To say that it’s a difficult time to be a clinician is putting it mildly. Between patient surges, PPE shortages, and long hours logged, burnout levels are higher than ever. At the same time, cybercrime has increased significantly, which means physicians and nurses now must contend with added security measures.
It’s enough to push anyone to the brink, said Sean Kelly, MD, Chief Medical Officer of Imprivata. “As a clinician, you’re typically already three or four problems deep. To knock them off their thought process and block them out due to security reasons is unacceptable.”
Kelly, who is also an emergency medicine physician at Beth Israel Lahey, recognizes that health systems face a conundrum in having to protect patient data without making the clinician’s job more difficult. However, he also believes that the two don’t have to be mutually exclusive.
“When it comes to usability versus security, you shouldn’t have to sacrifice one for the other,” he noted. Creating a system that safeguards data while enabling providers to focus on the patient “is key.”
During a recent panel discussion, Kelly and CISOs Steve Dunkle (Geisinger Health System), Mitch Parker (Indiana University Health) and Art Ream (Cambridge Health Alliance) discussed the challenges their teams face, and how they’re working to overcome them.
According to the panelists, the first step is recognizing how detrimental even a small disruption can be when it comes to patient care. “When you have a delay, even for a second, that’s one second more than your customer is going to tolerate — especially in an emergency room,” said Parker, who has been through timing tests with physicians. “If you’re adding seconds, it’s not a viable solution. Period.”
Dunkle agreed, adding that CISOs and other leaders need to be respectful of clinicians’ workflows, and recognize the frustration that comes with having to reset a password during a critical moment. “We need to be sensitive to that,” he noted.
One way to do that, according to Ream, is through “doctor walks,” where members of the security and systems groups round through different facilities and witness how transitions affect clinicians’ workflows. “I try to advocate to our tech services group to get on the floors, or stop in at the nurse’s station just to talk.” Once a relationship has been established, it will be easier to test technologies in a real-world setting, and get an accurate assessment. “When you get in those busy areas where things move faster, they’re more receptive to tell you what works and what doesn’t, even if it disrupts their day a little.”
The other key advantage to rounding? It can alert security teams to problems they otherwise wouldn’t have known about, such as malfunctioning equipment. CISOs can’t expect users to stop what they’re doing and call the help desk. “They don’t have time to do that. They’ve already moved on to something else.”
Another thing busy clinicians don’t have time — or any desire — to do is click around searching for passwords, said Kelly. “We don’t want to be doing clerical work. We want to spend our time caring for patients.” An example is Imprivata’s OneSign, which uses a ‘tap-and-go’ approach to authenticate and authorize access. With this technology, physicians and nurses can tap a badge and be logged in automatically, rather than having to dig up a password or even deal with biometrics. “We walk in, and right away, the care process has started. There’s a connection, and human contact,” he added. “Let the technology work for you, instead of against you.”
And although having that type of secure authentication is critical within the hospital, it’s become just as important in the remote setting, particularly during the past nine months.
Confirm ID, a component of Imprivata’s digital identity framework, enables organizations to centralize access and multifactor authentication across the enterprise, and improve security and compliance for the workforce that was sent home in droves.
“The biggest advantage to multi-factor authentication has been with the shift to remote access,” said Parker. “Securing that is paramount, especially with the huge amount of phishing emails and spear phishing attacks physicians receive.”
At Indiana University Health, a sizeable portion of clinicians are working — and even seeing patients — from home. For CISOs and other leaders, it’s absolutely critical to secure that flow and have a solid mechanism in place to protect against breaches. “They’re going to happen; it’s inevitable. You need a good process to make sure people are who they say they are, so that they can continue to log in and do their jobs with minimal interference.”
Another key advantage with this type of defense strategy? The ability to identify upfront, rather than “hitting someone with multiple password reentries every 15 minutes,” said Dunkle. “To me, that doesn’t make sense.” What does make sense is verifying identity in the most efficient way — especially given the fact that most users have become accustomed to using two-factor authentication for online banking.
In that way, consumerism has paved the way for healthcare, according to Kelly. “It has conditioned the market,” which means leaders don’t have to spend as much time explaining the why to clinicians. Instead, “you can spend time actually making it better.”
Fortunately, there are a number of ways leaders can do just that, according to the panelists, who shared the best practices for leveraging authentication solutions to improve security and user satisfaction.
- Be present. One of the most important aspects, according to Parker, is consistent communication. “You need to make sure you’re always there to answer questions, and that you’re consistent and clear in how you communicate with your physician community.”
- Listen. The best way to understand the challenges users face is by listening, noted Dunkle, which can go a long way toward building a stronger relationship. At Geisinger, his team makes it a point to sit down with clinicians at a convenient time (usually during the evening, “when things are winding down”) and talk through scenarios that cause frustration, which can help both sides gain valuable perspectives. For providers, “it becomes clear that some of the changes they want aren’t that easy,” he said. “You can’t just remove a password without cascading effect, because we’re an integrated system. Talking that through can help considerably.”
- Transparency matters. Rather than trying to shield physicians and nurses from the complexities of cybersecurity requirements, Kelly advised being fully transparent. “We get it. We deal with it all the time. That’s part of our burnout and frustration.” Whether it’s HIPAA, DEA regulations, or any compliance issue, it’s important for CISOs to present the facts to providers in a way that they understand. “It’s important to lay it all out and say, ‘you need to be credentialed properly, you need to have two factors, and there needs to be an audit trail. That’s the bad news. The good news is we’re doing our best to make it as easy as possible.’” And it doesn’t stop there. “Ask them, ‘What’s your opinion? How can I help?’ It takes 30 seconds, and it can make a big difference.”
By having difficult conversations, leaders can get to the root of the problem and start to fix it. But it begins with being honest and vulnerable, according to Kelly. “We understand that certain things are in your control and certain things are not. You just have to explain it to us that way.”
Of course, it’s not enough to talk the talk; CISOs need to walk the walk — literally. “If you want to establish credibility, you can’t just go to physicians when there’s a problem or when you’re trying to force something on them,” Kelly added. “Walk the floors with them when you don’t have to, and fix the problems you can fix. That way, they become your allies. It’s building that credibility, it’s listening, and it’s affecting everything you possibly can to make their jobs easier.”
To view the archive of this webinar — Analyzing Multifactor Authentication as a Solution to Your Security Challenges (Sponsored by Imprivata) — please click here.