While high-level discussions about data security strategies and technologies to protect patient data are important at every healthcare delivery organization, it’s important to keep in mind how security measures are impacting the clinicians and physicians who work in the trenches every day to provide patient care.
Healthcare professionals at hospitals, health systems and medical practices are using electronic health records (EHRs) and other health IT applications every day to access patient data in order to provide patient care and are often navigating security measures and log-ons for multiple applications. For those working on the frontlines, a critical issue is how data security measures, such as frequent log-ons and password authentication, impact workflow.
According to Scott Raymond, R.N., who serves as executive director of strategic innovation and information technology at the Fountain Valley, Calif.-based MemorialCare Health System, hospitals have to strike a tenuous balance between using technology to secure health data and not impeding clinicians’ workflow. “Generally, when you put security in place, it’s putting in fences and doors that you have to go through, or hurdles to go over, and that is typically going to slow down workflow. From a healthcare IT perspective, we are responsible for that data and securing that data, but we’re trying to balance our environment—we want to secure our data, but also enable clinicians to use the systems easily, so the patient gets the best care and most efficient care and we can get the patient into the system and out as quickly as possible.”
These issues came up during a press event I attended that was focused on cybersecurity and healthcare. During the discussion, executive leaders at healthcare delivery organizations and digital health companies discussed the cyber threats facing the healthcare industry, and drilled down into the everyday issues around data security and workflow that impact clinicians on the frontlines of patient care. The round-table discussion took place in San Francisco and was sponsored by Merck Global Health Innovation, Merck’s venture capital group; Aventura, a situational awareness technology vendor; and ClearData, a cloud computing vendor.
The healthcare IT leaders present at the event, including Raymond with MemorialCare and Ed Stiner, director of information technology at Republic County Hospital, Belleville, Kansas, provided in-the-trenches insights about hospital data security from the perspectives of both large and small healthcare organizations. MemorialCare Health System is an integrated delivery system with six hospitals based in Orange County and Los Angeles, while Republic is a 25-bed critical access hospital in north Kansas.
According to Chris Bowen, founder and chief privacy and security officer at ClearData, security risk assessments performed at healthcare organizations have exposed many common weaknesses, such as doctors writing down passwords and posting them next to computer stations. And, John Gobron, CEO of Aventura, noted that if security measures impede doctors and nurses getting to patient data quickly, they will simply find workarounds to the security or write down or share passwords.
“With a lot of applications at the point of care, it’s really about speed. You have patients on the ward and you’ve got 50 to 60 log-ons throughout the day, and you do this times three or four different applications, you’re going to go crazy or you’re not going to use the system,” Gobron said.
This ties into a study I wrote about last month that found medical workers, nurses and physicians frequently work around cybersecurity controls in healthcare settings. The study’s researchers found that “workarounds to cybersecurity are the norm, rather than the exception,” and the fact that such workarounds go unnoticed or, in some cases, are even tolerated, “allows healthcare organizations to continue to deploy security that doesn’t work.”
At Republic County Hospital, hospital staff were frequently frustrated with the time-consuming process of getting in and out of health IT systems, Stiner said. The hospital, like many organizations, runs several different applications with each requiring users to enter a separate log-on and password. Physicians and nurses would often forget their credentials so administrators would have to perform a reset. And, because nurses and physicians move around the hospital, they frequently had to log on and off computers, which became time-consuming and the burden led to many physicians no longer using the system, Stiner said. The hospital implemented a single sign-on platform from Aventura and staff have since reported improved workflows and hours saved throughout the day, Stiner said.
Raymond agreed that workflow issues related to health IT, and the security around it, are everyday issues at hospitals. “It’s a struggle to get doctors to keep using the system. You have to give them some sort of benefit, an open road, to using it, but not so open that anybody can get to the data, so that’s where that balance comes in.”
Many healthcare organizations are moving to two-factor authentication, that is, a user name and password combined with a token or badge tap-in. “You can set that balance by how often you want users to re-authenticate. My feeling is that once I’ve authenticated you and you are on your shift and working in your unit, then I’m going to let you go about your business and be as efficient as possible. If you go out on break or go out for lunch, then I’m going to require you, based on the timeframe, to re-authenticate,” Raymond said.
While there have been innovations with regard to data security moving beyond just passwords and two-factor authentication, the challenge, according to those involved in the discussions, is that the healthcare industry, by nature, moves slowly.
“There’s excitement around Bluetooth low energy beacons, but there’s a balance in terms of how fast the industry can go,” Gobron said. “The technology exists in other places, that’s nothing new, but it’s just a question of getting healthcare to go at a faster speed, and there’s a lot at stake. You can’t put unproven technology in front of a group of nurses. You can’t take the newest Silicon Valley-based technology and stick it into a hospital and then wonder what’s going to happen.”
“Healthcare moves a little slower because you have only one shot at adoption,” Raymond added. When MemorialCare implemented its EHR system, Raymond led an enterprise-wide physician integration and physician informatics effort to help with physician adoption. “I would hear things like, ‘I’m not a work clerk. I didn’t go into medicine to type things out.’ To get doctors to use the EMR, you have to create ways that they can get to the information easily and you have to show them the benefit. And if you put a lot of roadblocks in front of them, they’re not going to use it.”
And, with regard to implementing new security tools, he said, “Physicians, especially, if you put a system in front of them that doesn’t work, they’ll try it a few times, and then they’ll say, ‘I’m out.’ To try to get them to come back around on that again is very difficult.”
With the rise in ransomware attacks on healthcare organizations, the discussion also turned to protecting IT systems should a hacker access the systems. Having layered security is critical, so hackers can’t traverse the network in a straight line, and segmenting the data is an effective defensive strategy as well, many health IT leaders said.
“The most important thing is to have good, secure and fast backups,” Raymond said. “Eventually, they are going to get in some way; they’re very sophisticated on sending out phishing emails and eventually someone will click on one. We do a lot of work to educate our users and to send out our own phishing campaigns to reduce that percentage, but it’s going to happen, so it’s all defensive.”
Raymond pointed to the ransomware attack at Hollywood Presbyterian, located in Southern California, as an example. As previously reported by Healthcare Informatics, back in February, Hollywood Presbyterian’s computer systems were knocked offline for more than a week following a ransomware attack.
“They didn’t have fast enough backup, the way I look at it,” Raymond said. “They couldn’t restore their system fast enough, they went five days and still couldn’t get to their data, so they negotiated and paid the ransom and got their data back.” Using flash storage, a hospital hit with a ransomware attack could potentially back up their systems in less than an hour, he said.
Everyone involved in the discussions agreed that physician and staff engagement is critical when implementing security IT solutions. And, within the healthcare environment, a strong, effective security strategy goes hand-in-hand with efficient workflow, the healthcare IT leaders present at the round-table discussion all agreed.
“From a hospital perspective, it’s all about throughput,” Raymond said. “You want to get the patient to the ER, get them diagnosed, get the medicine they need, and then get them discharged or admitted as an inpatient. And, at the same time, for healthcare organizations, reimbursement is going down, so our efficiency has to go up, and the only way efficiency can go up is throughput. If you put things in the way of that, you’re going to have a hard time.”
For healthcare IT leaders implementing security strategies, as well as cybersecurity solutions providers designing security tools, these are critical issues worth considering as the healthcare industry continues to combat evolving cyber threats.