How are healthcare IT leaders advancing cybersecurity in patient care organizations these days, particularly when it comes to working with physicians, other clinicians, and other end-users in their organizations? Part of the answer to that question was embedded in the title of a panel discussion on Tuesday in Cleveland, during the Health IT Summit, sponsored by Healthcare Informatics and unfolding this week at the Hilton Downtown Cleveland. “It Takes a Village: Collaborating to Secure Your Organization” was the title of the panel discussion, which was led by Pamela Banchy, R.N., CIO at Western Reserve Hospital in Cuyahoga Falls, Ohio.
Banchy was joined by David Kaelber, M.D., Ph.D., CMIO and vice president of health informatics at Cleveland’s MetroHealth System; Karen Martinko, MetroHealth’s IS security officer; Keith Duemling, information security officer at Lake Health, which serves Painesville and surrounding towns in northeast Ohio; and Ricky Aldridge, who spent more than 20 years in healthcare IT security before recently moving to Diebold Nixdorf, a North Canton, Ohio-based maker of financial services equipment and software, as cloud security architect.
“Frequently, clinicians see security as an inconvenience—it’s their perception that we’re keeping them from caring for patients,” Banchy said early in the panel discussion. “They’re not understanding why you can’t have USBs connected to computers, for instance. And if you understand the business, you know how we can help collaborate together. So what I’ve heard through my career is, make it easier, don’t make it harder. And of course, who’s responsible for security? We all are. And you do your penetration testing, and inevitably find the few individuals who fall for the phishing email, right?”
“In terms of phishing, yes, I agree, that’s probably the weakest link at MetroHealth, and we’ve undertaken a variety of efforts to make them aware that you can’t just open every email, click on every link,” Martinko said. “So in addition to the articles we’ve put on our Internet around phishing, we thought we were making some really significant strides in helping to educate people; unfortunately, we got some results that weren’t so great, so we’ll be making some more changes.”
“From the clinicians’ side, security is viewed as making things harder for them to do. We tried to cut down on the Internet sites people could go to, trying to create a kind of ‘white list.’ But there are unintended consequences of blocking some things that people need, in order to do their normal jobs. How do you find that balance? We’ve seen that it’s got to be a collaborative effort. And you have to make a decision, thinking it’s the best decision you can make at the time, and then adjust accordingly. For instance,” he said, “we went with IronKeys [encrypted flash drives], but that was a tough transition. And now we’re going through some things around passwords—you’ve got to have 12 passwords now, and better passwords. And the thing is, as a physician, you’re not seeing the upside of the system being more secure. If you own your own practice, you can see both the upside and downside of being secure. In a small practice, it’s really hard to keep up with the security issues, in a constantly changing environment.”
“Do you find that many users will look for and develop and try to use workarounds?” Banchy asked her fellow panelists.
“Information security has to be adaptive, and we have to adapt to the needs of the clinical staff, to see what their needs are,” Duemling responded. “We have to make adaptations, so that people don’t feel they have to go around us to do their work. That give and take is critical, in my view.”
“I absolutely agree,” said Martinko. “One of the things we’ve been doing at Metro recently is applying some additional governance layers. We’re actually taking some of the security solutions we need funding for, and communicating that to a diverse series of folks, to help us move forward. We talk about why we want to deploy a particular technology, what the benefit will be, and how it will be of use to users and staff.”
“We try to communicate what we’re doing and why, without making it too technical,” Aldridge said. “And now at my new job, I use my marketing department, and the marketing department actually does a good job for me. Because I can’t be the person to give the controls and communicate the controls at the same time, because they won’t want to listen to me. Big communications should be done with a good PR background,” he asserted.
“Security is often seen as a dis-enabler,” Aldridge continued. “But in reality, everything you want to do, we can do; we just need to make it secure. But reach out to PR. Because I need to communicate to the whole organization. Like with phishing. At Akron Children’s, we worked on that. And in our monthly or weekly communications to the whole organization, we gave them numbers, and we gave those numbers to leadership, so they knew what we were doing and why. So communicating with your user base is probably the number-one thing you can do.”
“As CMIO, I really want it to be a partnership; and what we might consider a workaround, might be a new weakness you didn’t anticipate,” Kaelber noted. “And my view of HIT in general is that there’s no way in the design and testing phase, that you can come up with every possible scenario. So you’ve got to go live, and then fix things, but you need really good relationships around all this, to make it work.”
“What types of structured governance models have you found to be a good or best practice?” Banchy asked.
“We’ve made a lot of changes just in the past year,” Martinko reported. “But we have different panels now. We do have physicians who are members of those panels; so they are involved, and we bring forward projects we’re looking towards. Doctors sit on the panel that IS is involved with. A lot of times,” she noted, “there have been things we’ve talked about, and when I’ve explained the benefits, the doctors have actually been rather enthusiastic supporters of what we’ve been trying to do. And per what Dr. Kaelber has said, as we roll out new technologies, we do include doctors in our pilots and pilot planning, and that helps us.”
“And the other thing I’ve seen that’s been really positive,” Kaelber added, “is that five to seven years ago, security was seen as purely an IS technical function; but there’s an evolving recognition at MetroHealth and presumably at other places, too, that everybody has a role in this. We’re really making sure we’re engaging not only the technical people, but some of the marketing people, the compliance people, some of our training folks, technical folks. Because at the end of the day, security really is the job of everyone. But it’s a continuing process.”
“I think that clinical informatics is an important group, with growing importance,” Aldridge asserted. “They help to engage clinicians, and in reality, they convert IT-speak to clinical speak. Because we’re not thinking from a caregiver standpoint, but from a pure IT standpoint.”
“And the patients’ information is our responsibility,” Banchy noted. “And all of us are, have been, or will be patients. And so having an understanding of all the roles across the enterprise, anybody who has that information, is really key.”
What will happen as the emerging world of APIs evolves? “That’s where I’m actually operating right now,” Aldridge said. “We’re basically shifting and lifting, moving everything to the cloud. And an API—you have one system here that knows all its data, and a system over there that knows all its data, and you can basically write a script to create an easy way to share data. In the cloud, everything is API-driven. We’re building a lot of APIs for the ATM machine. Pretty soon your ATM machine will be software as a service. Sounds crazy, but it’s going to happen. So how we’re trying to do security around those is that, within your cloud providers, there’s a way to do key management. Key management is the first thing you’ve got to implement. You need to make these API calls, to manage them across the life cycle. And there’s a life cycle around when an API is built, deployed, secured, etc.”
What’s more, Aldridge noted, “A lot of companies are actually offering API security. Healthcare is going to start to see a lot of APIs. And as you move to the cloud, you’re going to have to get used to APIs. And as the government pushes open APIs, one of the reasons they did that—back in the day, hospitals were connecting one to one. So they’re pushing all the EHRs to use an open API, as EHRs go to the cloud. That’s how data will be moved between data points, so you basically need to get hooked up with API security vendors like Apigee, MuleSoft, etc.”
“And I think that from a governance standpoint, one way to approach that would be to essentially treat information moving from an API to another entity, as being to a third party, and work with that API as a business partner,” Duemling said. “It’s not perfect, but it’s one way to look at it.”
“Back in the day, you had all these security products, and none of them talked to each other. Now, all of them have an open API, so if you use products like Phantom, Command, those products sit in the middle and make systems talk,” Aldridge noted. “So now if you saw something that looked like malware, you’d have to call the PC person, etc., to run an antivirus on the system. Now, with open APIs, you could send data to the firewall and automatically block it, and your firewall guys wouldn’t have to do anything.”
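The automation Aldridge describes, an alert from one tool turned into a block on another tool through an API with no person relaying it, is easy to state and easy to get wrong: an orchestration step that blocks whatever the antivirus names will eventually block an internal clinical server or the EHR vendor. The Python below is an added example, not code from the panelists, the article, or any of the products named; it shows the guardrails a practitioner would put in front of such an auto-block. The alert JSON shape, the FirewallClient class (an in-memory stand-in for a firewall's REST API), the never-block ranges and the clinical allowlist are all assumptions for illustration.

```python
"""Added example: gate an automatic firewall block behind sanity checks.

Everything here is hypothetical: the alert format, FirewallClient (a stand-in for
a real firewall API so the script runs offline), and the allowlist values.
"""
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample alerts (not real data), shaped like JSON an endpoint
# protection tool might post to an orchestration webhook.
SAMPLE_ALERTS = [
    '{"source": "av", "severity": "high", "indicator": {"type": "ip", "value": "203.0.113.45"}, "host": "ws-0412"}',
    '{"source": "av", "severity": "high", "indicator": {"type": "ip", "value": "10.20.30.40"}, "host": "ws-0412"}',
    '{"source": "av", "severity": "low", "indicator": {"type": "ip", "value": "198.51.100.7"}, "host": "ws-0099"}',
    '{"source": "av", "severity": "high", "indicator": {"type": "ip", "value": "203.0.113.45"}, "host": "ws-0200"}',
    '{"source": "av", "severity": "high", "indicator": {"type": "ip", "value": "192.0.2.10"}, "host": "ws-0300"}',
    '{"source": "av", "severity": "high", "indicator": {"type": "domain", "value": "evil.example"}, "host": "ws-0301"}',
    '{"source": "av", "severity": "high", "indicator": {"type": "ip", "value": "not-an-ip"}, "host": "ws-0302"}',
]

# Ranges that must never be auto-blocked at the perimeter: internal, loopback,
# link-local, carrier NAT, multicast. Blocking these is a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4", "0.0.0.0/8",
)]

# Hosts the EHR and other clinical systems must always reach (hypothetical
# value standing in for, say, the EHR vendor's published address range).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class FirewallClient:
    """Hypothetical stand-in for a firewall's REST API; keeps rules in memory."""
    rules: dict = field(default_factory=dict)  # ip -> rule record

    def block(self, ip: str, reason: str, ttl_hours: int) -> str:
        rule_id = f"rule-{len(self.rules) + 1:04d}"
        self.rules[ip] = {"id": rule_id, "reason": reason, "ttl_hours": ttl_hours}
        return rule_id

    def is_blocked(self, ip: str) -> bool:
        return ip in self.rules


def classify_indicator(value: str):
    """Return (ip, None) if the value is a safely blockable IP, else (None, reason)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None, "indicator is not an IP address"
    for net in NEVER_BLOCK:
        if ip in net:
            return None, f"{ip} is in a never-block range ({net})"
    for net in ALLOWLIST:
        if ip in net:
            return None, f"{ip} is on the clinical allowlist"
    return ip, None


def process_alert(raw: str, fw: FirewallClient, ttl_hours: int = 24) -> str:
    """Apply the guardrails to one alert and block if appropriate.

    Returns a one-line decision so every automatic action (and non-action)
    can be logged for the firewall team to review after the fact.
    """
    try:
        alert = json.loads(raw)
        severity = alert["severity"]
        ind = alert["indicator"]
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        return f"skipped: malformed alert ({exc.__class__.__name__})"
    if severity not in ("high", "critical"):
        return f"skipped: severity {severity} below auto-block threshold"
    if ind.get("type") != "ip":
        return f"skipped: indicator type {ind.get('type')!r} not handled here"
    ip, why = classify_indicator(str(ind.get("value")))
    if ip is None:
        return f"skipped: {why}"
    if fw.is_blocked(str(ip)):
        return f"skipped: {ip} already blocked"
    reason = f"{alert.get('source')} alert on {alert.get('host')}"
    rule_id = fw.block(str(ip), reason=reason, ttl_hours=ttl_hours)
    # A TTL keeps a bad indicator from living in the rule base forever.
    return f"blocked: {ip} via {rule_id} (expires in {ttl_hours}h)"


def run(alerts, fw=None):
    """Process a batch of alerts; returns the decisions and the firewall state."""
    fw = fw or FirewallClient()
    return [process_alert(a, fw) for a in alerts], fw


if __name__ == "__main__":
    decisions, fw = run(SAMPLE_ALERTS)
    for d in decisions:
        print(d)
```

Of the seven constructed alerts only the first produces a block; the rest are refused for severity, indicator type, a malformed value, a duplicate, an internal address, or the allowlist. That refusal path, with its logged reason, is the part worth building first: it is what lets the firewall team not have to do anything while still being able to audit what the automation did on their behalf.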