HIStalk Interviews David Ting, CTO, Imprivata
David Ting is founder and CTO of Imprivata of Lexington, MA.
Tell me about yourself and the company.
I’m the CTO and founder of Imprivata. We focus on healthcare IT security and streamlining clinical access to computer systems.
What are the technology trends in positively identifying users and patients?
Government regulations are increasingly tightening up from both a privacy perspective to meet HIPAA requirements as well as the new requirement, which is how you tie a prescriber’s identity to an electronic prescription, or in fact, any other transaction. This started years ago with Ohio’s positive ID program, where every electronic prescription has to be confirmed by a provider who is authenticated using some form of two-factor authentication.
More recently, the DEA has allowed controlled substances to be electronically prescribed, again provided there is a means for the e-prescribing systems to confirm that prescribers are using two-factor authentication. The DEA’s requirements are much more rigorous. They consulted with NIST — National Institute of Standards and Technology — to provide the recommended procedures for not only the second-factor authentication, but also identity proofing. NIST is very prescriptive in terms of the methods that are allowed. It has to be a combination of well-known authentication modalities that we all know – something you know, something you have, or it could be a token or something biometric.
We have done a fair amount of work over the past few years making sure that two-factor authentication is integrated into the clinician’s work flow. Our Confirm ID product packages a lot of the compliance requirements of the two-factor authentication capabilities into one product that a number of EMR vendors are using. Today, it’s something that you know like a strong password, a fingerprint that has to meet specific NIST requirements in terms of both the accuracy of the match as well as the imaging capabilities of the scanner, and something that you have, which could be a token, something that generates a passcode, or a cryptographic smart card.
The trend clearly today is on wireless authentication and the ability to leverage the mobile phone, and in the future, secure wearable devices that can all vouch for your identity and serve as one of the “what you have” tokens or components of the authentication process. That is a trend that we are very actively working on and see a lot of promise in — simplifying that task for the clinicians so they don’t have to remember something and don’t have to take a one-time passcode out and transcribe that eight-character code into a form.
Those are the technologies that we believe will become dominant as policies get tighter and government regulations become more prescriptive.
Is the age of passwords just about over?
Passwords have been around as long as computers have been around because it was the simplest form of authentication. In today’s world, we have too many passwords and passwords are too easily compromised. Anything from shoulder-surfing to keyboard-sniffing technology can easily lift them. Increasingly, the new phishing attacks that are being launched in a wholesale manner are much more sophisticated. It’s very, very hard for the average employee to distinguish between a legitimate request from the IT staff and a malware attack.
The only way you’re going to defend against that is to use “something you have” or “something you are.” Something that can’t be electronically stolen — it has to be physically stolen. Apple has done a great job with the Touch ID on the phone. Unfortunately, it doesn’t meet the DEA requirements of “something you have,” but it is a step in the right direction.
I believe the phone, together with Bluetooth technology, will become a very powerful mechanism for eliminating the need for passwords. That together with some form of simple but DEA-approved biometric medication could become very useful. Increasingly, facial recognition is being used, as is palm vein scanning, for a lot of patient identification.
The technology will improve. With the advent of the 3D cameras that Intel and other vendors are building, you can start to see how that technology can potentially play into much more active facial recognition. Passwords will hopefully become something you use only in case of emergency as opposed to something that you need all the time.
Another seemingly obsolete technology is pagers. Will hospitals get rid of them completely any time soon?
Pagers have been around since 1950. They were initially used in some critical industries to alert people to use the phone as a means of communication. Pagers have morphed over the last 60 years from an alerting mechanism to now providing very simple textual output with the opportunity to respond from some pagers bi-directionally.
Those capabilities are rapidly being surpassed or provided by the smart phone and even simple flip phones. Technology, certainly in healthcare, is moving towards the increasing use of secure electronic messaging using smart phones. As Wi-Fi coverage and Wi-Fi reliability are improved within the hospital and certainly outside the hospital with 4G technology, the ability for smartphones to serve as a reliable communications mechanism will eventually displace many of the uses for pagers. It’s more cost effective and there’s much more informational content that you can share.
Our Cortext product is a secure messaging product that allows a clinician to send textual data or photos. In the future, we can see sending all kinds of complex PHI in a secure fashion and also to have that receipt mechanism that indicates when the receiver actually saw it, whether they received it, whether they saw it, whether they can respond to it. That will eventually become the predominant communication mechanism.
You have a lot of experience with document management and other systems. Are we missing opportunities by worrying too much about text field entry instead of other forms of media?
Text fields are only relevant because that’s the way computers originally were built. We had keyboards. We added a pointing device with the mouse.
A physician with a smart phone is carrying a microphone, an accelerometer, and a camera with them. That will allow more media-rich content to be integrated into the EMR record. We have lots of clinicians who want to take photos of their patients’ wounds or their gait and then incorporate that into the EMR as opposed to textually describing it.
More complex sensors will become available. A lot of personal fitness devices and vitals devices will become easily accessible through the smart phone. That will become the means by which a lot of the data that we enter today manually, like your vitals, will be electronically captured and passed into the EMR systems.