Healthcare professionals should rightly be focused on providing quality healthcare services to patients. Does that mean that the industry should ignore a non-related technical topic, such as cybersecurity? Hardly, if the data breach history captured by the U.S. Department of Health and Human Services (HHS) is any indication. Data breaches are rampant and increasing in size and frequency.
A large percentage of the reported breaches can be traced back to human error. Physical security controls break down because a door is left open. Technical controls break down because a user ID or password is posted on a sticky note on a computer monitor, or because account credentials are shared when the task at hand absolutely, positively needs to be done right now.
Professionals working in the healthcare industry possess a zeal for protecting the health of their patients and improving how that support is provided. No legitimate employee wants to intentionally do something to adversely impact the health of a patient.
Health IT is about promoting the use of IT to support the healthcare mission. Health IT is all about providing high-quality care more efficiently, faster and cost effectively by using software and hardware technologies that have transformed countless other industries. However, these technologies cannot be deployed without considering the potential new cyber risks introduced to an organization.
An obvious manifestation of healthcare IT is the continuing transition from paper-based records to digital health records. But it does not end there, as wireless technologies have enabled medical devices to become extended diagnostic and reporting nodes on an increasingly networked IT infrastructure that shares patient medical records, billing records, financial records, and burgeoning software applications—all accessing databases housed in common server structures.
How can this extended enterprise be protected? One approach can be extracted from the “Stop. Think. Connect.” campaign administered by the U.S. Department of Homeland Security (DHS). The intent is not to make everyone a cybersecurity expert or to unduly raise fear, uncertainty and doubt—the intent is to bring some sense of cybersecurity awareness to the general population. The goal of this campaign is to make someone think—even for half a second—before they take action online.
Do you have a secure connection to the server where you are about to input your credit card information? Are you authorized to access the data records you are about to request? Should you post personal information online for anyone to see? Simply hesitating to consider your actions before blindly clicking on that link can help prevent obvious human errors from occurring.
The board of directors of a healthcare organization has a myriad of concerns—providing sound patient care, maintaining financial viability and leveraging IT to enhance their operations. Just as healthcare professionals run their departments, the IT infrastructure should be run by cybersecurity experts who are cognizant of the constantly evolving threats and who mitigate the resultant risks to the organization. As there is never enough budget or staff to throw at a non-mission-essential, yet critical, area such as cybersecurity—how can the board cope?
Raise the cybersecurity awareness of the overall organization with role-appropriate cognizance of the consequences of individual actions and how easily one click on an inappropriate link can compromise an entire network—ultimately leading to the compromise of personal health records.
What is one effective way to overcome this challenge? Establish a cybersecurity awareness program.
Creating and operating a cybersecurity awareness program does not mean transforming staff into cyber engineers able to reverse engineer malware samples. Instead, the intent, like the DHS “Stop. Think. Connect.” campaign, is to have individuals realize that they play key roles in protecting the digital health of patients—just as they play direct roles in protecting the physical health of patients.