It seems as if very few industries, and even fewer businesses, are confident in their overall ability to adequately respond to and defend against cyberattacks. But some sectors are significantly more ill-prepared than others.
A newly released university study indicates that health care organizations face some of the most critical cybersecurity risks and vulnerabilities today. The study attributes much of this to a disconnect between the information security policies that are written down and what is actually practiced in the clinical setting.
The research was conducted by professors from the University of Southern California, Dartmouth College and the University of Pennsylvania, who found that many health care workers, from doctors and nurses to chief information officers and IT specialists, are often willing to work around a security rule if doing so lets them get their work done faster or more efficiently.
Care trumps security
The findings of this study are particularly concerning given the large number of data breaches and cyberattacks that have recently hit health care organizations. In several incidents over the past year, attackers broke into hospital systems, seized sensitive patient information and effectively held it for ransom. And while external attackers remain a major threat, one of the biggest cybersecurity risks plaguing hospitals comes from inside: the organization's own staff.
Clinical workers are willing to circumvent cybersecurity measures to deliver faster care.
“Cybersecurity efforts in health care settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules,” the report explained.
The health care environment is becoming increasingly digital. But clinical practitioners are generally more focused on their primary responsibility – delivering patient care – than on abiding by the security controls on the computer systems. According to the study’s authors, “all too often, with these tools, clinicians cannot do their job – and the medical mission trumps the security mission.”
A defect in the design of defense
Of course, the answer is not to blame the workers and simply enforce the existing controls more strictly. Health care staff have an obligation to provide their patients with the best possible care and, in many situations, time is of the essence. So it is understandable that employees weigh the immediate needs of their patients ahead of the potential consequences of a cybersecurity workaround. In practice, IT safeguards come to be seen as obstacles to patient safety rather than as part of it.
“Health care workers often view computer security controls as an inconvenience rather than a critical patient safety measure.”
A more effective approach to closing the information security gap in health care is to design security controls that fit the workflow of clinical practitioners. The researchers found that password sharing was a major issue: time constraints, login requirements and accessibility limitations are just some of the factors that make a control inconvenient enough that staff share credentials rather than log in individually.
The gap runs in both directions: the teams responsible for building, securing and maintaining IT systems are not familiar with the day-to-day experience of clinical workers, and the practitioners are not well-versed in why particular safeguards are in place or the role they play in protecting their patients’ information.
Furthermore, the researchers explained that, “Cybersecurity and permission management problems are hidden from management, and fall in the purview of computer scientists, engineers and IT personnel.”
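One reason such problems stay hidden is that nobody looks for them in the data the systems already produce. The password sharing the study describes leaves a trace in authentication logs: one account interactively logged in on two workstations at the same time. The script below is an added example, not code from the study or from any hospital system. The log format (`TIMESTAMP LOGIN|LOGOUT user=... host=...`), the sample lines, and the account and workstation names are all constructed for illustration. It deliberately requires *overlapping* sessions rather than merely several hosts per day, because a clinician legitimately roams between workstations; a logout followed by a login elsewhere is normal, while two open sessions on different machines is not.

```python
"""Flag accounts with concurrent interactive sessions on different workstations.

Added example. The log format, field names, users and hosts are assumptions
made for illustration and do not come from the study discussed above.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# A session is (login time, logout time); logout is None if still open at end of log.
Session = Tuple[datetime, Optional[datetime]]

# Constructed sample log. nurse.ward3 is a shared credential (overlapping sessions
# on two ICU workstations); dr.patel roams between workstations but never overlaps.
SAMPLE_LOG = """\
2024-03-04T07:58:10 LOGIN user=nurse.ward3 host=WS-ICU-01
2024-03-04T08:01:45 LOGIN user=nurse.ward3 host=WS-ICU-04
2024-03-04T08:03:12 LOGIN user=dr.patel host=WS-ER-02
2024-03-04T08:20:00 LOGOUT user=dr.patel host=WS-ER-02
2024-03-04T08:22:30 LOGIN user=dr.patel host=WS-ER-07
2024-03-04T08:40:00 LOGOUT user=nurse.ward3 host=WS-ICU-01
2024-03-04T08:55:00 LOGOUT user=nurse.ward3 host=WS-ICU-04
2024-03-04T09:00:00 LOGIN user=nurse.ward3 host=WS-ICU-09
2024-03-04T09:00:30 LOGIN user=nurse.ward3 host=WS-ICU-02
garbage line that should be ignored
"""


def parse_sessions(log_text: str) -> Dict[str, Dict[str, List[Session]]]:
    """Pair LOGIN/LOGOUT events into sessions, keyed by user and then by host."""
    sessions: Dict[str, Dict[str, List[Session]]] = defaultdict(lambda: defaultdict(list))
    open_logins: Dict[Tuple[str, str], datetime] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("LOGIN", "LOGOUT"):
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        key = (fields["user"], fields["host"])
        if parts[1] == "LOGIN":
            if key in open_logins:
                # Second LOGIN on the same host with no LOGOUT: close the old session here.
                sessions[key[0]][key[1]].append((open_logins[key], ts))
            open_logins[key] = ts
        elif key in open_logins:  # LOGOUT; a LOGOUT with no matching LOGIN is ignored
            sessions[key[0]][key[1]].append((open_logins.pop(key), ts))
    for (user, host), start in open_logins.items():
        sessions[user][host].append((start, None))  # still logged in when the log ends
    return sessions


def find_concurrent_sessions(sessions: Dict[str, Dict[str, List[Session]]]) -> List[dict]:
    """Report every pair of sessions of one account that overlap on different hosts."""
    findings: List[dict] = []
    for user, by_host in sessions.items():
        flat = [(host, s, e) for host, lst in by_host.items() for (s, e) in lst]
        flat.sort(key=lambda x: x[1])  # by login time
        for i in range(len(flat)):
            for j in range(i + 1, len(flat)):
                host_a, start_a, end_a = flat[i]
                host_b, start_b, end_b = flat[j]
                if host_a == host_b:
                    continue  # same workstation: re-login, not sharing
                # Sessions are sorted by start, so they overlap iff b starts before a ends.
                if end_a is None or start_b < end_a:
                    ends = [e for e in (end_a, end_b) if e is not None]
                    findings.append({
                        "user": user,
                        "hosts": (host_a, host_b),
                        "from": start_b,
                        "until": min(ends) if ends else None,  # None: both still open
                    })
    return findings


def detect_shared_credentials(log_text: str) -> List[dict]:
    """Convenience wrapper: parse a log and return the overlap findings."""
    return find_concurrent_sessions(parse_sessions(log_text))


if __name__ == "__main__":
    for f in detect_shared_credentials(SAMPLE_LOG):
        until = f["until"].isoformat() if f["until"] else "still open"
        print(f"{f['user']}: {f['hosts'][0]} and {f['hosts'][1]} "
              f"from {f['from'].isoformat()} until {until}")
```

Running this over the constructed log flags only `nurse.ward3`, twice: once for the overlapping morning sessions on WS-ICU-01 and WS-ICU-04, and once for the two sessions opened at 09:00 that are still active when the log ends. `dr.patel` is not flagged despite using two workstations, because the sessions never overlap. Such a report is exactly the kind of evidence that makes a hidden workaround visible to management, and the follow-up question it should prompt is the one the study raises: why was logging in individually too slow for that ward in the first place?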
Resolving health care security risks
There is clearly a need for more collaboration among the departments and levels of a health care organization. Clinical practitioners, tech teams and management must work together to develop an information security strategy that works for all parties, including their patients.
To make its IT defenses more effective, an organization should have staff with little or no technical background take part in some form of cybersecurity awareness training. At the National Cybersecurity Institute, we offer a suite of programs and courses for this, including one aimed specifically at health care workers, the (ISC)2 Health Care Information Security and Privacy Practitioner (HCISPP).