Enabling Integration with your Medical Devices

Imprivata Medical Device Access enables fast, secure authentication for accessing and transacting with patient information on medical devices.

Integrate Imprivata with your medical devices to enable strong authentication for transacting with patient information:

Configure Users

See Planning an Imprivata Enterprise Access Management for MFA Implementation before completing the steps on this page.

Complete the steps in the following sections to get medical device users up and running.

Synchronize to a User Directory

NOTE: You do not need to perform this step if you are already using the same user directory for another Imprivata product.

The Imprivata user database is a mirror of the user directories in all domains from which you create user accounts. When you first install Imprivata Enterprise Access Management, there are no user accounts in place. To set up the Imprivata user database, you synchronize with the user directories in which your users’ primary accounts are located. See Adding a Network Domain

(Optional) Set Up Administrator Roles

Enterprise Access Management uses administrator roles and sub-administrator roles with nested scope so you can delegate administrative authority throughout the enterprise. Administrator roles help delegate Enterprise Access Management administration operations throughout an enterprise. See Administrator Roles (Delegated Administration)

Create and Assign User Policies

User policies are associated with MFA workflow policies. Before enrolling Enterprise Access Management users:

  • Create a user policy that is assigned only to providers who are authorized to access an Imprivata-integrated medical device.
  • For example, you can create a user policy called Medical Device Users and then assign it to each user who is authorized access a medical device.

See Creating and Managing User Policies for information about configuring user policies.

Configure Workflows

The MFA workflow policy controls:

  • The authentication methods that are allowed for each workflow, and

  • The clinicians who are allowed to use each associated workflow.

Configuring the MFA workflow policy involves:

  1. Specifying the authentication method(s) required to complete each workflow, and

  2. Associating at least one user policy with each workflow.

After a user policy is associated with a workflow, all users to which the user policy is assigned are allowed to:

  • Enroll the authentication methods specified in the policy, and

  • Use the workflow.

The following table lists and describes each workflow that requires authentication via Enterprise Access Management. Your applications may not support all available workflows.

Workflow Name in the MFA Workflow Policy Applicable Users Regulations Allowed Authentication Methods (first factor plus second factor, if so specified) License Required
User verification (non-regulated)

Users who perform streamlined workflows from integrated mobile computing carts and medication dispensing carts and cabinets.

 

 None

All

 Medical Device Access
Medical device log in Clinicians who log into integrated medical devices with proximity or fingerprint. None

All

 Medical Device Access
Medical device log in — password only

Clinicians who manually log into an integrated medical device with username and password only.

Other authentication methods are not supported.

    Does not require a Medical Device Access license
Medical device different user authentication Clinicians who perform a witness workflow on a medical device None All Medical Device Access
Medical device user verification (non-regulated) Clinicians who require authentication during a clinical workflow on a medical device None All Medical Device Access

Workflows are configured on the MFA workflow policy page of the Imprivata Admin Console (Users menu > Workflow Policy). Some workflows can have more than one allowed authentication method.

You can remove authentication methods that you don't want to use, or you may be prompted to remove certain authentication methods if they are not allowed by the regulations of the state you selected at the top of the page. Invalid methods are highlighted in yellow and a notification message appears at the top of the MFA workflow policy page.

You need to associate a user policy (or policies) with each MFA workflow you intend to use. After a user policy is associated with a signing workflow, all users in that user policy are allowed to perform that MFA workflow with the specified authentication methods.

To associate a user policy with an Enterprise Access Management MFA signing workflow:

  1. Click Associate user policies to the right of the workflow on the MFA workflow policy page. The Choose a user policy box appears.
  3. Click in the box to view a drop-down list of available user policies, or begin typing to search for the user policy you want to associate.
  4. Select the user policy you want to associate. The Associate user policies link changes to Associated with 1 user policy and displays the total number of users contained within the associated user policy.
  5. To associate another user policy, click Associate another user policy.
  7. Repeat these steps for each workflow that your organization uses.

You may improve the user experience by providing a grace period where Enterprise Access Management MFA skips second factor authentication:

  1. In the Imprivata Admin Console, go to UsersWorkflow policy.

  2. In the section Workflow options, set a grace period (24 hours, 59 minutes maximum), where a user does not have to complete second factor authentication after proximity card authentication and/or fingerprint authentication.

  3. Click Save.

Configure Endpoint Computers

The following sections describe how to configure the endpoint computers and/or virtual desktops on which Enterprise Access Management enrollment and/or workflows will occur.

Create and Assign Computer Policies

Computer policies set security parameters for each computer in your organization. Each computer must be assigned one computer policy. See Creating and Managing Computer Policies

Deploy the Imprivata Agent to Endpoints

IMPORTANT: Perform all previous configuration steps listed in Installing and Configuring Enterprise Access Management for MFA before performing this step. Enterprise Access Management features do not "go live" on your users' endpoint computers until the Imprivata agent is deployed.

An Imprivata agent must be installed on each endpoint computer on which MFA enrollment or workflows will take place.

