Digital identity experts, Imprivata, recently joined us for the latest edition of HTN Now – to offer their expertise and experience in a webinar alongside Andy Kinnear, Partnership Director at Ethical Healthcare.
HTN spoke to Andy Wilcox, Imprivata’s Senior Product Marketing Manager, and Wes Wright, Chief Technology Officer (CTO) for the company, just before the live event – to find out even more about digital identity, as well as what else they’re currently working on.
Hi Andy and Wes, tell us about your roles at Imprivata
Andy: I’m the Senior Product Marketing Manager for International Markets. My role is really to work very closely with our customers to understand how our products are used, how they fit it into the market, what kind of activity they support, what kind of benefits they bring. And then to be able to relate that internally, to also be able to align our products beyond individual user requirements to things like national requirements, legislation, regulation and accreditation – and ensure that we’re positioning our solutions correctly in the market.
Wes: I’m the Chief Technology Officer. It’s two major roles, actually. [The first is] I try and take a look from the customer side. I try to maintain most of my customer relationships that I had when I was one of them and try to talk to them as much as possible, to try and discern where they’re going, what they need from an Imprivata perspective and using my background to anticipate what they’ll need – so, product strategic direction.
[The second part of the role is] corporate strategic direction – the digital identity framework. I spend quite a bit of time just talking with the customers to help our sales folks understand what resonates with our customers. It’s a very strong customer-facing role, which is kind of unique for a CTO position.
What projects are you working on at the moment?
Andy: One of the key things that Wes and I are quite involved with at the moment is our digital identity framework, which we introduced last year. We’ve been in the industry for what must be coming up to 20 years now – healthcare, IT security, identity and access management – and we’ve learnt a lot from the customers and partners we’ve worked with, about how important identity has always been but is also increasingly becoming within the technology space in general and in healthcare.
It’s about how we encapsulate all of these different areas that identity touches within an organisation and helping those organisations to view identity in a much more unified manner. And to be able to communicate and guide internally a direction that says, ‘identity is a fundamental part of what we do: for us to be successful with technology in the organisation, identity needs to be a lynchpin of that strategy’.
The framework is a kind of map to that, the guide to an organisation. So that’s one of the really critical things we’re working on at the moment. We’re working on a maturity model for it as well – rather than just being a framework you look at, it’s a tool to evaluate where you are in terms of how you look at identity within a particular category. And then use that as a driver to build a roadmap for addressing any of those challenges that exist, or any improvements to increase maturity. That’s probably the most important piece of work that I’m doing at the moment.
Wes: Andy and I actually are – from an international perspective – hand-in-glove on the digital identity framework. There are some other things outside of that – we’ve made a couple of acquisitions over the years. One of the things for me – using my background of 25 years on the health delivery side – is to figure out where those product integrations will bring the most value to our customers.
How will the digital identity framework help organisations?
Wes: It’s aimed at healthcare IT workers, for them to build a strategy or roadmap for their digital identity strategy. It’s one of those foundational things. The better digital identity strategy they have, the better and more efficient and IT-transparent the digital identity interactions will be for the clinicians. Really, it’s a building block to get to clinician satisfaction.
We like to call it ‘the lock and key to the front door’ of healthcare. The easier we can make opening that door for the clinician, the less burdensome it is to them and the more transparent. Hopefully it helps with the burnout problem we’re experiencing.
Andy: I would absolutely agree. Just drilling into the micro-detail of a clinician, think what the implications of access to multiple systems and devices are. We all acknowledge that we can’t just leave a computer open or an application open with confidential information accessible through it.
We have to provide some kind of barrier to that. The easiest and simplest way is a username and password – we’ve all grown up with that over the last 30 years or so. But that’s not feasible for a clinician who’s on the back of a 10-hour shift, who’s just trying to access a patient record, to record a prescription or add a note or some observations. Asking them to enter a 15-character password, which is a combination of uppercase and lowercase characters and numbers – there’s that human factor of frustration.
What you need to do is make sure clinicians can have access to the tools they need to give high-quality care, and with the right levels of information governance and information security but making it as seamless and efficient as possible. Having that broader strategy is about ensuring clinicians can come and deliver the highest possible care they can, which technology facilitates – but without any of the barriers to accessing it. [A digital identity framework] is the keys to the kingdom, in a way.
We worked with Royal Surrey NHS FT last year on a new project, where they wanted to give clinicians access to communicate on COVID wards with the team who were in the non-infection areas, using mobile devices. Imagine a clinician trying to log into a mobile device with a keypad and tiny text, while fully gowned up in PPE and masks. Being able to take a badge and tap on the device was fundamental. That’s what having a very forward-thinking view on identity gives you.
Another example was in Bolton NHS FT, where they wanted to deliver a shift from a paper-based observations process to an electronic one – and they wanted to deliver that on Samsung tablets. The clinicians said no because it was too clunky and disruptive. The only way they would do it was when we introduced the ability to tap their badge to access a device and then single sign-on to the applications. It’s key there that identity is actually an enabler to digitising processes that are perceived to be simpler in manual form.
Wes: By increasing your security you actually make the workflow easier for the clinician. That’s what Andy is talking about. By introducing the Imprivata tap-and-go solution, you’ve actually made it easier for the clinician and more secure. It’s a neat thing to be able to say, frankly.
