Access management has become one of the most persistent friction points in modern organizations. The challenge isn’t just about securing identities. It’s about doing so without grinding productivity to a halt, especially in environments where shared access is the norm. Healthcare workers moving from patient to patient, police officers sharing devices in patrol cars, and manufacturing workers on the floor all face the same dilemma: security requirements that clash with operational speed. Traditional access management solutions force organizations to choose between security and efficiency. This inevitably leads to workarounds, privilege creep, and the classic “we’ll deal with it later” approach. We all know how well that works out.
In this episode, Chip Hughes, chief product officer at Imprivata, explains how the company addresses shared access management challenges with specialized solutions that prioritize both security and user experience. Joining him are Kathleen Mullin, former CISO at MyCareGorithm, and Howard Holton, CEO at GigaOm.
Want to know:
- Why does shared access management remain such a persistent challenge across industries?
- What does Imprivata’s solution actually do versus traditional IAM tools?
- How does passwordless authentication work in high-security, high-speed environments?
- What authentication modalities beyond badges are organizations adopting?
- How can organizations integrate access management across devices, operating systems, and applications?
- What are the unique access challenges in healthcare, law enforcement, and manufacturing?
- Can shared mobile devices provide enterprise-grade security while reducing hardware costs?
Check out the episode for the answers you need.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Imprivata

Full Transcript
[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today, we’re talking with Imprivata and what they’re doing in access management. Now, the problem that they’re addressing is the business friction created by access management, especially when it comes to shared access management.
I think we’ve all felt it, and we know it is a problem. Helping us find out specifically why, we have Kathleen Mullin, former CISO at MyCareGorithm, and Howard Holton, CEO at GigaOm. Howard, I’m going to start with you. Why is the business friction created by access management, especially that shared access management, still a problem?
[Howard Holton] Because we’re lazy. The reality is, it is very complex to deal with the time and the political needs of a proper access management program. They get complicated. The challenge is, while managing human identity is reasonably easy – one human, one identity – it becomes really complicated when you have shared resources, or when we start talking about non-human identities or, I don’t know, quasi non-human identities like AI, where you have things that are impersonating specific people.
While it’s really, really easy to assume what humans are going to do, which is kind of what got us into this problem, right? Kathy in accounting is likely to do accounting functions, she’s not malicious. As soon as you start adding in things like AI that are impersonating, it starts to become a real serious problem, and all we’ve done is kind of kick the can down the road for 25 years.
So, we are where we are.
[Rich Stroffolino] Kathleen, is that where you’re seeing it? Why are we still having this problem? Are we just can kickers with the shared access management?
[Kathleen Mullin] I agree plus. So, I look at things from the lens of healthcare, and within healthcare, what you see is individuals who are moving from room to room, patient to patient. And some of the solutions, although simple, become very complex.
And there is a very limited interest in having to log in over and over again, validate identity over and over again. There is this tradeoff between efficiencies, especially when devices are being shared. It is complex and simple at the same time. And we really, really want to look at what we can do to make it simpler for the users because they really don’t understand the value.
When they have a job to do, the concerns related to access management are not their concerns.
[Rich Stroffolino] Well, today we’re going to be talking with Chip Hughes, chief product officer over at Imprivata. Now, Chip, help us out here. To start out, we need to answer three essential questions. How do I explain the value of your solution to my CEO?
What does your solution do? What does it not do? And what is the pricing model? Can you help us out here?
[Chip Hughes] Yep, thanks for having me, and I like what Kathleen said there. When you think about frontline workers, you think about healthcare and clinicians, you have a shared resource. And what do we think about? How quickly can I get that frontline worker into that resource?
That’s a productivity gain that we care about if I’m that end user. If I’m a CISO, how do I make sure that that’s secure as I’m changing users and users doing that really quickly? And if I’m backend operations, how am I tracking? How am I dealing with audit?
How am I dealing with compliance? And so, what we’re really focused on at Imprivata is making sure that we deliver the most value that we can, which is getting that user in the most seamless, sometimes passwordless way possible in a way that really still balances security.
And so, what do we do? We solve that problem. We ultimately solve the shared access management problem. We have very specialized software that will get you in, will make sure we know who you are, and does it in a really secure way. What we’re not is sort of other security products, right?