Imprivata provides a variety of agents for different uses. It is important to understand the differences between the agent types to be sure you employ the agent best suited to each user. See Different Imprivata Agents for Different Uses.

You can distribute the Imprivata agent with Microsoft Active Directory (AD) group policy or similar tools, or you can email users a link and have them self-install it. You configure these settings on the Deploy agents page (Computers menu > Deploy agents). See Deploying the Agent.

Connect Authentication Devices

Connect the required authentication devices on each endpoint computer on which MFA enrollment and/or workflows will take place and make sure the devices are working properly.

Configure Medical Device Integration

Configure the integration between Imprivata Enterprise Access Management and your Medical Devices to support authentication via MFA.

NOTE: Before you begin, see Enterprise Access Management MFA Supported Components for the supported versions of your medical device software.

Configure Eyecon Users

  1. In the Eyecon console, go to Settings > Login/Scan out > Edit Users.

    The Username value must exactly match the username value in Imprivata Confirm ID.

  2. Go to Settings > Login/Scan out > Use Imprivata Login: Enabled

  3. Imprivata Server FQDN/IP — The FQDN/IP address of your Imprivata enterprise

  4. Imprivata Scan Retries — the number of fingerprint scan retries allowed: Two attempts = one failure, so a value of 2 would provide four attempts before failing.

  5. To enable two-factor authentication, configure Count Only Login, Validation Login, and Inventory Login. Refer to Eyecon user manual for details.

Configure Medical Device Workflow

Enable fingerprint authentication for Eyecon:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section Medical Device workflows:

    1. Select Fingerprint authentication for the User verification (non-regulated) workflow;

    2. To enable users, associate their user policies with this workflow.

      For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.

  3. Click Save.

After the Imprivata agent and the administration tools have been installed, run MedCartAgentConfig.exe as Administrator. If this tool is launched from a Capsa CareLink endpoint that has the Imprivata agent installed, the current agent settings will be loaded and any changes saved will take effect immediately. Otherwise, a default set of values are loaded. Deploy the saved configuration file to the Capsa CareLink endpoints.

The configuration settings for the agent are stored in a file MedCartAgent.exe.config. This file can be deployed to other computers by storing it in the same directory as MedCartAgent.exe.

Configure Medical Device Workflow

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section Medical Device workflows:

    • Select the appropriate authentication methods for the User verification (non-regulated) workflow;

    • To enable users, associate their user policies with this workflow.

  3. For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.

  4. Click Save.

Enable API Access

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

To complete the integration with Capsule SmartLinx MDIS, see the SmartLinx MDIS System Administrator’s Guide and complete the following steps:

  • Validate that the devices are supported and have the appropriate RFID proximity reader kit installed;
  • Install the Imprivata appliance root certificate to the SmartLinx server;
  • Configure the CapsuleTech SmartLinx MDIS server registry to connect to the Imprivata appliance.

Configure Medical Device Workflow

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.
  2. In the section Medical Device workflows:
    • Select the appropriate authentication methods for the User verification (non-regulated) workflow;
    • To enable users, associate their user policies with this workflow.
  3. For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.
  4. Click Save.

Add Capsule SmartLinx MDIS integration

  1. In the Imprivata Admin Console, go to Applications > EPCS and clinical workflows integrations.
  2. In the Medical Devices section, click Add a medical device.
  3. Select Capsule SmartLinx MDIS and click OK.

Enable CAREDirect Medserve Cabinets

  1. In the CAREDirect Medserve admin console, go to IT SettingsImprivata Settings.

    • Imprivata Server URL — enter the fully qualified domain name (FQDN) of the Imprivata appliance.

    • Active Directory Server — Address for Active Directory server

    • Port — LDAP port

    • Username — Windows username used for LDAP lookups

    • Domain — Domain associated with the above username

    • Password — Password associated with the above username

Enable Prove ID Web

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

Configure Medical Device Workflow

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section Medical Device workflows:
    • Select the appropriate authentication methods for the Medical DevicesLog In workflow:
    • Associate user policies with the workflow.
  3. For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.

  4. Click Save.

Enable CAREDirect Medserve Integration

  1. In the Imprivata Admin Console, go to DevicesIntegrations.

  2. Click Add a medical device and select CAREDirect Medserve.

  3. Click OK.

Add GE Healthcare — Venue Ultrasound integration:

  1. In the Imprivata Admin Console, go to Applications > EPCS and clinical workflows integrations.

  2. In the Medical Devices section, click Add a medical device.

  3. Select GE Healthcare — Venue Ultrasound and click OK.

Enable API Access

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

Configure Medical Device Workflows

Select the authentication method(s) available for medical devices:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section Medical Device workflows:

    • Configure authentication methods required for the Log in workflow;

    • Associate user policies with the workflow.

