Health information security needs a new approach — one that boosts compliance among health care workers and doesn’t slow down patient care.
According to Lynne VanArsdale, acting chair of the Health Information Security Center of Excellence, success hinges on open conversations between information security and health care professionals.
Health care workers can teach IT professionals how security requirements impact patient care — especially in situations where seconds count — and about what really works in the hospital setting. Information security professionals can give health care workers a greater understanding of why information security measures matter to patient safety.
HISCoE, which became part of the National Cybersecurity Center in August, serves as “a conduit and a translator between health care and information security,” VanArsdale said.
Feedback between these groups is vital because the frameworks and motivations that work well in other industries fall flat in health care.
For health care workers, she said, patient care and workflow are what matter most.
“If anything impedes their delivery of health care … they resist it and they don’t follow it,” VanArsdale said.
“So what happens is they close their ears to the benefits of compliance and they hide their heads in the sand in terms of the cost of non-compliance — ‘It’s not going to happen to me,’ — and then they build workarounds to the policies and infrastructure.”
Those workarounds introduce additional information security risks, often through informal and unsecured paper records and the use of shadow IT (software or hardware used within an organization without the knowledge or support of the organization’s central IT department).
VanArsdale said most security education motivates through fear — but that doesn’t carry the same impact with health care professionals.
“Threat is relative. Health care workers face life and death decisions very frequently and it’s fundamental to what they do; information security threat is minor compared to the other threats that they manage minute to minute,” she said.
“They worry about health risk first and foremost, and … they expect and need other people to worry about the infrastructure in which they deliver care.”
Speaking at the 7th Annual Cybersecurity Training & Technology Forum in Colorado Springs last month, VanArsdale said health care workers face critical choices between information security and medical best practices every day, and are frustrated by conflict between the two.
HISCoE gathered details of these conflicts across the summer by holding “Dueling Panels” sessions where Colorado health care providers spoke about challenges with security, and information security workers responded to their issues.
“What we found was that electronic information is relatively new in health care — it’s very immature. Health care workers are still adjusting to the idea that information security affects patient safety, and seeming conflicts between best care and best security practice are really what’s going on in the health care arena,” VanArsdale said. “Providers ask, ‘From whom are we protecting this data? What happens when life and death depends on disclosure but the law disallows it?’ These are the main types of questions that we heard.
“…There’s this perception of futility — they’re trying to do their job, they’re seeing these ‘stupid’ rules … impeding their ability to give care, so they give up,” she said.
“And when they give up, they then shirk the responsibility. Now it’s somebody else’s problem.”
The saddest part about this dilemma is that patient safety relies more and more on information security, VanArsdale said.
She cited WannaCry, the massive ransomware attack which shut down work at 16 U.K. hospitals, because they failed to maintain their Microsoft Windows security updates.
“These are the kinds of things that we can look forward to if we don’t start talking and realizing that we’re not going to get anywhere with health care workers unless we [incentivize information security],” she said.
Kris Kistler, chief information security officer for Centura Health, said Centura is constantly seeking feedback and looking at how to streamline information security for its clinicians.
Centura’s information security department regularly works with clinical teams to conduct detailed pilot tests when looking at new systems that could impact their workflow, he said.
“There is often a balancing act we must maintain to ensure that the acute care setting is not disrupted, while providing technology in a safe and efficient manner,” Kistler said in an email. “It is vitally important for these acute care systems to be available 24x7x365 for emergency needs and not suffer unexpected downtime due to a virus, phishing, ransomware or other malware attack.”
Although most health care workers do not have the experience and training to fully understand the security threat landscape, risk assessment and design requirements for a secure environment, Kistler said, “receiving input from them regarding workflow changes, avoiding extra clicks or steps when possible is very valuable and important feedback for security implementers to consider.”
He said the implementation of Centura’s Multi-Factor Authentication system was a great example.
“Several of the reasons we chose the product we did was a direct result of clinician preference. The clinicians really liked the multiple authentication options in the product we chose,” he said. “Instead of being forced to carry a hard token, they can use any one of five different methods to perform their MFA (push, passcode, sms, call, token) and cache those credentials for 30 days, just like Google, LinkedIn and Amazon, even using the same DuoSecurity app if they desire.”