When it comes to working with physicians and other clinicians, and other end-users, in their organizations, how are healthcare IT leaders advancing cybersecurity in patient care organizations these days? Part of the answer to that question was embedded in the title of a panel discussion on Tuesday in Cleveland, during the Health IT Summit, sponsored by Healthcare Informatics, and unfolding this week at the Hilton Downtown Cleveland. “It Takes a Village: Collaborating to Secure Your Organization” was the title of the panel discussion, which was led by Pamela Banchy, R.N., CIO at Western Reserve Hospital in Cuyahoga Falls, Oh.
Banchy was joined by David Kaelber, M.D., Ph.D., CMIO and vice president of health informatics at Cleveland’s MetroHealth System; Karen Martinko, MetroHealth’s IS security officer; Keith Duemling, information security officer at Lake Health in Painesville and surrounding towns in northeast Ohio; and Ricky Aldridge, who spent more than 20 years in healthcare IT security, before recently shifting to Diebold Nixdorf, a North Canton, Oh.-based corporation in the financial services equipment and software area, as cloud security architect.
“Frequently, clinicians see security as an inconvenience—it’s their perception that we’re keeping them from caring for patients,” Banchy said early in the panel discussion. “They’re not understanding why you can’t have USBs connected to computers, for instance. And if you understand the business, you know how we can help collaborate together. So what I’ve heard through my career is, make it easier, don’t make it harder. And of course, who’s responsible for security? We all are. And you do your penetration testing, and inevitably find the few individuals who fall for the phishing email, right?”
“In terms of phishing, yes, I agree, that’s probably the weakest link at MetroHealth, and we’ve undertaken a variety of efforts to make them aware that you can’t just open every email, click on every link,” Martinko said. “So in addition to articles we’ve put on our Internet, around phishing. And we thought we were making some really significant strides in helping to educate people; unfortunately, we got some results that weren’t so great, so we’ll be making some more changes.”
“From the clinicians’ side, security is viewed as making things harder for them to do. We tried to cut down on the Internet sites people could go to, trying to create a kind of ‘white list.’ But there are unintended consequences of blocking some things that people need, in order to do their normal jobs. How do you find that balance? We’ve seen that it’s got to be a collaborative effort. And you have to make a decision, thinking it’s the best decision you can make at the time, and then adjust accordingly. For instance,” he said, “we went with IronKeys [encrypted flash drives], but that was a tough transition. And now we’re going through some things around passwords—you’ve got to have 12 passwords now, and better passwords. And the thing is, as a physician, you’re not seeing the upside of the system being more secure. If you own your own practice, you can see both the upside and downside of being secure. In a small practice, it’s really hard to keep up with the security issues, in a constantly changing environment.”
“Do you find that many users will look for and develop and try to use workarounds?” Banchy asked her fellow panelists.
“Information security has to be adaptive, and we have to adapt to the needs of the clinical staff, to see what their needs are,” Duemling responded. “We have to make adaptations, so that people don’t feel they have to go around us to do their work. That give and take is critical, in my view.”
“I absolutely agree,” said Martinko. “One of the things we’ve been doing at Metro recently is applying some additional governance layers. We’re actually taking some of the security solutions we need funding for, and communicating that to a diverse series of folks, to help us move forward. We talk about why we want to deploy a particular technology, what the benefit will be, and how it will be maybe use things for the users and staff.”
“We try to communicate what we’re doing and why, without making it too technical,” Aldridge said. “And now at my new job, I use my marketing department, and the marketing department actually does a good job for me. Because I can’t be the person to give the controls and communicate the controls at the same time, because they won’t want to listen to me. Big communications should be done with a good PR background,” he asserted.
“Security is often seen as a dis-enabler,” Aldridge continued. “But in reality, everything you want to do, we can do; we just need to make it secure. But reach out to PR. Because I need to communicate to the whole organization. Like with phishing. At Akron Children’s, we worked on that. And our monthly or weekly communications to the whole organization, we gave them numbers, and we gave those numbers to leadership, so they knew what we were doing and why. So communicating with your user base is probably the number-one thing you can do.”
“As CMIO, I really want it to be a partnership; and what we might consider a workaround, might be a new weakness you didn’t anticipate,” Kaelber noted. “And my view of HIT in general is that there’s no way in the design and testing phase, that you can come up with every possible scenario. So you’ve got to go live, and then fix things, but you need really good relationships around all this, to make it work.”
“What types of structured governance models have you found to be a good or best practice?” Banchy asked.