Security is top of mind for the CIO. But security involves the entire organization and demands that everyone take security as seriously as hand washing: a priority that has become second nature. Often, we find that hospital system CIOs and CISOs have been more focused on budget battles with the board, as security and core infrastructure have historically been under-funded. Changing behavior and instilling a healthy security mindset as core to hospital operations and corporate culture has not been a top priority.
Frankly, organizations should be placing security above all else. Security is not just about avoiding data breaches. It is not just about changing passwords or updating patches. Security is not just about technology. This is likely the steepest education curve organizations must overcome…understanding that security is about patient safety and social responsibility. Yes, the financial ramifications of a data breach are high, but when you factor in the loss of personal health information and having a community lose faith in the organization, the costs are exponentially higher.
At Constellation we come at this from two distinct vantage points: that of an experienced CIO in the healthcare industry and that of a consumer (who moonlights as a marketing and brand security analyst). Let’s start with an example…one that potentially put patient privacy at risk and highlights how easy it can be to lose both security posture and brand trust in an instant.
A patient visited a new health network. In providing the network with her email, something went wrong. Maybe the patient provided the wrong information…or the intake administrator accidentally mistyped one letter…either way, the wrong email was attached to the patient’s record. This was 100-percent human error. Upon receiving email reminders for upcoming visits, recaps of past visits, recommendations for lifestyle modification and notifications for pharmacy pickups, the email’s actual owner looked for a way to notify the health network that emails were being sent in error.
After multiple digital communication attempts, the email owner picked up the phone to speak with someone at the hospital. After she had bounced from member services to finance to customer support, an agent informed the email owner that there was nothing that could be done...the team could only help with web site usability problems and couldn’t address contact details. The agent explained that while he wasn’t allowed to make changes to patient data, since there wasn’t a registered account, maybe the email owner should go ahead and register for an account and then change contact permissions…”Maybe that way you can stop the emails altogether?”
For the record, Liz Miller (co-author of this post) was the email’s owner…and she did NOT follow this suggestion. But the service agent did little to resolve the issue and showed little regard for the greater security issue at hand. As of today, emails from doctors, secure messages from the pharmacy and follow-up care details for three procedures, including information about a post-op stay and well wishes from the nursing team, are still being sent. Links to opt out of communications have proven no match for the system’s insistence on delivering patient communications to a total stranger.
Had security been instilled as a mindset and part of the culture across every touchpoint with the patient, this suggestion…that a total stranger attempt to create an account and potentially access a trove of even more personal information and detail…would never have happened. In fact, the reaction would likely be what we had expected: shock, horror and an immediate suspension of emails to a stranger. It is abundantly clear that not only is security not part of the culture, it is also not part of training or education.
Security risk exposure is at an all-time high. A single person’s personal health information is worth at least 25x more than a credit card’s information on the black market, turning healthcare organizations into a prime target for attack. Hospitals are often considered a ripe target for hacks as they are seen as large, bloated systems, open 24/7 and teeming with sensitive data, especially financial data. Headline-grabbing horror stories about medical device vulnerabilities and “what-if” scenarios of everything from hacked heart valves to MRI machines have put security on the radar of every CEO and Board. Yet discussions around simple human error inviting bad actors and attacks typically do not make the agenda when discussing what must be done to secure patients and personnel.
While everything must be done to boost and augment the technology in place to proactively protect and effectively maintain a robust security posture, comprehensive education and security training must also take place for every team member…from doctors to the front desk. Everyone should know what part they play in protecting the patient and the brand reputation of the hospital itself.
Security won’t be resolved by technology alone. It will take partnerships across the C-Suite and participation from every member of the team. It will take a very low-tech path of education, cooperation and a foundational belief that a patient’s health and well-being extend to their data.