Andy: I’ll give you an example of a hospital I went to – I won’t name names. We were shadowing a nurse and he was called away from his workstation to go and see a patient. To lock the workstation, he switched the monitor off. That was such a stark example of someone perceiving themselves to be secure. But actually, all he’d done was switch the monitor off, and someone could come along and switch it on and have full access to his account and ability to access the records.
It’s really important. Security is more than just a log in. It’s about behaviour, as much as anything. You’ve got to find ways to encourage good behaviour and not let people find workarounds or simple ways to address complex problems – like sellotaping passwords to the back of a keyboard. It’s about increasing security, but in a way that fits in with the environment you’re trying to deliver into.
What does Imprivata offer from a cyber-attack perspective?
Wes: From a single product perspective, our ‘confirm ID for remote access’ makes you re-verify your ID. If you looked at it from a single product, that’s the one that helps from a cyber-attack perspective. Anyone coming in from outside the organisation has a double authentication process.
But really, going back to the digital identity framework, at Imprivata we think that identity is actually the number one control nexus for everything that happens within the network.
It’s not just a piece or a product within your digital identity strategy that provides the defence for cyber security – it’s really the holistic solution. There are probably about 20 different products you could buy standalone and cobble together a digital identity strategy, but then you’re looking at 20 different places trying to find something that’s anomalous. When you have a unified system that talks throughout that spectrum of digital identity, it’s easier to find anomalous behaviour.
We think that digital identity is the primary methodology from which you can defeat some of the cyber-attacks that are going on. But it has to be done properly. That’s why we developed the framework. If done in this manner, it provides that cyber defence without interfering with those clinical workloads. That’s Imprivata’s contribution.
Andy: The human factor – removing the need to remember passwords or removing the need for clinicians to use passwords all the time means you can implement things like stronger password security. We have multi-factor authentication solutions which can give you that ‘two-factors to access’ levels of security. Moving people away from generic accounts, simple passwords and poor behaviour is a critical element. That’s where the framework is crucial – in helping organisations to instil good behaviour.
Do the same ideas apply for ‘insider threat’?
Andy: I’ve been working with a trust in the UK very recently and this exact topic has come up. They were talking about changing culture internally and they used one of our recent acquisitions – a product called FairWarning – which looks at privacy protection intelligence and record access.
That’s not going to solve insider threat directly – it will give you the warnings and indicators but to some degree that may be closing the stable door after the horse has bolted. What you need to do with that is use it as a tool to help change behaviour. Having a tool that says, ‘look if you do something that you shouldn’t, we are going to pick you up, so let’s get to a place where everyone behaves correctly and understands this is private information you shouldn’t be accessing unless you have a legitimate reason’. That takes time to instil. Once staff knew there were tools in place to pick it up, they were actually proactively phoning the IT team up and saying, ‘we accessed this record, this was the reason’.
Wes: One of the sayings we have is that wherever there’s a digital identity event in healthcare, we’ll be there. We think we can make that event less intrusive to the clinical practice. We want to get a 360-degree view of what’s happening. Bringing FairWarning in [meant] all of a sudden, we got visibility of what’s happening with that digital ID – from access to authentication, to what you access inside of that record. We think that is a super powerful story around that insider threat. When folks know you can see everything, then they behave more properly.
Do you expect remote healthcare delivery to continue?
Andy: From the NHS we’ve seen some real benefits to delivering care remotely. Are we delivering the best possible care for patients? If the answer to that – through a blended working environment or service delivery – is yes, then we should absolutely continue to support and deliver it. If at any point the answer to that is maybe or no, then we need to question whether we’re doing it correctly.
Wes: That huge shift to telehealth – I hope we’ll continue to see that. I think there’s a lot of healthcare that can, and frankly, sometimes should be delivered via virtual methodologies. From a work from home perspective, I’ve been a huge proponent for many years. I think that is something that is going to be here to stay.
If there’s a silver-lining from the pandemic, they’re the two that I would call out – the absolute increase in virtual care and the demonstration that working from home you can still be as, if not more, productive.
What else is coming up for Imprivata in the next few months?
Wes: We’re really excited about the digital identity framework and how that can help our customers. And at getting the word out that digital identity shouldn’t be a point solution – that you buy pieces and parts from different vendors and then try to cobble it together yourself. With the pandemic, our customers have seen where digital identity has helped them and where digital identity has gotten in the way of their care for patients.
Andy: On an operational tactical level, we’ve got some exciting stuff coming up with Microsoft. We’re shortly going to be making our solutions available in the Azure Marketplace. We’re excited that FairWarning is coming to our fold and that’s going to be a key solution under the Imprivata banner for the rest of this year.
We’re also doing a really exciting project with Bolton NHS FT around our solution called Identity Governance. It’s a solution that manages the Joiner-Mover-Leaver process, which is a key challenge for the NHS.
What about government funding for Single Sign On Implementations – is there a business case for organisations?
Andy: Absolutely. It was announced before the pandemic and it got forgotten about a little bit. The point Matt Hancock raised at the time about why the funding was being brought forward, the challenges and problems it was there to address haven’t gone away. When you think about the pressure the health service has been under in the past 12 months, we need to be finding ways to make things easier for our clinicians to deliver care. And we need to be removing barriers, so there’s absolutely a prime business case for this.
Find out more about the digital identity framework at imprivata.co.uk.