We’re not a governance product. We’re not doing necessarily lifecycle management, although there’s always a little of that. We’re not a SIEM tool. We’re not XDR. We’re not all these other acronyms. We’re focused on getting that access in and out, and then just sort of closing out what’s our pricing model.
We do it per seat. It’s pretty straightforward for us. So, pros and cons of all of those things, but I think really focused on delivering value to our customers.
[Rich Stroffolino] Fantastic. All right. Well, we’ve gotten a taste for the solution. I’m sure a lot of questions on there. Kathleen, I’m going to go to you first. What other questions do you have about Imprivata?
[Kathleen Mullin] My big question is if we’re looking at implementing the solution, what is that ongoing relationship? Because it’s all about relationships with vendors. What is that ongoing relationship to ensure that I have fully implemented the solution, and if there are hiccups, what could I do to get help to make sure that it is working effectively?
[Chip Hughes] It’s a great question for us. There’s a couple different components to this. We have a services organization, obviously, that can help you, we have a customer success organization that’s going to help you, and we obviously really value that relationship.
So, we’re going to want a regular cadence. We’re going to want regular touchpoints with you. The other thing that we do that I think is really interesting is if you’re in healthcare, you mentioned healthcare, we’ve got a clinical team. So, we actually have a chief medical officer that we’ve hired, which when I first came on board to the organization, I’d never seen that before, particularly for a security company.
And his team is responsible for walking into hospitals and doing walkthroughs and making sure that your frontline workers, your clinicians, your healthcare providers, are maximizing the value out of our solutions based on the license you have.
And we’re building that muscle out, so we’re taking that and we’re entering into other industries around manufacturing where you’ve got a lot of shared usage. When we think about state and local and police officers, there’s actually a lot of shared usage there, too.
And so, we’re building out that team so that we can provide that walkthrough. Look, doctors like talking to doctors, right? And particularly police officers want to talk to police officers. So, getting that unified sort of view and bringing that together is how we really deepen that relationship.
[Rich Stroffolino] Howard, I see you nodding over there. Get in there, I’m sure you have some questions.
[Howard Holton] Kathleen, I’m totally stealing the concerns with access management are not their concerns. That is absolutely fantastic. So, my questions are great, but so far, it’s all been kind of platitudes. We can do this. We do do this. We’ve got people that have some expertise.
I like everything that I’ve heard. Great. How do you do it? And how do you do it in a way that allows me to integrate it into my operating model, right? I’ve got people that have to manage these things without it being another kind of headache or a three-quarter solution.
It works for three-quarters of my platforms and the other quarter I’m still having to deal with in a kind of kludgey, clunky way.
[Chip Hughes] So, I think one of the things that’s interesting about Imprivata is a lot of companies, particularly that are access management companies, focus purely on standards. We as a company have gone a lot further than that. So, when we think about what we integrate with, and if you think about classically a clinical use case, if I’ve got a clinician that’s coming up next to a bed and needs to open up an end point so that they can chart, right, put information in about that user in that shared scenario, you’ve got that desktop, that machine next to the bed.
You’ve got to integrate with the operating system. You probably have to integrate with some sort of virtualization layer potentially. You’ve got to integrate with the app, and you’ve got to be able to do it soup to nuts really quickly so that that user can get into it.
That’s the challenge that we take on. And so, one of the big things for us is making sure that we’re entering into specific verticals that we can go solve for.
The other thing that we do that we really think about is it’s quite frankly passwordless access. We’ve just been doing it longer than everyone else. So, you think about a badge tap. We badge tap into that, and then traditionally we’ve been using a password, which unlocks something we called grace period.
Once we unlock grace period, you can go tap into more and more machines without having to do that again. Security people don’t like that. They want you to continue to authenticate. So, what are we doing now? We’re bringing in risk signaling. We’re adding modalities like your face so that once you’ve done that stronger authentication, we can go through and let you go across whatever your rounds are, across whatever they are, using those frictionless modalities so that you can really drive seamless access.
And ultimately, it’s all in our roadmaps. We make those publicly available. You can go see them online, book a meeting with us, and we’re happy to have those conversations.
