that job.

If you’re at ICU today and paediatrics tomorrow, you’re going need access to different applications and technologies. And managing all those entitlements is incredibly complex.

Our focus is enabling digital identity and then eliminating the complexity to make workflows as efficient as we possibly can to ensure that the technology serves the clinician.

During Covid, shared mobile devices became much more commonplace. So instead of running back and forth with scribbled notes, you’re now standing bedside with an iPhone or an Android device interacting with the medical record systems online without interruption to patient care.

Our focus broadened from the traditional shared workstation to enabling that same simplicity of access and high security ‘tap-and-go’ kind of authentication on mobile devices.

We’ve seen a broad adoption of shared mobile devices happening in the UK. And it’s driven by improvements in patient care.

How is the use of connected devices and shared devices enabled by digital identity?

Shared devices bring new complexities. We have patient data that is very sensitive, that must be managed responsibly all the time. A device that is not single use has to be cleansed and then provisioned for a new clinician each time it’s returned.

We built in the capability to ensure that a device is quickly available. A clinician just walks up to a dock full of iPhones, taps their badge, and the best device at that moment is presented to that user and  provisioned specifically for them.

The clinician picks it up and for the rest of the shift is no longer fumbling around typing passwords.

We’ve integrated Imprivata OneSign tap-and-go capability so that the clinician just enters the pin at the beginning of the shift. And from that point on, all the passwords are linked to their credentials stored in OneSign.

That’s very similar to models like iCloud and LastPass, but tied to our single sign on product.

It must be frustrating for busy clinicians to have to sign in on different system all the time. It must eat into their work day.

Absolutely. There are so many benefits to eliminating that complexity. It immediately buys them back more time. Up to 40 minutes a shift can be eliminated with Imprivata OneSign. And that’s time that gets spent directly with patients.

We also have to recognise that our clinicians have been through the wars with Covid. We want to do what we can to ease the burden and eliminate some of the frustration. That is a high priority for a lot of CIOs and chief nursing information officers as well.

How do you see this evolving in the years to come?

It’s on a path to significant growth. We’re seeing deployment of tens of thousands of shared mobile devices in hospitals. And I think we’ll see more traditionally Windows-orientated technologies shift to a mobile application form factor.

The next step is managing digital identity.

It’s not uncommon for a clinician to move up through the ranks at a hospital over 20 years. They accumulate enormous credentials over that time.

But from a cybersecurity perspective, you should only have the entitlements you need to do the job and nothing more. Anything more is a risk because if your account is compromised, or you go rogue, you could do a lot of damage.

So this management of digital identity is a high priority now, because it leads to better efficiency.

When someone is starting, it’s vital that they have all the accounts and access that they need to do their job. And when they leave the organisation or retire, everything’s turned off. And there’s no straggler accounts that represent a potential cybersecurity threat either.

The final piece is making sure that the clinicians and patients are protected, because there’s sensitive information there. And part of that is assuring patients that their data is being secured.

Access to NHS Spine is supported by Imprivata OneSign and a virtual smartcard. How does this work in practice?

It’s essentially taken all of the power and security of the physical smart card and eliminated the physical complexities of needing a card reader.

This was really accelerated by Covid, where a lot of clinicians worked remotely.

The virtual smart card was a way to provide the same level of security and authentication, but liberating the use of that to wherever the clinician is and tying that same virtual smartcard capability with our tap-and-go model that the clinicians know and love.

Imprivata has evolved in recent years from being healthcare IT-focused to being a digital identity company for mission and life critical industries. What encouraged you to evolve the company in this way?

What we’ve learned over 20 years maps beautifully to other segments that aren’t life critical, but they’re mission critical. It could be the food supply chain, law enforcement, aviation…

All of these industries have a lot of use cases where people are walking around with a device that needs to be secure and needs to enable them to do their job without technology getting in the way.

What do you have coming up for the remainder of 2022?

We just completed an acquisition of SecureLink in Austin, Texas. Securelink has solved the outside problem, which has been a significant issue for healthcare.

Things like MRIs, X-ray machines and exotic expensive kit are managed by third parties and usually connect remotely. SecureLink is an elegant way to allow access in a controlled and monitored way.

Now we have the 360° view for privileged access management for third parties well as internally.

We also continue to invest heavily in our privacy monitoring and drug diversion products.

FairWarning is helping control an opioid crisis in the US and also providing a level of assurance for patients that responsible things are being done with their data.