Though often discussed in highly technical terms, cybersecurity and safeguarding patient data are arguably more human-centric than anything. The root cause of breaches is usually human error — an employee who falls for a phishing scam or shares a password, for example. Research from IBM shows 95 percent of all security incidents involve human error.
No organization is immune to a cyberattack, but hospitals and healthcare organizations are elevating discussions of how to best safeguard data. On a panel at the Becker's Hospital Review 4th Annual CEO Roundtable + CFO/CIO Roundtable in Chicago, healthcare IT leaders shared their thoughts on cybersecurity, consumer expectations and the human element as it relates to security efforts.
Panelists included Sabi Singh, co-COO of University of Iowa Hospitals and Clinics in Iowa City; Jaime Parent, vice president of IT operations and associate CIO of Rush University Medical Center in Chicago; and Gib Sorebo, chief cybersecurity technologist for Leidos. Ayla Ellison, editor with Becker's Hospital Review, moderated the panel.
Here are six key thoughts on the intersection of human behavior and cybersecurity.
1. Healthcare has been hit hard by the consumerization of IT. Just as consumers have come to expect Wi-Fi in their favorite coffee shop, patients and providers expect the same Internet access and ease of use in a healthcare setting. "People at my hospitals, whether patients, students or faculty, all expect the same kind of Internet experience they get at Starbucks," Mr. Parent said. Users want to log on quickly, safely and securely without the burden of multistep authentication, and they want to come and go as they please. IT leaders therefore face a delicate balance: serving that consumer base while still maintaining privacy and security on a network full of devices the hospital does not own or manage.
"I've got patients, I've got staff, I've got faculty, I've got students, I've got people watching Netflix at night while they visit [their] grandpa, and that's what they demand," Mr. Parent said. "The days of quiet bandwidth at night are far from gone, and I still need to protect those threats on devices that I don't own."
2. Enabling security stewardship is as important as systems engineering. "Regardless of the type of healthcare environment we work in, we are all stewards of security," Mr. Parent said. Reinforcing security as a component of workplace culture personalizes the responsibility, rather than relying solely on electronic security solutions that employees don't interact with directly. By making security stewardship a priority for employees at all levels, more eyes and ears work to keep data safe, and the team works together to develop better systems.
Much of system security rests on protecting login credentials and controlling access to networks, and part of that empowerment is fostering a culture of security around data. When employees share passwords with one another or write them on sticky notes posted to computers, they undermine every control built on top of those credentials: access logging no longer identifies who actually acted under an account, role-based access limits are bypassed, and an attacker who obtains one shared password gains the combined access of everyone using it.
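One technical counterpart to the stewardship point above is detecting shared credentials from authentication logs. The following Python is an added example, not code from the panelists or from any hospital system: it flags accounts that log on successfully from several distinct workstations within a short window, which is a common signature of a password being passed around. The log format and the log lines are constructed for the example; real systems (Windows Security event 4624, RADIUS accounting, EHR audit logs) would need their own parser.

```python
"""Flag accounts that authenticate from several workstations within a short
window, a common signal that a login is being shared between staff."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> user=<account> host=<workstation> result=<success|failure>"
SAMPLE_LOG = """\
2016-03-07T08:01:12 user=jsmith host=WS-ED-01 result=success
2016-03-07T08:03:40 user=jsmith host=WS-ED-04 result=success
2016-03-07T08:05:02 user=jsmith host=WS-ICU-02 result=success
2016-03-07T08:06:55 user=alee host=WS-RAD-01 result=success
2016-03-07T09:30:10 user=alee host=WS-RAD-07 result=success
2016-03-07T08:10:00 user=mchen host=WS-LAB-03 result=failure
2016-03-07T08:10:30 user=mchen host=WS-LAB-03 result=success
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed datetime under 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_text)
    return rec


def parse_log(text):
    """Parse every non-blank line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_shared_accounts(records, window=timedelta(minutes=10), min_hosts=2):
    """Return {user: sorted hosts} for accounts that logged on successfully
    from at least `min_hosts` distinct hosts inside some span of length
    `window`. Failed logons are ignored: they say nothing about sharing."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("result") == "success":
            by_user[r["user"]].append((r["ts"], r["host"]))

    findings = {}
    for user, events in by_user.items():
        events.sort()  # time order so a sliding window works
        flagged = set()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            findings[user] = sorted(flagged)
    return findings


if __name__ == "__main__":
    for user, hosts in find_shared_accounts(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: successful logons from {len(hosts)} hosts: {hosts}")
```

In the constructed sample only `jsmith` is flagged: three successful logons from three different workstations within four minutes. `alee` is not, because the two logons are more than the ten-minute window apart, and `mchen` is not, because one of the two events is a failure. Tune `window` and `min_hosts` to the environment before alerting on this: clinicians legitimately roam between rooms, so the signal is strongest on accounts that should be stationary (back-office staff, service accounts) or when the hosts are in different units, and it is worth correlating with badge or location data before treating a hit as a shared password.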
3. A lack of standards leaves security up to third parties. "The standards and policies [regarding cybersecurity] are not there. So if they're not there, guess who kicks in? The vendors," Mr. Parent said. The healthcare industry shouldn't rely solely on technological solutions for data security. Empowering staff and employees creates a culture of security stewardship and helps heighten awareness. Mr. Parent mentioned HHS' "Wall of Shame," the Office for Civil Rights breach portal on which HHS publicly lists breaches of unsecured protected health information affecting 500 or more individuals, which covered entities are required to report under the HIPAA Breach Notification Rule. Programs such as this, which enforce the transparency the HITECH Act requires, have the added element of playing on the human factor: they aim to build accountability and help guide attitudes toward security by making breaches public, he said.
Additionally, Mr. Singh raised vendor agreements and vendor management. Some vendors cannot provide the level of security an organization requires, or cannot demonstrate how a new system will interact with the systems already in place. "We do not build security. It's built in an ex post facto manner," he said. "We have vendors who tell the physicians all the capabilities, the physicians are all excited about it and want to buy the product, but nobody knows how the interfaces work or what security controls are there."
4. Commercial breaches, for better or for worse, set an example for healthcare organizations. Learning of breaches at other organizations reinforces the fact that a breach can happen to anyone at any time, and it can start discussions about defensive measures. Privacy and security experts say the question in healthcare is no longer whether an organization will be breached, but when.
When large companies are attacked, people suddenly feel as though the hackers are in their own backyard. "When Target got breached — my board of trustee members are Target shoppers. They have credit cards. They came to me and they said, 'Could my credit be at risk?' Yes. 'Could my identity be at risk?' Yes. 'Could this happen here?' Yes," Mr. Parent said. "That creates the focus that we need to put security on the front burner rather than the back burner."
5. In a threat-filled environment, providers must protect health information to the best of their ability. Mr. Parent said the wide variety of actors in today's healthcare environment makes it difficult to implement a comprehensive security policy. Patients, their families, physicians and various staff are in and out of hospitals each day, creating security vulnerabilities as they come and go. While CIOs have the technology to try to deter breaches, the culture doesn't always support it, and they don't have the operational command and control to be on top of every single security risk. "Oftentimes there are operational security issues and not just IT [lapses]," Mr. Parent said. "I cannot stop anybody from taking a medical record and faxing it to The Chicago Tribune. I can't stop anyone from taking a picture of a celebrity when they go in. These two are also big breaches."