While high-level discussions about data security strategies and technologies to protect patient data are important at every healthcare delivery organization, it’s also worth keeping in mind how security measures affect the clinicians and physicians who work in the trenches every day to provide patient care.
Healthcare professionals at hospitals, health systems and medical practices use electronic health records (EHRs) and other health IT applications every day to access patient data and provide care, often navigating security measures and log-ons for multiple applications. For those working on the frontlines, a critical issue is how data security measures, such as frequent log-ons and password authentication, impact workflow.
According to Scott Raymond, R.N., who serves as executive director of strategic innovation and information technology at the Fountain Valley, Calif.-based MemorialCare Health System, hospitals have to strike a tenuous balance between using technology to secure health data and not impeding clinicians’ workflow. “Generally, when you put security in place, it’s putting in fences and doors that you have to go through, or hurdles to go over, and that is typically going to slow down workflow. From a healthcare IT perspective, we are responsible for that data and securing that data, but we’re trying to balance our environment—we want to secure our data, but also enable clinicians to use the systems easily, so the patient gets the best care and most efficient care and we can get the patient into the system and out as quickly as possible.”
These issues came up during a press event I attended that focused on cybersecurity and healthcare. Executive leaders at healthcare delivery organizations and digital health companies discussed the cyber threats facing the healthcare industry and drilled down into the everyday issues around data security and workflow that impact clinicians on the frontlines of patient care. The round-table discussion took place in San Francisco and was sponsored by Merck Global Health Innovation, Merck’s venture capital group; Aventura, a situational awareness technology vendor; and ClearData, a cloud computing vendor.
The healthcare IT leaders present at the event, including Raymond with MemorialCare and Ed Stiner, director of information technology at Republic County Hospital, Belleville, Kansas, provided in-the-trenches insights about hospital data security from the perspectives of both large and small healthcare organizations. MemorialCare Health System is an integrated delivery system with six hospitals based in Orange County and Los Angeles, while Republic is a 25-bed critical access hospital in north Kansas.
According to Chris Bowen, founder and chief privacy and security officer at ClearData, security risk assessments performed at healthcare organizations have exposed many common weaknesses, such as doctors writing down passwords and posting them next to computer stations. And, John Gobron, CEO of Aventura, noted that if security measures impede doctors and nurses getting to patient data quickly, they will simply find workarounds to the security or write down or share passwords.
“With a lot of applications at the point of care, it’s really about speed. You have patients on the ward and you’ve got 50 to 60 log-ons throughout the day, and you do this times three or four different applications, you’re going to go crazy or you’re not going to use the system,” Gobron said.
This ties into a study I wrote about last month that found medical workers, nurses and physicians frequently work around cybersecurity controls in healthcare settings. The study’s researchers found that “workarounds to cybersecurity are the norm, rather than the exception,” and the fact that such workarounds go unnoticed or, in some cases, are even tolerated, “allows healthcare organizations to continue to deploy security that doesn’t work.”
At Republic County Hospital, hospital staff were frequently frustrated with the time-consuming process of getting in and out of health IT systems, Stiner said. The hospital, like many organizations, runs several different applications, each requiring users to enter a separate log-on and password. Physicians and nurses would often forget their credentials, so administrators would have to perform a reset. And, because nurses and physicians move around the hospital, they frequently had to log on and off computers. That became time-consuming, and the burden led to many physicians no longer using the system, Stiner said. The hospital implemented a single sign-on platform from Aventura, and staff have since reported improved workflows and hours saved throughout the day, Stiner said.
Raymond agreed that workflow issues related to health IT, and the security around it, are everyday issues at hospitals. “It’s a struggle to get doctors to keep using the system. You have to give them some sort of benefit, an open road, to using it, but not so open that anybody can get to the data, so that’s where that balance comes in.”
Many healthcare organizations are moving to two-factor authentication, that is, a user name and password combined with a token or badge tap-in. “You can set that balance by how often you want users to re-authenticate. My feeling is that once I’ve authenticated you and you are on your shift and working in your unit, then I’m going to let you go about your business and be as efficient as possible. If you go out on break or go out for lunch, then I’m going to require you, based on the timeframe, to re-authenticate,” Raymond said.