Cybersecurity presents a huge, ongoing challenge for healthcare organizations across the board. Information systems, medical devices, and patient data must be protected at all times, but many hospitals and practices cannot afford to retain in-house personnel solely dedicated to security. At the same time, they often lack the technology infrastructure needed to identify and track security threats and subsequently translate threat data into action.
What’s more, healthcare workers regularly and mistakenly assume that their IT network and supported devices have a low level of cybersecurity vulnerability.
An industry task force, established by the Cybersecurity Act of 2015, reported to Congress last June with recommendations for shaping an urgent response. The group set forth expectations for healthcare cybersecurity and called for increased protection and resilience of IT systems and supported devices. The task force also addressed human factors by emphasizing workforce readiness enabled by improved cybersecurity awareness and education.
An Effective Action Plan
Forward-thinking facilities recognize that disparate IT systems and devices must interoperate within a unified scheme. For example, when Marin General Hospital, located north of San Francisco, updated system-wide security in 2016, the executive who led the project went beyond filling in technology gaps.
Jason Johnson, Marin’s chief information security officer, told Healthcare IT News: “We took a different approach to focus on the person and people [involved] because we knew that would be the hardest needle to move and the most difficult to change.”
Johnson’s team instituted mandatory security awareness training, going so far as to integrate it within new employee orientation. Additionally, the project team interviewed clinical staff to gain an understanding of their daily workflows. That effort identified caregivers’ top channels of email communication, which paved the way for the build-out of encryption “tunnels” that could seamlessly lock down emails containing patients’ protected health information.
The results? One year after the project started, Marin reported a 50 percent drop in system vulnerabilities, along with 100 percent staff participation in security awareness efforts. Click rates on malicious emails fell from 63 percent to a practically non-existent 0.5 percent.
Departmental outreach was key, concluded Johnson. “Once people were convinced it was a good idea and everyone was on board, security became a requirement,” he explained. Every new project or contract now requires a standardized security review.
Integration and the Human Factor
As the Marin case shows, technology integration can flourish through an approach that takes into account human responsibilities on the front lines of care. Healthcare is notorious for dependence on “tribal knowledge” — individualized bits of information residing in staff members’ heads or scribbled on post-it notes — and such vulnerabilities often aren’t readily apparent. However, workflow-based analysis takes into account human factors prior to revamping core processes.
Further, technology such as NetDirector’s HealthData Exchange platform, which automates the sharing of clinical and billing data, frees up labor resources by simplifying the integration process. As a result, care providers can spend more time focusing on patient needs while technologists keep a watchful eye on ever-present compliance and cybersecurity issues.