  3. For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.

  4. Click Save.

To complete the integration with GE Healthcare — Venue Ultrasound, see the GE Healthcare documentation:

  • Validate that the devices are supported and have the appropriate RFID proximity reader kit installed;
  • Install the Imprivata appliance root certificate to the server;
  • Configure the server registry to connect to the Imprivata appliance.
NOTE:

GE Healthcare — Venue Ultrasound supports RFID reader programming. When you assign your GE Healthcare — Venue Ultrasound devices to an Enterprise Access Management computer policy, reconcile the card reader configuration settings with the card readers for those devices.

NOTE:

See the Imprivata Enterprise Access Management MFA Supported Components for details on specific requirements for enabling this integration and for supported functionality and authentication methods.

Enable API Access

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

NOTE:

Full API access is also acceptable, but not required, for this vendor.

Add the Masimo Integration

  1. In the Imprivata Admin Console, go to Devices > Integrations.

  2. In the Medical Devices section, click Add a medical device.

  3. Select Masimo IRIS Platform and click OK.

Configure Medical Device Workflows

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section for Medical device workflows:

  3. Click Save.

Configure the Masimo SafetyNet Server for Imprivata Authentication

Contact your Masimo representative for assistance with configuring Masimo SafetyNet for use with Imprivata authentication.

NOTE:

See the Imprivata Enterprise Access Management MFA Supported Components for details on specific requirements for enabling this integration and for supported functionality and authentication methods.

Enable API Access

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

Add the Mindray Integration

  1. In the Imprivata Admin Console, go to Devices > Integrations.

  2. In the Medical Devices section, click Add a medical device.

  3. Select Mindray BeneVision DMS and click OK.

Configure Medical Device Workflows

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section for Medical device workflows:

  3. Click Save.

Configure the Mindray Server for Imprivata Authentication

See Mindray’s documentation or contact your Mindray representative for assistance with configuring on Mindray’s BeneVision Distributed Monitoring server for use with Imprivata authentication.

Philips Patient Monitoring System Integration

Add Philips Patient Monitoring System integration:

  1. In the Imprivata Admin Console, go to DevicesIntegrations.

  2. In the Medical Devices section, click Add a medical device.

  3. Select Philips Patient Monitoring System and click OK.

Configure Medical Device Workflows

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

Select the authentication method(s) available for medical devices:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section Medical Device workflows:
    • Configure authentication methods required for the Log in workflow;
    • Associate user policies with the workflow.
  3. For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.

  4. Click Save.

This medical device integration can handle the following scenarios:

  • The EMR username and password are the same LDAP credentials as stored by Imprivata Enterprise Access Management (formerly Imprivata OneSign) (the EMR is in the same domain).

  • The EMR sits in a different domain, and therefore the EMR username and password are different from the Enterprise Access Management LDAP credentials.

    • An Imprivata APG profile is required to store the EMR credentials. The Welch Allyn device will retrieve these credentials from the Imprivata appliance once the user has successfully authenticated to the medical device using Enterprise Access Management, and will send those credentials to the EMR as the EMR identifier, along with the test vitals and other information.

    • For the Welch Allyn device to be able to retrieve the credentials from the Imprivata APG credential store, an application mapping is required in the Imprivata Admin Console. The external application name in this mapping must match the contents of the Welch Allyn field "Credentials App Id".

    • The credentials retrieved from the Imprivata APG credential store needs to be in simple username format. There is no need for complex formats such as user@domain or domain\username.

      However, Welch Allyn should be capable of parsing out the correct format from whatever Imprivata APG has stored.

Enable API Access

This medical device integration requires full access to the Imprivata ProveID Web API:

  1. In the Imprivata Admin Console, go to the gear icon > API Access.

  2. On the API Access page, select Allow full API access via ProveID Web API and ProveID Embedded

  3. Click Save.

Add the Welch Allyn integration:

  1. In the Imprivata Admin Console, go to DevicesIntegrations.

  2. In the Medical Devices section, click Add an application.

  3. Select Welch Allyn.

  4. Click OK.

Select the authentication method(s) available for medical devices:

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.

  2. In the section Medical Device workflows:
    • Configure authentication methods required for the Log in workflow;
    • Associate user policies with the workflow.
  3. For details on configuring workflows, see Configuring the Enterprise Access Management Workflow Policy.

  4. Click Save.

Enroll Authentication Methods for Medical Device Workflows

After a user policy is associated with a workflow, all users to which the user policy is assigned are allowed to enroll the specified authentication methods. If you have configured your medical device workflows to require authentication methods besides username and password, users must enroll the specified authentication methods before you complete your Enterprise Access Management integration. For complete details on the enrollment process, see Enrolling Authentication Methods for Imprivata Enterprise Access Management — MFA .

Password Only Authentication

Enterprise Access Management supports password only authentication to medical devices with no license necessary.

  1. In the Imprivata Admin Console, go to Users > Workflow Policy.
  2. In the section Medical Device workflows > Log in - password only, associate user policies with the workflow.
  3. Click Save.

Users associated with this workflow will not consume a Confirm ID for Medical Devices license. Users cannot be associated with any other medical device workflow.