Omar Hussain is president and CEO of Imprivata.
Tell me about yourself and about Imprivata.
I’ve been in the software business since 1985. I was introduced to Imprivata by the investors in 2002 when they were looking at it as a company to invest in. I met up with the founder, David Ting, and have since then had the fortunate privilege of being with Imprivata as we’ve grown the company and the business.
I’ve done a bunch of tech jobs: CTO, CEO, marketing, including all the usual career paths that you have.
UPDATE: in reviewing the recording, I found that I cut Omar off before he described Imprivata’s business. Just to clarify, the company offers user access solutions that include single sign-on, authentication, virtual session security, and privacy auditing tools.
The company is in markets other than healthcare, correct?
About 65-70% of our business is healthcare. We have financial services and public sector. Public sector covers everything from police departments to parole boards to departments of transportation, etc.
How was the HIMSS conference for the company?
It went very well. It was a great conference.
I thought it was good for us. In the last year, we’ve set up a healthcare division that really started to focus on healthcare as an industry for us. It’s good to now reach that stage where you have enough size and enough presence and enough customers that it’s a real show. You’re not just floundering around trying to meet with everybody. People like to come and meet with you, so that’s good.
CPOE utilization in hospitals is really low. How much of that relates to convenient physical access to systems?
Probably the number one problematic issue is physician convenience. If you think about it, this industry was paper based 10 years ago. Now, whether it’s in the US, UK, Benelux, or France, everybody globally is moving toward some kind of electronic record system. Because of patient privacy and patient safety concerns, there are all these government regulations around access controls.
Those access controls add minutes to a basic interaction that takes very little time. I joke about it, but if a physician or a clinician is spending two minutes logging in, logging off, and doing all the various things they need to do to access the records and they’re only spending eight minutes with the patient, that’s a lot of time as a percentage.
I think that’s where the big difference comes in. People have been so used to just signing a prescription using pen and paper, and in some cases not signing it … a nurse can sign it, you know?
People always think that clinician workflow is driven mostly by the applications that they use and how those applications are designed. What you’re saying is that how they log in and interact with those applications is equally important?
I don’t come from healthcare. I had to come from different technology companies that have been in different industries. The one thing you notice is that when we talk about workflow in any other industry, the user or the employee is constant and the work moves around them in the supply chain. Here, the user or the doctor is the one who walks, who changes around, and the service they provide stays constant. The workflow is very, very unique in healthcare.
I think when you look at what physicians are trying to do, missions are focused on the ultimate result — improving patient care as an outcome. Everything else is either an encumbrance or part of the problem, not part of the solution. Systems that can alleviate those encumbrances, make things smoother and easier, and streamline them have a lot of value to physicians.
It seems as though mobile device growth has changed the physician tolerance level. Do you see that having access to iPads or iPhones and using applications on the fly is changing the expectation for readily available applications that aren’t inconvenient to use?
Absolutely. The net of it is that they provide benefit to the physician. Any technology, particularly when it comes to certain markets or certain temperaments of users — if they can get benefit out of it, then they’re going to use it a lot more.
The benefit of a mobile device like the iPad or any other tablet or a mobile phone is that if you need to really access some information, now you can get some basic patient vitals, basic patient record information without having to go find a computer, dial in, log in. Hugely convenient. That’s why the adoption is going up, that it’s accessible the way they want it, when they want it.
One of the reasons our customers like what we do is … great, you have stronger security or you have better security, but it’s not security they’re buying. They’re buying the fact that nobody has to remember a password. It’s all automated. They can log in and move from one terminal to another terminal.
The doctor doesn’t care about security one iota. In healthcare, the structure is very different. There’s God, there’s the doctor, there’s the patient, then there’s physicians, then there’s the human race, then there’s IT. At the end of the day, all the doctors care about is taking care of the patient.
I’m telling you, nobody has ever bought our system because it’s secure. They’re buying it because it makes their life easy, they don’t have to remember the passwords, they don’t have to log in multiple times, they go from one workstation to another workstation and the session is still hot and live, they don’t have to find the patient again. That’s why they buy it.
I wanted to ask you about the OneSign Anywhere product. Describe how that works, especially the mobile device part of it.