[Howard Holton] I really like that explanation. Now, as a security guy, stealing a badge is a great piece of physical security penetration. So, let’s talk more about those modalities and how you integrate those and kind of some of the behaviors that you’re looking for, if that’s an easy way to kind of talk through it and allay my fears.
[Chip Hughes] It’s a great question. So, first off, not all badges are created equal, and you sort of need to understand that as a starting point. There’s high frequency badges, low frequency badges. There are FIDO badges now. There’s different flavors of it, and obviously we want to get you to the most secure badge possible so that it can’t be replicated, you can’t go clone it, those sorts of things.
The second piece is we’re moving to a state where we don’t think a badge is enough, and so how do you deal with that while still providing frictionless access?
And the answer for us is where we start getting into things like analytics, and we start looking at what are the common patterns of behaviors we see across our clinicians, across these frontline workers? What endpoints are they accessing? Are there patterns that we can see on that?
If I’ve got a nurse who’s maybe in oncology, and all of a sudden is going over to a different department and badging in, you may want to, especially in healthcare, fail in. We talk about that a lot. But you also may want to generate an alert, do something else.
We’re in an age where we can do a lot with biometrics, we can do a lot with alternative authentication technology. So, you think about things like BLE and location services, RTLS. We’re building patterns around these so that we can authenticate you and really drive, hey, we trust who you are, we’re using risk signaling.
If something looks afoul, let’s go deal with it in the appropriate way.
[Howard Holton] I might have a partner for you. If you could reach out after this call, that’d be great. I’m not kidding. I actually, like, someone that manages tech for hospitals, I might have a nice integrator for you.
[Chip Hughes] That’s great. For us, part of really where we’re at, we’re in most of the major hospitals across North America, right? So, 90%-plus of the hospitals in North America. So, we’re really driving that forefront of getting this out there. And I would say, especially what Kathleen said, productivity was the thing that we really focused on, and it’s just fundamentally shifted now.
It’s we have to have both. We have the various stakeholders, and it used to be if the doctors wanted it, they got it. The CISOs now are going, “Well, I’m going to get you this, but you have to solve this problem, or it’s really not going to work for us,” and that’s really real.
[Kathleen Mullin] The other thing that I think is interesting is you’re in 90%. The 10% that are left are dealing with some high-impact finance issues that are making it difficult for them to get across, but they need to drive efficiencies. The other thing is with a lot of these individuals, they are working from home on personal devices as well as working in hospital systems using the devices that are provided.
Is there any bridging that you guys provide?
[Chip Hughes] Yeah, so it really depends on the situation, but a couple things I would just hit on. We’re in the large hospital systems, generally speaking, those larger hospital systems. The smaller ambulatory clinics, those type of places, it’s harder for us to go down there, but one of the things we’re doing for that is we are now releasing multi-tenant SaaS.
So, our flagship product is still something that customers can go run, hospitals can go run, and part of the reason for that is we want to be able to fail in. Multi-tenant SaaS gives you an alternative option, and in theory, we can do that without having to have quite the IT staff that you would need to run some of our appliances.
So, we recognize that to help solve some of that problem.
The second big piece is we believe in the modalities that we are providing for our customers, and we are building out solutions that are focused on clinical but then can quickly be extended to the broader ecosystem. So, if I’m working from home and I want to log into my computer and it doesn’t have Imprivata on it, you’re not going to necessarily log in with your corporate credentials, but we’ve got the equivalent of SaaS-y type solution where we can open up that connection to the EMR and still provide a very seamless, secure experience following sort of industry standard principles using modern authentication methods.
[Howard Holton] Can we move out of healthcare for a moment? Because you do have other modalities. Within the context of healthcare, I worked in biometrics longer ago than I want to mention, and one of the things that we were really good about within the fingerprint and one of the things that we had a patent on was the ability to change the fail-in level, to use that term.
So, an outside door has a lower requirement than a pharmacy door, as an example, right? As we look at different industries, they’ll have far, far different requirements. So, how do you manage a similar level of service across your different industries?
And what are those industries? You mentioned government, law enforcement, healthcare, and manufacturing. Are there more or those are them?
