What does good cybersecurity awareness have in common with thorough hand-washing? Both can go a long way toward protecting patients.
See Also: 2016 Social Engineering Report
The importance of improving cyber threat awareness among the workforce as well as senior leaders was among the top themes that many privacy and security experts stressed during the recent HIMSS 2016 conference in Las Vegas.
"The first thing to focus on is user awareness because a lot of these attacks are occurring because users are doing things that are dangerous."
Dave Summitt, CISO at the Moffitt Cancer Center in Florida, noted during a presentation that when he joined the organization, one hour of the new employee orientation was spent on instructing workers on proper hand-washing to protect patients, but only about 10 minutes of discussion was devoted to cybersecurity.
Since he's settled in at Moffitt, Summitt - who formerly worked at the Department of Defense - has been on a mission to raise cybersecurity awareness throughout the organization with the goal of better protecting patient data. That's because, in order to improve breach prevention and detection, "users and leaders must know and understand what they are up against," he says.
Championing Cyber Awareness
Security personnel also need to add to their responsibilities "championing" awareness among the workforce, he says. "We had a huge increase in email-related questions from employees after our cyber team went out to build awareness during [the recent] cyber awareness month," he said.
The improved awareness ended up helping Summitt's team prevent a potential ransomware attack after "an employee told us about an attachment in an email that was opened. We looked for more [malicious emails] and stopped it before it propagated."
While patient safety - including infection prevention through thorough hand-washing - indisputably needs to be the top priority for healthcare providers, recent cyberattacks on the sector have proven once again that many organizations need to spend a lot more time building workforce awareness and leadership buy-in when it comes to cybersecurity and breach prevention and detection efforts.
Ransomware attacks, such as the recent incident involving Hollywood Presbyterian Medical Center - which last month paid $17,000 to unlock patient data - need to be recognized and stopped before damage is done - and patient safety is jeopardized. Getting the workforce better engaged in that effort can be vital, as Summitt has found at Moffitt.
During an interview at HIMSS 2016, Mac McMillan, CEO of security consulting firm CynergisTek, told me improving awareness is the No. 1 step that healthcare organizations can take to immediately improve their defense against cyberattacks.
"The first thing they need to focus on is user awareness because a lot of these attacks are occurring because users are doing things that are dangerous," McMillan says. That includes downloading documents from sources they don't know and opening attachments in emails or clicking on links that bring them to malicious sites, he says.
But awareness-building shouldn't just be for the rank and file; it's also more critical than ever to get buy-in from senior management that holds the power and the purse strings.
Collaboration Among Leaders
When attempting to build support for rolling out multifactor authentication to bolster protection of patient information, or for investing in better ways to prevent breaches involving mobile devices, collaboration between clinical and information security leaders can help.
Paul Connelly, CISO at Hospital Corporation of America, a national chain, stressed to attendees at a HIMSS 2016 cybersecurity workshop that it's vital for CISOs to closely collaborate with their organization's chief medical information officer.
"Look for ways to bring the CMIO into what you're doing," he advised. That includes collaborating on setting standards for public cloud services and new authentication requirements as well as devising ways of better protecting Social Security numbers of patients - or minimizing their use.
Collaboration is vital because poor decisions that are made by the security team could potentially impact clinical workflow and patient care. And clinical team members' resistance to security efforts could end up making it easier for mega breaches to happen.
Collaboration also aids awareness-building. For instance, a CISO and CMIO spending several hours shadowing each other, or even following around busy physicians during rounds, can help foster understanding and appreciation for goals, challenge and priorities.
Dave Levin, M.D., chief medical officer at Sansoro Health, a health IT vendor, told HIMSS attendees that a healthcare organization he previously worked at decided to move to a single sign-on solution a few years ago after he spent the day shadowing an ER doctor and saw how much time the physician wasted logging into systems.
Chuck Kesler, CISO at Duke Medicine, told attendees that his team attempts to build cyber awareness among the workforce by having staff members take the "cyber smart" pledge to take 10 important steps. Those include using strong passwords, and, whenever possible, multifactor authentication; applying all security updates in a timely fashion when prompted; "thinking before clicking" on links and email attachments; using encryption to protect sensitive data when appropriate; and reporting suspected security concerns immediately.
After all, when it comes to protecting the best interests of patients, good cybersecurity is as important as proper hand-washing.