Medical devices and instruments exchange hands as they are brought in and out of hospitals. Here's how one vendor management company is increasing the security of its device tracking system.
Medical device security threats usually bring to mind malicious hackers trying to steal passwords or infiltrate hospital networks. But what happens when users are willingly giving away their login information and sharing accounts?
That was the situation Settrax, a Gig Harbor, WA-based company, found itself facing. Settrax offers a vendor tray management solution, tracking surgical implants and instruments coming in and out of hospitals and surgery centers. The company was founded by Brad Lindenmayer, who had worked as a device rep, as a way to centralize device tracking and communication between medical device vendors and hospitals. Settrax kiosks replace the paper log books previously used to track devices and instruments with a more precise system that requires device reps to weigh, photograph, and describe the devices being used in a surgery.
With the prior system, "[A device rep] would come in with all of these instruments and implants and they could be valued anywhere from a half million dollars to a couple million dollars . . . They would just sign a log book, a paper log book, if that. And that would be it," Lindenmayer explained.
Though the Settrax kiosks brought another level of traceability to the device inventory management process, the system wasn't foolproof. Initially, the company's registered users had a standard username and password to access the system and log devices. But because users--the device reps--have to pay to register accounts, there was an incentive for them to share accounts with each other. This meant lost revenue for Settrax, but it had more troubling consequences for healthcare delivery, compliance, and billing. So the company decided to pursue another layer of security with two-factor authentication.
"We're not like a lot of other companies with our user base," Lindenmayer said. "Most user bases are not trying to actively share their account. They're trying to protect it and two-factor is just an additional layer. [For] us, it's sort of the reverse. Our user base is trying to share their account."
Settrax ultimately chose to work with Authy, a provider of two-factor authentication for individuals and businesses. Two-factor authentication (2FA) confirms a user's identity to ensure the right person is accessing the account, Marc Boroditsky, vice president and general manager at Authy, explained.
"[Settrax] need[ed] to make sure that only the permitted person was actually interfacing with their kiosks in order to ensure that they have proper compliance with all of the hospital and medical device regulations . . . but also so that they could provide reliable, auditable reports that would ultimately support whatever payments needed to be taking place from the surgical provider to the device provider," Boroditsky said. "For them, authentication was critical to ensure that they had the proper compliance for all of that."
Settrax implemented Authy's SOFTTOKEN product option, which generates a one-time code every 20 seconds. Users input that code to access their protected account. Lindenmayer pointed out that the ability for users to receive this code without an Internet connection was a key selling point for Settrax. "Since our kiosks live in the dungeons of a lot of these hospitals where there is no cell service, that was a unique feature that we had to have if we were going to implement two-factor authentication," he said.
In addition to SOFTTOKEN, Authy offers ONETOUCH, which sends users a push notification to accept or reject account access, and ONECODE, a code sent to users via text or voice call.
The implementation process requires just a few hours of coding, testing, and modifications, Boroditsky said. However, it can take more time and effort to explain the new process to users. Lindenmayer said, "The biggest part of the process is when you have a big chunk of users that you need to transition over to two-factor. They have a lot of questions."
Authy's ONETOUCH solution has been in place at Settrax for about five months. While two-factor authentication has led to more transparency and traceability, it hasn't been a sure-fire barrier against account sharing. Now, some users have begun using the two-factor authentication process on multiple devices under a single account, enabling several device reps to use one account.
"Again, it's a curveball that most user groups would not do," Lindenmayer said.
Settrax can use the Authy product offering to observe that there are multiple devices authorized on a single account, so that has led to conversations with those users, Lindenmayer said. That means Settrax may limit each registered user to a single device.
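As an added illustration (not Settrax's or Authy's code), here is a minimal time-based soft token using the 20-second rotation the article describes, which shows why a code can be generated with no network at all (only a shared secret and a clock are needed), together with the kind of per-account device-count check that surfaces the multi-device sharing discussed above. HMAC-SHA1, six digits, and a one-step clock-skew tolerance are assumptions for the example; the article does not describe Authy's actual algorithm.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 20   # rotation interval stated in the article
DIGITS = 6          # assumption; the article does not give the code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over a 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based code: the counter is the current time window, so a kiosk or
    phone with the secret and a clock needs no cell service or Internet."""
    return hotp(secret, now // step, digits)


def verify(secret: bytes, code: str, now: int, step: int = STEP_SECONDS,
           skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current window plus +/- skew_steps
    neighbours to tolerate clock drift; constant-time compare avoids leaking
    how many digits matched."""
    window = now // step
    return any(hmac.compare_digest(hotp(secret, window + d, len(code)), code)
               for d in range(-skew_steps, skew_steps + 1))


# Constructed enrolment table: account -> devices registered for 2FA.
# Both account names and device names are made up for this example.
ENROLMENTS = {
    "rep-alice": ["alice-phone"],
    "rep-bob": ["bob-phone", "shared-tablet"],
}


def shared_accounts(enrolments: dict, max_devices: int = 1) -> list:
    """Accounts with more enrolled devices than policy allows: the signal
    the article says Settrax uses to spot one account shared by several reps."""
    return sorted(acct for acct, devs in enrolments.items()
                  if len(devs) > max_devices)
```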
These types of challenges are part of the territory with the software-as-a-service model, Lindenmayer said. "This issue of users sharing their access, their credentials, to avoid having to pay for multiple accounts--that's something that we're going to see rise in our industry and others," he said. "It's just going to happen."
On the other end of the spectrum, Authy recognizes that additional security measures are often perceived by users as a hassle. This may be particularly true in healthcare, where security steps can be viewed as an impediment to usability. Boroditsky acknowledged: "Their priority focus is on the delivery of healthcare and if you're adding an additional step, it's something that they'd like to get rid of. So making it the least possible burden on the end user is what we focus on." He added that this may be accomplished with a simple user experience, an easy-to-use application, and the ability to use one form of authentication across all types of accounts.
Authy has seen interest in two-factor authentication from the healthcare industry rise as the e-prescribing process becomes mandatory in some states and as medical record systems become more mobile. Extra measures are being implemented to ensure secure e-prescription delivery and to authenticate appropriate access to medical records.
"The whole concept of ensuring that only the right person is actually doing what's taking place and that they're effectively permitted to do so, is really important in the whole healthcare process," Boroditsky said.