In this special Speaker Series, Becker's Healthcare caught up with Gus Malezis, president and CEO of Imprivata.
Mr. Malezis will speak on two panels during the Becker's Hospital Review 4th Annual Health IT + Revenue Cycle Conference titled "Cyber and IT Security Today: The Best Approaches and Ideas," at 9:45 a.m. Thursday, Sept. 20 and "The Top Issues for CISOs Today," at 11:30 a.m. Thursday, Sept. 20. Learn more about the event and register to attend in Chicago.
Question: What sparked your interest in healthcare IT security?
Gus Malezis: Over the past 30 years of working in IT — in systems, networking and cybersecurity — the focus was to empower and enable customers for success in their strategic business initiatives. This is about being more than a supplier vendor: It’s offering true value to the customer. This focus on true value identifies strongly with healthcare, where technology can and does play a pivotal role beyond just efficiency and productivity, and can in fact deliver value to clinicians, patients and communities in the form of advancing care delivery and well-being. Said another way, for all of us at Imprivata, myself included, there is enormous satisfaction from helping our customers — clinicians and care delivery staff across the country and around the world — deliver a higher level and quality of service to people that need it.
Being more specific with technology, this focus extends to delivering a set of services that:
- are efficient, non-disruptive and ideally invisible to clinicians;
- enhance cybersecurity and prevent cyberattacks and malware disruption, and;
- respects privacy and delivers on compliance.
Q: How do hospitals' IT security challenges today differ from 10 years ago?
GM: In the past 10 years, with the advent of EMR systems and the focus on digital systems, data in healthcare has exploded in volume and significance to become a treasure trove of high-value information. All this is in an environment that has lagged a little — or substantially — behind in cybersecurity relative to other industries such as financial, government and retail. Hackers have recognized this weakness and that they can now access protected health information, personally identifiable information and payment card information in one stop. In the past 10 years, phishing emails with malicious links have become increasingly difficult for healthcare users to identify. Employees will often click on a malicious link believing it to be legitimate, and many of them will enter personal passwords or personal information once they’ve accessed that link. IT leaders can educate users, but they can’t expect all users in the healthcare enterprise to be technically aware of how to decipher a phishing attack. Compared to 10 years ago, it is now absolutely essential that hospitals put safety nets in place to safeguard users against these attacks.
The digital systems, data and connectivity aren’t going away, so the question becomes, how do you create an invisible security layer around patient data so as to (1) prevent or minimize exposure in the case of a security breach, (2) restore productivity in the case of systems disruption — like malware that encrypts and locks systems, servers and data — and (3) do so without encumbering or inconveniencing access for those that truly need that access?
Q: Physicians and front-line staff are often hesitant to implement solutions with additional steps, such as multifactor identification. What advice would you give a hospital CIO for obtaining physician buy-in?
GM: Hospital CIOs and health IT organizations can focus on clinician support by explaining the benefits of elevated security, ubiquitous access and convenience of clinical systems and data, while protecting valuable healthcare systems and data, and preserving clinical workflows. To deliver safe, effective and compliant patient care, providers are often required to authenticate clinical transactions such as medication ordering, witness medication wasting, computerized physician order entry and blood administration, among others. Of course, adding any layer of security introduces incremental steps and potential inefficiencies — at least that is often the perception — and that can frustrate providers and impede patient care.
The most effective solution will respect the clinician’s workflow and time investment, and implement technology designed at the factory to be efficient, return time, be invisible and require little to no training. The latest clinical technology transforms these authentication workflows by replacing passwords with fast, convenient methods such as the tap of a proximity badge, swipe of a fingerprint or smartphone-enabled hands-free authentication. These advanced solutions integrate with leading EMRs and other clinical applications and systems to give providers a seamless, fast and truly invisible in-process, or even continuous, authentication experience. They also create a robust security and audit trail for all transactions with PHI. This should reassure providers that they won’t get bogged down in workflows while ensuring appropriate levels of security. In this way, organizations can improve security and compliance while increasing provider satisfaction and allowing more time for patient care.
Q: What emerging IT security trends should hospital leaders keep an eye on?
GM: Among the many pressing issues of the day, one trend is garnering particular attention from healthcare IT leaders: trust. More specifically, establishing and maintaining trust in the ever-expanding healthcare technology ecosystem.
What does this mean exactly? Think about it this way: Imagine our world in five years, or even 10 years from now. What does that look like in terms of healthcare IT? For starters, we should have a system based on a highly-inclusive, highly-trusted, and complete PHI record. This EMR, it’s data and systems should be available from any one place, any location, via any device and be accessible at any time but only for those with the appropriate authorization to access and interact with it. It will be inclusive of all interactions a patient has had, with all relevant networks. It’s complete, it’s readily available — in real time, from any location — it’s trusted.
What do we need to achieve that level of trust? It starts with data integrity. When we look at an EMR, we must trust that the data provided is accurate and undisturbed — that it refers to the right person and that the data has gone through a chain of custody that ensures its integrity. That way, trust is preserved at the next levels of patient care. This includes the systems that support data integrity, most notably IT security.