Cybersecurity Cranks: If You Can't Beat 'Em, Get 'Em to Join You

— Recruit those recalcitrant doctors to help explain your system's cybersecurity practices

MedicalToday

ORLANDO -- Getting reluctant doctors on board with a healthcare system's cybersecurity practices is simple: pay them to educate their peers on why cybersecurity is important, Joseph Schneider, MD, MBA, said here Wednesday.

"We clinicians tend to undervalue cyber-risk protection," said Schneider, who is a pediatrician at the University of Texas Southwestern Medical Center in Dallas. "Why do we do that? ... One [reason] is that we value patient safety and value efficiency, and we see cybersecurity as a roadblock to those, rather than an integral part of that." Schneider spoke at the Healthcare Information and Management Systems Society (HIMSS) annual meeting.

In general, healthcare is viewed as a relatively insecure industry, said Axel Wirth, a distinguished technical architect with the Symantec Corporation in Boston. "We know that about three-quarters of all hospitals spend less than 6% of their information technology budget on security," while more "security mature" industries spend about 10% to 12%, he said; however, many hospitals have recently been reporting increases in their budgets for this item.


Axel Wirth, Symantec (Photo by Joyce Frieden)

And yet, clinicians engage in practices all the time that are potentially harmful to health system security, said Schneider:

  • Using weak passwords -- examples of actual passwords used by medical staff members include "123456," "password," and "iloveyou."
  • Writing passwords down, particularly as they become harder to memorize.
  • Sharing passwords, especially when a colleague is locked out of the computer system. A study found that more than 50% of nurses, 77% of medical students, 83% of first-year residents, and 100% of upper-level residents had used a colleague's password to gain access to electronic health records. "Notice anything?" said Schneider. "As you go further in your training, you pay less and less attention to cybersecurity."
  • Clicking quickly through required cybersecurity training.
  • Texting and emailing protected health information in a non-secure way. Typically, people say that their institution's secure email systems "are really hard to use" and if they work at several different institutions, they have different secure email systems to deal with, Schneider said.

In addition, physicians don't hear about cybersecurity during medical school, he added. "And our organizations generally don't connect cyber-risk with patient safety and efficiency ... Like adolescents, we undervalue risks if they're not apparent."

Schneider noted that the FDA recently declared cybersecurity a public health issue. "So do you increase cybersecurity awareness and education? And what would a [more secure] world look like?"

He gave a few examples. "Imagine where, in my [cybersecurity] education, every day I was getting little snippets that were relevant to me about cybersecurity, and you did away with my annual competence [assessments]," Schneider said. "And oh by the way, why don't you reward me if I give you some really good tips that could prevent the next WannaCry [ransomware attack]?"

And "What if we lived in an organization that considered cybersecurity misbehavior as the equivalent of providing bad patient care, and it was not an administrative issue?" he said.


Joseph Schneider, MD, MBA, University of Texas Southwestern Medical Center (Photo by Joyce Frieden)

Schneider told the story of "Dr. Rob," an interventional cardiologist who often complained to Schneider about Baylor's cybersecurity practices when Schneider was working as the institution's chief medical informatics officer. "They were locking down USB drives ... and running antivirus updates at 10 a.m., during clinical time," Schneider said. "Just about every week, another missile was coming down at me from clinicians [including Dr. Rob] and I said to him, 'How would you like to be our medical director of cybersecurity?'"

Schneider and Baylor's "very enlightened chief informatics officer" formed a "Clinical Data Access Team" that handled privacy and security decisions; they included Dr. Rob on the team. "And Dr. Rob took shared responsibility for those decisions -- if he was part of those decisions, he stood up to the medical staff, who very much respected him, and said, 'This is something, boys and girls, that we really have to do.' He was the front person that protected the IT [information technology] and biomedical folks," he said.

"We were able to compensate him, probably 40% of his earnings; he felt that was adequate ... It dramatically improved the quality of security decisions and the relationship of IT security with other clinicians. The missiles stopped raining down upon me."

Doctors also make good public spokespeople when security attacks happen, Schneider suggested. Although he wasn't able to do it at Baylor, "Imagine if you have a physician and/or nurse who really is able to stand out in front when some of these issues strike, so that when your hospital or healthcare system is shut down [due to a cyberattack], they're explaining what's going on and protecting the IT and biomedical folks from damage that can occur, or from the distractions that would keep them from trying to fix these things," Schneider said.

In fact, he added, "I would go one step further: imagine if you had patients represented in the cybersecurity decision-making process."

Physicians and other clinicians should be part of any "root cause analysis" of cybersecurity failures, Schneider said. "Where there are incidents, let them help you manage them. Certainly when you're under attack, you want to hit the button that says, 'Shut down all systems now,' but you desperately need that clinician who could tell you, 'Do not shut off the operating room.' ... That will make you perhaps a little less secure, but will also keep patients safe in the process."

Schneider suggested having IT round with the doctors to see patients. "Imagine a world where IT or the biomedical staff actually rounded with you and saw some of the things you were faced with ... and also saw vulnerabilities you create as you do those workarounds."

Schneider also urged any chief medical informatics officers in the room to "work to get funding for these sorts of positions, encouraging organizations -- both informatics and professional organizations -- to step up to the plate and say, 'This is part of patient safety and good patient care ... and if you do find [the Dr. Robs], make sure you celebrate their efforts."