Essentially, it’s the same thing as what we provide on a desktop or on a COW or on a workstation, but it’s from a kiosk environment or a mobile workplace. If you have an iPad, another mobile device, or a monitor sitting somewhere and you’re on vacation and you want to go access information, you can authenticate, you can get in, and you don’t have to know your user names and passwords and all the access is provided.
It’s basically fulfilling our vision to provide streamlined, simplified access securely from anywhere and from any device. Another step in that direction. It’s taking inside-the-firewall or inside-the-building access to outside. You’re just eliminating the need to go through VPNs and log-ons and all that. Minimize clicks — that’s the secret to success.
What are your thoughts about biometrics?
Biometrics is an interesting technology … works in some cases, doesn’t work in other cases. If it fits the needs of what people want to do, then it’s got high value. If it’s for additive security, well, the hospital is not the Department of Defense. They don’t really care.
A lot of our customers who use biometrics actually use the identification capability where they don’t even have to type a user name in. They just put their finger down and it recognizes who you are. It’s interesting. When we first started rolling it out, we thought people wanted authentication. No, no, no — they want the least, the easiest, the simplest way to access information and yet comply with all the regulations and be able to say it was secure and protected and traceable.
With the new requirements under HITECH to raise the bar of knowing who’s on the system, are you seeing higher demand for products like yours? There have been several recent cases where privacy was breached because of a technical flaw of having a user walk away from a logged-in session.
What I think is naturally happening is just the evolution of the market. HITECH is just one of many mechanisms because we see this globally. We have customers all over the world and we see this. Wherever EMR adoption starts to take off, there is some level of regulation that says you got to know who accessed what information, who could have access to it, who saw it, who did what, who monitored it.
You have to be able to have some level of protection around that. That’s just basic, whether it’s financial information, whether it’s health information … it doesn’t matter. Banks have been deploying this for years. It’s just that in healthcare, it’s slightly different.
If you’re a bank teller, you’re going to log in once in the morning and you’re stuck with it all day. If you’re a doctor, you’re going to log in maybe 30, 40 times in an hour based on the number of patients you might see. You have to streamline that.
What we’re finding now more and more is that as systems are getting rolled out and deployed, you have concerns by patients. You have government regulations to ensure that there is some level of patient privacy and patient safety being enforced. That’s where authentication becomes important. That’s where you have access controls. That’s where sort of monitoring becomes really important. You see these cases all over where people have accessed information and you don’t know who saw the record or who let go of the information. The normal problems of technology.
What’s the status of proximity-based security and your Secure Walk-Away product?
Proximity can be used two ways. One is a simple prox card, where in lieu of your finger or your user name and password, you can tap a card and instantly you’re in. That card could also be used to access your building systems, but also be leveraged to be a factor of authentication into your technology systems. People love that because it’s really fast. Whichever user comes taps on the RFID device and instantly their session is alive and well. It’s very convenient, and yet secure, and it has authentication around it.
The Secure Walk-Away problem was really around the fact that in healthcare, nearly everybody uses a shared workstation. Very often, people are called away from that workstation. In order to secure it, they actually have to do some act to secure it. They have to hit a key, a hot key, an F1 key, or hit Control-Alt-Delete. They have to do something to lock that system.
Secure Walk-Away deals with the problem on unattended desktops. Where someone walks away from that desktop, there’s a little camera that knows, due to heuristic algorithms, that there’s no one in front of that camera, or that the user that originally logged in to the camera is no longer in front of it. It shuts the screen down or puts up a block. The information is still live. If I come back to it and I was the original user, I don’t have to re-log in, retype in anything. I left it exactly where I was. But if a new user comes up, they have to shut it down and re-authenticate.
The problem that it’s trying to solve is not just around patient privacy, but a lot of it around patient safety, where I could have been entering information on patient A, I got called away, you came into the same workstation and you changed it to patient B. You’re entering the information. I come back two minutes later thinking that it’s still the patient I was working on, patient A, and I enter in some information that’s wrong. I’m entering the wrong information against the wrong patient. This helps protect against that.
It’s a very, very complicated problem. We’ve been working on it for many years. We launched it and it has been a great success. A lot of hospitals are looking into it right now. We have a bunch of pilots going on right now with a bunch of customers, and it’s been a big success. But again, it’s one of those unique technological problems that you have to solve for a very unique environment — a hospital and the shared workstation in it.
