Health Tech

Why Traditional Cybersecurity is Failing Healthcare

By Dr. Sean Kelly, Chief Medical Officer at Imprivata

Put yourself in my shoes… a Code Stroke patient arrives in our busy ER. Time is of the essence. We need to rapidly diagnose and treat the patient to prevent long-term paralysis or even death. But nothing happens until we can access their health records, review the relevant data, order a CT scan, consult our colleagues, and initiate treatment. And none of that can happen at all because our hospital has put in a new enhanced password policy. As well they should. Keeping protected health information (PHI) private and secure is of utmost concern in healthcare…but more on that later.

Right now, there’s a patient in need and I’ve fat-fingered my “17 character, must include a number and a special character, that can’t have repeating characters or be similar to any prior passwords, and changes every four months” password. Which happens a lot, obviously. Or I’ve forgotten it. And now I’m locked out of the system. No CT scans. No life-saving drugs. Unless I use a colleague’s password to get in... What to do?

The battle between security and usability has long been a problem in healthcare. The workflow is extremely complex, with hundreds of users in different roles, often using shared workstations that become as busy as hummingbird feeders. Fast user switching is integral to the workflow, as clinicians must access a dizzying array of health records and applications during a shift.

Long, complex passwords may seem secure, but they result in an inordinate amount of wasted time, frustration, delays in care, and staff burnout. And with so many passwords that are difficult to remember, many users have to write them down or store them on a device, which leaves them vulnerable to a breach anyhow.

This isn’t an uncommon predicament for healthcare workers: either spend more time logging into the EHR, or work around the process to get quicker access. Technology was meant to enable healthcare, yet in many respects it has become a hindrance. So, what can we do? Security can’t be ignored.

The stakes are higher in healthcare

A cybersecurity breach could take down an entire network, sending a delicate workflow into chaos and putting patients and PHI in a dangerous situation. A recent survey found that 32% of healthcare delivery organizations (HDOs) reported they had to divert patients to alternative healthcare facilities after a cyberattack, with 31% experiencing delayed procedures that resulted in poor patient outcomes. The volume and frequency of healthcare data breaches have nearly doubled in the last three years, making it clear that HDOs need to change their approach. The stakes are higher for healthcare, and the industry cannot afford to ignore this problem.

But what if we didn’t have to choose between security and compliance on one hand, and usability and efficiency on the other? What if we could get more of both by giving up traditional complex passwords and perimeter security? Instead, HDOs should implement a digital identity strategy to improve patient care and balance efficiency with security. As budgetary challenges plague the industry, investing in resilient solutions is critical.

The digital identity solution

Because digital identity focuses on securing the user and their credentials rather than the perimeter, it enables frictionless authentication, leveraging technology like proximity cards, secure Bluetooth Low Energy, or biometric modalities like fingerprints, palm veins or facial recognition. When utilized for passwordless single sign-on, clinicians see reduced logins. This enables security and compliance while improving clinical productivity and patient care. This is a win-win-win for the clinician, the patient, and the IT security team.

“We hire thousands of people every year,” said Cletis Earle, CIO of Penn State Health. “If you consider the fully burdened cost of an employee, assume each employee loses a couple hours of productivity per day during their first couple weeks on the job, and do the math, the lost productivity costs are substantial.” With over 15 minutes spent logging into the EHR per patient, this is time that no clinician can afford to lose. The cost savings, reduced risk, and improved clinician quality of life are substantial with this approach.

Enabling the future of healthcare

Traditional security causes workarounds that introduce risk and slow down patient care. It’s time for healthcare to modernize its IT strategy. Digital identity is becoming more widely adopted across the industry and should be viewed as the key to protecting medical information, ensuring proper access, and optimizing efficiency.

As healthcare organizations confront budgetary challenges and cyber threats in the year ahead, it’s important to consider the long-term benefits of identity-centered security. Ensuring future tools are helpful requires them to be accessible. Trust me, the next time you or a loved one ends up in the ER, you will want the clinical staff to have safe, secure, and efficient access to your records. Digital identity is the key to this success.



Author: Dr. Sean Kelly, Chief Medical Officer and SVP Customer Strategy, Healthcare

Bio: Dr. Sean Kelly is the Chief Medical Officer (CMO) and Sr. VP of Customer Strategy for Healthcare at Imprivata, where he leads the company’s Clinical Workflow team and advises on the clinical practice of healthcare IT security.

The editorial staff had no role in this post's creation.