We recently spoke with Andrew Harrison, principal product manager, international, at Imprivata about the future of EPRs. Andrew shared some key examples of best practices and gave his own insights into secure access for clinicians.
Balancing security and usability in EPR adoption
To kick things off, Andrew gave an overview of the current pressures being faced by healthcare organisations, outlining how they are “under constant pressure to drive digital transformation and ensure the technology being used is efficient and helps hospitals deliver effective patient care”. Elaborating on this, he noted how a lot of this pressure centres on “optimising for user productivity and maximising for security”, which he added needs to be done “quickly and consistently, often with very few resources”.
Andrew shared his thoughts on “balancing the scales” or helping clinicians be as productive as possible without compromising on security. “Seamless user access to EPRs is the panacea, and from experience, it has a huge impact on adoption, which in turn helps hospitals maximise their investment and reduce the cyber risk from insecure working practices,” he said, before highlighting that security threats can come from both internal and external sources.
Delving deeper into security, Andrew also noted how “medical devices don’t evolve very quickly because they are very highly regulated. So, the technologies that reside on these devices aren’t always up to date and hackers from the outside world know that”. This means that keeping these devices secure is even more important, and a key reason that any security procedure or workflow needs to be as easy and transparent to the clinician as possible. Because if it isn’t, they will simply find a workaround in order to get the information they need, so that they can treat their patient.
Effective strategies for faster and more positive user adoption
When asked about which strategies have proven most effective when driving fast user adoption, Andrew outlined that the key thing to do is “make it easy”. He elaborated, “a clinician’s job is to help people and patients get better, not to interact with technology. That’s just a byproduct of what we need them to do.” This is why Imprivata’s portfolio of products are primarily focused on access, Andrew noted, “whether that be access to a medical device or access to a mobile device or access to a traditional workstation”.
The importance of fast, secure access to the EPR and other clinical systems can’t be emphasised enough. Global findings from KLAS Research (as part of their Arch Collaborative programme), shows that the functionality of the EPR is only part of the equation when it comes to providing a good user experience, i.e. keeping clinicians and frontline healthcare providers happy. Other elements include simplicity, usability, performance and security. Focusing on the clinicians’ whole experience of their EPR system, the research classifies EPRs by clinician satisfaction, and interestingly the same EPRs are listed with both good and poor clinician experiences. This confirms that simply providing powerful systems isn’t enough, they need to be easy to use too, otherwise they are just a distraction.
This is where solutions that provide fast, secure access, ideally with just a badge tap, make a huge difference. For example, at Surrey and Sussex Healthcare NHS Trust providing almost instant access to shared mobile devices has enabled the trust to repurpose mobile devices for taking images of wound care (amongst other uses), which can then be instantly uploaded to the EPR for other authorised users to see. This has transformed workflows on shared devices to support care pathways, and has led to enthusiastic user adoption, and increased compliance.
Why fast, frictionless authentication matters for EPR adoption
Andrew explained how Spine access products have evolved in recent years. Typically, without a single sign-on (SSO) solution, logon takes 10 to 20 seconds—and at worst this can be minutes.
These days, trusts are able to tackle these timing issues with the use of smartcards, which connects clinicians to the Spine almost instantly.
However, smartcards are not without their own issues, namely that they “don’t really stack up in today’s world where people use many Apple iOS and other devices, whereas NHS smartcards really only work on Windows. To capitalise on the power of mobile devices for bringing information to the bedside, trusts want to move to EPRs that support all sorts of mobile devices, and a smartcard really isn’t the answer anymore”. Andrew noted progress made in this area to improve technology based on modern standards, highlighting the new version of the NHS Spine’s Identity Service, CIS2 as an example, as it now supports multiple authentication options instead of just Windows.
However, he did also recognise that introducing new systems and different versions of the same system can cause some problems as “clinicians are having to unlearn 15 years of Spine access behaviour”. This has led to Imprivata, along with other technology vendors, working with NHS England, and multiple Government agencies across Europe to develop new solutions for accessing national systems that balance the requirements of clinicians that need to access both local and national systems.
