I was working with a healthcare organization recently, and we were discussing some new data security initiatives around remote, mobile, and local users.
We had a few teams in the room with us. The end-user compute (EUC) team focused on application and desktop delivery, the network team focused on the wired/wireless aspects of the architecture, and the security team was all about keeping data and users safe.
All very important roles, and sometimes they don’t get along in meetings. It goes without saying that user experience is critical for success. However, you can just as easily argue that healthcare data security is just as important as, if not more important than, the user experience.
Poor user experiences can lead to lower adoption rates, poor performance, and a very unhappy healthcare workforce. Similarly, a weak security architecture can (and will) lead to nightmare scenarios around data leaks, PR headaches, and lost confidence from users and patients.
We all know that healthcare data is valuable. We also know that the user experience is extremely important. This means that doctors who are directly interfacing with patients can’t be spending several minutes trying to log in and get their charts up. This has to be done quickly so that patient-doctor interaction can start immediately.
And so, too often, I find that one structure tries to supersede the other. That is, user experience over security or vice versa.
Let’s try to break that paradigm and find a better balance.
User Experience and Healthcare Security – A delicate balancing act
Let’s take a step back and understand user interaction with various types of healthcare IT systems. You’ll have mobile users leveraging mobile devices, doctors interacting with patients, support staff conducting a myriad of tasks, and contract/temporary workers who are a part of the healthcare organization.
The first thing I try to accomplish is to clearly map application and data workflows to ensure we understand how users are interacting with their respective systems.
That said, to walk the fine line between security and user experience, consider the following.
- Working with mobile users. More applications and services are being delivered via mobile devices. In the healthcare world, you’re going to have to enable some form of mobility management and content delivery. The good news is that evolving services allow you to integrate a variety of traditional user applications into an enterprise mobility management framework. So, you can create wrappers around applications, funnel file sharing solutions into one management architecture, and even enhance the delivery of key apps and services. Mobility management can help deliver context to users leveraging mobile devices. These solutions can automatically interrogate incoming users to know who they are, where they’re coming in from, which device they’re using, and what data they’re trying to access. For example, Citrix XenMobile allows you to do some pretty powerful things within healthcare. These kinds of mobility management technologies can even tell if a user is experiencing a bad connection. From there, the solution can help compress data and actually improve the experience while still keeping the architecture secure.
- Enabling healthcare workers who directly interface with patients. Here’s the rule of thumb: You don’t want to implement solutions that force the patient to wait longer for services. For those users who are directly interfacing with patients, you might have to get creative. In these situations, a pilot program is the best way to ensure your delivery mechanism allows you to be secure while still leveraging powerful experiences. Let me give you an example around Citrix XenApp/XenDesktop. By using virtualization, you can pre-launch a set number of applications before doctors or nurses even log in. If you know that a certain EMR virtual machine is going to be in high demand, you can spin up those VMs – automatically – before doctors even get into the office. This way, they get to their apps quickly and you get the chance to centralize and secure sensitive data points.
- Controlling contractors or temporary staff. Automated onboarding and offboarding solutions can be an absolute lifesaver here. That is, you can preset employment timeframes for contractors and ensure that there are no rogue users or administrators on your network. Furthermore, this is a great way to do asset control. You’ll always know which licenses are being used, and even which physical devices contractors are using. You can even integrate HR and business systems to really ensure you don’t have any lost accounts in your business. Solutions like those from Ivanti allow healthcare organizations to really gain control over their users and who has access to key systems.
- Managing data. I really can’t recommend this step enough. Every healthcare organization should create a data map and understand the flow of information. Data assessments should be done on a regular basis to ensure that PII and PHI are properly stored and are not being disseminated on unwanted networks or storage repositories. You’d actually be surprised how often there’s data that’s “accidentally” stored within unsecure locations or is being downloaded onto personal devices.
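To make the contractor point above concrete, here is an added example (not from the original article or any vendor product) that reconciles a directory export against an HR roster to catch accounts that outlived their contract, accounts with no active HR owner, and contractors who were never given an end date. The field names and sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data: an HR export and a directory export (field names are assumptions).
HR_ROSTER = [
    {"id": "E100", "type": "employee",   "status": "active",     "contract_end": None},
    {"id": "C200", "type": "contractor", "status": "active",     "contract_end": date(2024, 3, 31)},
    {"id": "C201", "type": "contractor", "status": "active",     "contract_end": date(2024, 9, 30)},
    {"id": "C202", "type": "contractor", "status": "active",     "contract_end": None},
    {"id": "E101", "type": "employee",   "status": "terminated", "contract_end": None},
]
DIRECTORY = [
    {"user": "asmith",  "hr_id": "E100", "enabled": True},
    {"user": "bjones",  "hr_id": "C200", "enabled": True},   # contract ended, still enabled
    {"user": "cwu",     "hr_id": "C201", "enabled": True},
    {"user": "dpatel",  "hr_id": "C202", "enabled": True},   # contractor with no end date
    {"user": "elee",    "hr_id": "E101", "enabled": True},   # terminated in HR
    {"user": "svc_old", "hr_id": None,   "enabled": True},   # no HR owner at all
    {"user": "fgarcia", "hr_id": "C200", "enabled": False},  # disabled: ignored
]

def reconcile(directory, roster, today):
    """Classify enabled accounts that HR data says should not be active."""
    hr = {p["id"]: p for p in roster}
    findings = {"expired": [], "orphaned": [], "no_end_date": []}
    for acct in directory:
        if not acct["enabled"]:
            continue  # already offboarded
        person = hr.get(acct["hr_id"])
        if person is None or person["status"] != "active":
            findings["orphaned"].append(acct["user"])      # no active HR record behind it
        elif person["type"] == "contractor":
            end = person["contract_end"]
            if end is None:
                findings["no_end_date"].append(acct["user"])  # timeframe was never preset
            elif end < today:
                findings["expired"].append(acct["user"])      # contract over, access remains
    return findings

if __name__ == "__main__":
    for kind, users in reconcile(DIRECTORY, HR_ROSTER, date(2024, 6, 1)).items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run on a schedule, the three lists map to three actions: disable, investigate ownership, and send back to HR for an end date.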
As you take all of this in, remember that there may be instances where some levels of user experience might have to be sacrificed to enable a good healthcare data and security architecture.
As mentioned earlier, you simply cannot allow just any file sharing solution to be enabled within your network. However, creating security wrappers around those file sharing platforms can still allow healthcare associates access to their files, while monitoring activity.
Moving forward, the rapid digitization of healthcare will require your organization to think outside the box when it comes to security and supporting your healthcare workers. My biggest recommendation is to work with good partners and solution providers who simply help you see the bigger picture.
The other critical piece of advice is to run pilot programs and create internal champions of technology. Trying out a new system with a subset of users can be a great way to work through bugs and create an architecture that can make everyone happy.
These pilots are usually lower in cost and allow you to learn more about how your users interact with various systems on a daily basis. From there, if your pilot works, you don’t have to rip it out. Rather, you can build on its success.
If you find the right balance between good security policies and powerful user experiences, you’ll create a much happier workforce that’s capable of keeping up with emerging healthcare demands.