The recent Ponemon Institute benchmark study on patient data privacy and security practices sheds some much-needed light on the practice of data protection within our nation’s hospitals. According to the study, today’s hospitals have little confidence in their ability to secure patient records, revealing just how vulnerable they are to data breaches – a concern for all patients. Highlighted are some of the key findings...…

The HITECH Act, HIPAA, as well as mandates from State regulations (e.g. Massachusetts 201 CMR 17.00), are raising the minimal requirements that organizations such as healthcare-covered entities and business associates must implement to prevent unauthorized access. Further, the Connecticut Attorney General’s lawsuit against Health Net of Connecticut for failing to secure approximately 446,000 enrollees’ Protected Health Information (PHI), and to notify State authorities and enrollees of a security breach, is a reminder that breaches are not just a risk to information, but a risk to the organization.…

I read a good article on FierceEMR recently surrounding a PricewaterhouseCoopers survey on electronic medical records (EMRs) that indicated that the secondary use of this information may be an organization’s greatest asset over the next five years. An overwhelming 76 percent of respondents agreed, and pointed to the abilities for mined data to decrease healthcare costs, predict public health trends and improve patient care. EMRs, with vendors such as Allscripts, NextGen and QuadraMed blazing the trail, have been a huge focal point of healthcare payers and providers, pharmaceutical companies and the general public with healthcare reform a primary platform of the Administration.…

I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned, but illegally accessed computer systems to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an every growing litany of tales of breaches that we’ve hearing about.…

I was recently asked to comment on the future of biometrics so I wanted to share my thoughts here after distilling them down into four buckets... What's Next in Adoption, What's Next in the Tech, What's Next in the Enterprise, and What's Next in Consolidation.…

After the recent 2008 HIMSS Conference, we conducted a survey of 171 healthcare IT decision makers to identify some of the trends they face relating to identity management. I wanted to call out a few interesting data points...…

On Wednesday, November 10th at 1:00 PM EST, I am fortunate to host Kristi Roose, IT director at Mahaska Health Partnership on a webinar where Kristi will share her insights on how to successfully deploy an EMR and help satisfy the requirements of meaningful use and the privacy and security standards embedded in the HITECH Act.…

Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows. For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective. Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow. If change makes people’s lives easier, it’s easier for them to embrace. It doesn’t need to be an either/or argument.…

I just left the annual Cerner Health Conference in Kansas City, where clinical and technical users of Cerner software gather to share ideas, best practices and technology solutions that are molding the future of healthcare.…

The National Institute of Standards and Technology (NIST) recently put out a draft “Guide to Enterprise Password Management” for public comment for feedback and improvement. While it gives a lesson in password management history, it doesn’t quite break new grounds on prescriptive opinion. Dave Kearns provided useful analysis of the NIST paper in his recent Managing Passwordsarticle on Network World, and a couple of nuggets of wisdom jumped out at me:…

Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries and with good reason-HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that behind the scenes, one would naturally have to assume that the majority of healthcare organizations are being driven by the worry of the potential penalties that might be levied on them by the Department of Health & Human Services (HHS) for their failure to fully comply with HIPAA...…

I work in the field for Imprivata, working with customers day in, day out. And the single most heard question I get relating to our products is: 'which authentication technology should I use'. Fingerprint? Yeah that's good, I will never forget my finger, right? Or a prox card? Even better, because I can use that to open doors, pay at the lunch cashier, and so forth. Nah - maybe a smartcard is better. Or a one-time-password token. Or ... Of all of the suggestions I made above, none of them is ideal. All of them have pros and cons, and really, all of them have very different characteristics. In my mind, there are three/four things to ask yourself when choosing an authentication technique...…

VMworld 2010 in San Francisco this week was an amazing event, with more than 17,000 attendees converging on the Moscone Center to share innovations, ideas and experiences with virtualization technologies. While the healthcare industry was well-represented at the event, we were excited by the variety of conversations with people from other industries such as credit unions, retailers and life sciences. People at the event showed both an enjoyment for sharing their use of virtual environments with their hunger for new innovations to improve the experience. Some key themes that seemed to trend across the event included...…

While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect: 17.05: Compliance Deadline (1)Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.…

This week I had a chance to talk with Network World’s director of programming Keith Shaw about the various ways that employees breach data security – both intentionally and inadvertently. The podcast interview captures a number of ways that employees breach enterprise security, whether by accident or with malicious intent. Here are some of the highlights...…

HIMSS is right around the corner. It's one of our favorite conferences of the year, as we get to see many of our healthcare customers all in one place. As I mentioned in my last post, if you're attending the conference this year, please plan to stop by our booth (#7339) and say hello, or check out the presentations by Imprivata's customers. OhioHealth and Southwest Washington Medical Center will be discussing the ‘Paperless Hospital' and ‘HIPAA Audits' respectively. With all the focus on healthcare now, what trends am I going to be looking for at HIMSS this year? Here are a few topics that our customers have shared with us:…

Physical logical security convergence has garnered increased attention over the past year, and we've had countless conversations with both IT departments and physical security teams about the people, process and technology issues that come with the territory. Integrating teams and policy, not just the technology, needs to be well thought out. Increasingly, the path of our conversations with prospects and customers interested in converging physical and logical access focuses on where to start that type of project.…

Next week, Tuesday 27th of May, we will be speaking at the ICT & Healthcare seminar in Ede, the Netherlands. Topic of our discussions will be clear and simple: how can we restore the 'Identity balance'. With this topic, we aim to explore how customers and partners can work with healthcare organisations to strike the right balance between...…

Catching up on some reading after a few weeks on the road, most notably at VMworld 2010, I read Joseph Goedert’s Health Data Management article on the Privacy and Security Tiger Team’s recommendations for privacy issues that were sent to The Office of the National Coordinator for Health Information Technology (ONC). The core recommendations focus on how to empower patient consent and how to ensure appropriate use and exchange of personal health information (PHI) by care givers and business associates – all in the name of good data stewardship – as ONC encourages adoption of healthcare IT.…

This year’s HIMSS was quite an active conference, with healthcare IT a national focal point with new legislation and stimulus funding being funneled into reform and modernization initiatives. To kickoff the conference, Imprivata chief medical officer, Dr. Barry Chaiken, who is the current chair of HIMSS highlighted the need for healthcare IT solutions to drive positive industry change. Here are some pull-outs from an InformationWeek blog covering the event that capture the sentiment well...…