Implementing user feedback to improve access
Next, Andrew shared his experiences of involving clinicians in digital transformation projects and how this drives user adoption and success. He said that “sometimes if you show people the light, you get a tsunami of requests,” and how this is especially true when conducting phased rollouts, which enables the project team to take account of the nuances in different care settings and adjust the solution accordingly. Andrew talked about how this can create a “whisper effect” where people have liked what’s going on in other wards and departments and want to use the solution too because “it makes their day much easier”. He went on to explain how the industry is moving away from usernames and passwords, meaning that “clinicians are now being asked to deal with lots of apps and tokens to access different systems”, which is why organisations tend to look for a “convenient authentication experience that spans across all devices, especially shared devices”. Again, this is the approach that delivered such great success at Surrey and Sussex.
Evolving to support mobile-first EPRs
When asked about what the future of EPRs might look like, Andrew said that a “single source of information is needed for clinicians to facilitate great and effective patient care”. He noted how this should be “instantly accessible on any device that a clinician may use” and how this would align with Imprivata’s overall mission “to make that access ubiquitous everywhere”. Andrew emphasised how important it is “to provide a quick and convenient way of accessing patient information, no matter where you are and no matter what device you’re using”.
Andrew pointed out that one key problem is that “all the big authentication system providers tend to apply the same lens to healthcare as they do to office workers, where they’re designed for one user with one device at one desk. But doctors and nurses don’t work like that because they share devices”. As such “these authenticators don’t really fit the bill for healthcare”, to which Andrew suggested that hospitals need to “think about if the solution works on mobile devices, medical devices and all of the other pieces that are unique to the healthcare industry”.
By focusing on holistic identity and access management for all users, including vendors and privileged users, trusts also maintain organisational security. For example, privileged access management solutions allow IT administrators to do their jobs, which often require accessing privileged or sensitive information, “without having access to passwords for all of the special systems and network servers” within the organisation.
He outlined how it is also possible to “provide a way to give third parties secure and controlled access to the resources they need and nothing else”, which helps to prevent any security breaches. This is increasingly important as recent research by the Ponemon Institute on The state of third-party access in cybersecurity, reveals the scale of the problem facing healthcare when it comes to managing access to clinical systems. The research found that 51% of UK organisations have experienced a data breach or cyberattack over the past 12 months that involved a third-party accessing their network.
The Synnovis breach in 2024, demonstrates just how serious the consequences can be with reportedly over 6,000 appointments and procedures cancelled in the UK in just five weeks.
Using tools such as vendor privileged access management, “trusts can see exactly what each vendor-user is doing” for increased security, which Andrew sees as being essential for the future of system access.
When looking at the future of access for England in particular, Andrew highlighted the unique duality of each clinician having two identities. Many hospitals have different procedures for accessing local systems and national systems (i.e. the NHS Spine). This means that clinicians have two sets of credentials to remember and manage. This all adds additional stress to their day when they really just want to focus on their patient.
Because of this, Imprivata has been concentrating on “converging these dual identities so that clinicians have access to both local and national systems all in one go”.
The final thing Andrew noted was the trend towards ‘optimising’ mobile deployments to gain maximum return on investment, as well as to get the most value from mobile devices. “While a couple of years ago, Trusts were talking about plans to deploy mobile devices, now we are hearing far more about how they can take the next step to optimise and extend their use of mobile.”
Imprivata’s own research in collaboration with Dr. George Gellert, MD, MPH, MPA, a public health physician and epidemiologist, found that use of mobile devices while promising is not without risk and challenges. In his paper, The Love-Hate State of Mobile Device Management in Healthcare, Dr. Gellert discusses the reality of using mobile devices, highlighting that to maximise return and value, it is essential that they are optimised for both security and efficiency.
We’d like to thank Andrew for sharing his keen insights into EPRs and how the use of shared mobile devices is a key trend in enabling clinicians to deliver the best possible care.
For more information on Imprivata join their bite-size webinar series running Tuesdays and Thursdays at 14.00 – 14.30 GMT.