Some of the earlier attempts to fix that problem were based on a badge tag. How is the camera better?
There’s been the sonar, which is like the system that is used in flushing systems, where you walk away and then it automatically flushes. There were the mats that came out at one point, pressure-sensitive mats where you were stepping on, and then there was the other RFID situation. People have been trying to solve this problem for a very long time.
We think we have created enough innovation to truly take a different approach that removes the authentication and the access from just doing one task, which is securing an unattended desktop. When you’re logging in, the camera sitting on top doesn’t know it’s you. It’s not authenticating you; it’s not doing anything. All it’s doing is taking a snapshot of you and associating it with your authentication. It has a set of algorithms that say, you know, if you turn your face to the side, you’re in a zone. If you walk away from that zone, it’s going to lock it up. When you come back, it’s going to recognize the characteristics and let you back in.
We have to continue to make innovations to it. We’ve already had lots of ideas that people have asked for us to add to it, so we’re pretty confident it’s going to be a big success. But at the end of the day, it’s a problem that’s existed for a long time, ever since they started to introduce workstations in healthcare. We’ll keep innovating until we can solve it.
How are hospitals using Privacy Alert?
Privacy Alert is patient access monitoring. If someone comes in and says they didn’t have access to these records or if some celebrity or patient comes in and says, “I don’t want my records seen by anybody who’s not on my care team,” then you can monitor access. You can put in controls that raise the flag that says, “OK, this nurse is not on your team and has been accessing your records.”
This is directly as a result of some of the provisions that some state laws have passed, that has been in the recent HITECH Act that you mentioned. All around the fact that they have to be able to monitor who has access to which patient’s records.
I think that this all started with California, where they had issues around people seeing Octo Mom’s records and you had issues around people seeing Maria Shriver’s records. There were a lot of celebrities that would go in and then the information would come out and then the hospital would deal with lawsuits. I think that spread. I think California was the first state to pass a law around this. Over the last few years, it’s become more and more widespread and adopted nationally. It makes good sense. Anywhere else, you’d be able to tell that.
As I said earlier, this is a logical evolution of an industry that is taking a lot of sensitive information and is now making it accessible in order to improve its own efficiency. The problem is that you are in an industry where it’s very difficult to do that, because the primary motive is not producing a product, but saving someone’s life or taking care of a patient.
If you can’t find mechanisms by which you can embed security into the workflow, streamline it, and eliminate the encumbrance that security brings to the process, then that’s where utilization doesn’t happen. That’s why you have all these CPOE systems that clinicians aren’t using because it’s a pain. You have the EMR system that people don’t log in to because they don’t want to use it.
One of our customers found that the average nurse was logging in 70 times a day. Each log in was taking them about two minutes and sixteen seconds. After they bought our solution and had it deployed, they had it down to seconds. This IT guy was telling me he’s never had the CNO praising him on anything, and now it’s like a little love-fest going on because it’s convenience.
They have a job to do. They want to do their job and now you’ve rolled out a system that adds another layer of steps. Instead of me seeing 100 patients, I’m going to see how many patients less because I’m spending two hours just getting in and getting out of systems? I think that’s where the value of what we do comes in front and center.
My last question reflects on that. If you look at the big picture of getting physicians or other clinicians to use technology, what strikes you as being the most important factors over the next few years?
I think it has to become simple, easy, and intuitive into their workflow. One of the reasons why Epic has been so successful and some of the new vendors that are coming into the spaces are innovating is they’re not taking a traditional approach. They’re saying, “Hmm, this problem is a lot more complicated. How can I truly make technology an integral and simple part of the clinician’s day-to-day work life?”
The more those innovations happen, the more you’ll see the utilization go up. Everybody at the end of the day wants to see and needs to see more patients, not just for business or productivity reasons, but because globally we have an aging population. Only so many physicians in the world, right? There are only so many resources, so you need to make things more efficient.
I think if there’s any industry that’s going to benefit by technological adoption, it’s going to be healthcare, dramatically. What’s going to drive it is easy, simple, and integrated solutions. People are not going to buy just raw technology. They’re going to need something that really offers a benefit. Otherwise, they could just use paper. It’s much easier to take the vitals, write them down, have a doctor come up, read them, sign off, and go.
Any final thoughts?
Love HIStalk. You’re a great writer. It’s fun to read.