[Chip Hughes] We’re primarily talking about really our flagship product. We have other products that we do for shared too, things like Shared Mobile, and we get into airline. We have our third-party management solution where we’re managing how third parties get access into systems as well, and we do a lot with gaming and from an industry perspective on that.
So, we’ve got a pretty wide array of different industries that we’ve got different solutions for or are focused on. The flagship, obviously, is healthcare, which is why I started there.
To your specific question, it’s a couple of things from where we sit. One, we’re bringing in risk signaling now so we can sort of get into this low, medium, high, and we also have the ability, if you think about face, to control how sure we are you are who you say you are.
One of the things we don’t talk a lot about, but when you get into like facial modalities or some of the biometric modalities, it’s not a binary yes, no, are you Chip? It’s I’m 95% sure you’re Chip. I’m 98% sure you’re Chip. And so, we can look at how we have the ability to turn that up or turn that down.
We have a standard that we usually release. That’s sort of the standard we expect most of our customers to use. And then we want to use those external signals to determine, quite frankly, if you trust face, if you think it’s good enough, and if you don’t, then fingerprint can be a better modality.
Push, whatever it is, can be passkeys. All of those things can be other modalities that we would use. So, hopefully that answered sort of the question you were asking, but that’s how we think of it.
[Howard Holton] I like the idea of fallback verification methods if the default fast verification method isn’t sure enough.
[Chip Hughes] That’s right.
[Howard Holton] I think that’s an interesting view of how to solve the problem and how to manage the problem. And this’ll be my last question, just within facial recognition, how are you managing for and confirming the elimination of bias on race and sex?
[Chip Hughes] The short answer on that is we’ve got a team. We actually use a third party that we embed in our product, and they go through testing on this, we go through our testing on this, and quite frankly, that’s a longer conversation than probably this podcast, but it’s something we worry about obviously as we move forward.
[Rich Stroffolino] All right, we have time for one last question.
[Kathleen Mullin] So, my question falls along the same line in terms of you had spoken about getting into law enforcement, and I was looking to see if you have any more details about that because within law enforcement, obviously we’re talking harsh environments, and they have some very specific requirements related to the security and access to the CALEA FBIC [Phonetic 00:15:20] systems, and then at the same time, lower-level requirements to get into some of the other systems they have to get into.
[Chip Hughes] So, CJIS is a lot of the regulatory pieces that are out there, and that’s specifically, it’s shared access, and we need to get into these federal systems through CJIS, and that’s specifically what we go solve for. That’s one of the big things that we’ve seen is, you know, you think about police car, you think about shared resources in that police car, I need quick access, I need access to very specific resources, including these highly regulated pieces.
And so, that’s an area that we’ve seen a lot of success with a number of different police precincts moving forward, and it’s an area that we’re investing in heavily. We’ve, like I said, we’ve brought in specialists now that are doing walkthroughs with us that tell me that I don’t know what I’m talking about, this needs to work this way for police officers, and revamp our product to make it work for those specific use cases.
So, it’s going to be an area we continue to invest in, along with manufacturing is the one that everybody kind of gets, right? So, just sort of working through those.
[Rich Stroffolino] All right, Chip, what’s one thing we didn’t ask about that we need to know?
[Chip Hughes] I hit on it a little bit, but just mobile and where mobile fits into all this and moving to mobile and how that works. And for us, we have an entire solution that we’ve put together that helps with shared mobile. So, you think about these different use cases.
I’m walking on a plant floor. I can talk about the healthcare use case, too. Do you want to have to buy a mobile device that’s managed by the corporate enterprise that you give to every single user? There are reasons in terms of unions and other things that you have to go do, can get really expensive.
And one of the things we have done a lot of focus on resources into is how do we go have shared iPhones, shared Android devices so that I can walk in, use it on a shift, have passwordless authentication into that device, personalized to me, specific data to me.
And then at the end of that shift, you walk away, wipe it clean and charge it for a little bit and let that next user use it. So, something we’ve been really excited and seen a lot of traction in the market on.
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to imprivata.com. And if you have any feedback for this show, send it to us at feedback@CISOseries.com. A huge thanks to Kathleen and Howard for helping us learn more about Imprivata, and a big thank you to Chip for your time and being game to answer all of these questions.
And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.





