I had a conversation with the CEO of a very progressive hospital recently. As I sat in my home office afterwards reflecting on that discussion, and on the rest of that week’s events, which included near-miss security incidents at two other hospitals we work with, it occurred to me that we are addressing cyber security all wrong. And because we are coming at it all wrong, we are rewarding and punishing the wrong behaviors.
If we accept the fact that breaches are inevitable—which I believe we should, given the complexity of today’s environment, the nature of the threat, the hyper-connected ecosystem we operate in, the sheer volume of transactions occurring, and the value placed on personal health information—then we should be focusing more attention on detection, both proactive and reactive, and on our ability to respond. We should be rewarding CISOs who actively hunt for weaknesses in the operations, processes, controls, etc. at the organizations they support, who bring those risks to management’s attention early, and who work to remediate them. We should see boards and executive managers asking questions and expecting to be briefed on potential issues that could impact patient care or safety. We should see risk management programs that recognize information systems security incidents as a critical business risk that can affect hospital operations. We should see general counsels and compliance officers who view this as an important business issue that deserves independent audit, just as finances and tax matters do. Information technology incidents should receive their own code (color/name) and be a part of the organization’s incident response process. The bottom line: it’s high time we started treating information security as what it is, a critical business issue.
We need to attack our culture and change it. We need to provide our workforce with the knowledge and awareness that will protect our patients, our information systems and data, and, just as importantly, the workforce themselves. All over the country we are seeing healthcare systems beginning to perform social engineering and phishing exercises and failing miserably. The positive side is that they are doing it and raising their organizations’ awareness; the negative side is that we are simply not changing fast enough. Challenging someone you don’t know or don’t recognize should not be a stressful decision. It should be a customer service issue. Challenge them to identify themselves and their purpose for being there. If they are in the wrong area, help them get to the right area and hand them off to a coworker there. Explain that privacy and security are important at the institution and aid them in getting the assistance they need. It’s an opportunity to be helpful and at the same time reinforce an important cultural ethic of patient privacy and safety. We need to talk about and celebrate the things that go right, such as the incidents that are averted, or the ones that are detected and stopped before serious harm or compromise occurs. We should acknowledge the number of workforce members who identified a phishing email, not just the ones who clicked on it and opened it.
As Gerry McGuire said, it’s a cynical world out there, but we don’t have to, and shouldn’t, give in to that perception. Yes, incidents are inevitable, but compromise is not. Throwing in the towel and giving up is just not an option. The Ponemon Institute just recently published its 5th Annual Medical Identity Theft Study. It’s an easy read, and every healthcare executive should read it. It has some pretty illuminating things to say about what consumers feel and expect, and it’s important to remember that consumers are your patients. Their confidence that healthcare organizations can effectively protect their information is very low, but their expectation that we should be protecting it is very high. With that in mind, we should be assessing more often, testing our environment on a regular basis, running exercises and tabletops to increase readiness, providing more useful and relevant training for the workforce, and regularly reporting to committees, executive leadership and the board. The board should be requiring independent third-party assessment and audit of controls. In short, we should be investing in the business and in our patients, in order to achieve our mission of providing quality care.