After spending years analyzing data security and compliance for healthcare providers, we have noticed that it is invariably the administrators we work with who are all but unaware of why so many of their staff circumvent the very policies meant to protect them, their patients, and the entire hospital network. These actions further weaken defenses against cyber threats and increase the likelihood of a compromise of protected data.
The need to protect and secure healthcare data has become one of the top priorities among hospital leaders, as regulatory compliance seeks to enforce a plethora of overlapping and sometimes confusing security frameworks that encourage tight restrictions on data and systems. Administrators are in crisis as burned-out and often frustrated hospital staff describe the painstaking procedures that make them inefficient at daily tasks, much of which is due to overly restrictive data security policies.
We observe staff who are regularly forced to change passwords and are unable to access much-needed web applications resort to keeping passwords in a Word document on the desktop and turning to their own private devices to access resources online. Many hospitals, especially in rural areas, do not have access to CIOs or CISOs who regularly evaluate the security posture of the environment, and so many hospitals are limping along with outdated, inefficient, and ineffective means of securing critical data while enabling staff to perform.
One recent conversation comes to mind, in which we discussed with a hospital client how to improve their security posture without bringing their operations to a grinding halt, as had happened in the past. We uncovered that their cyber security policies, put in place by past vendors and internal IT staff, did not reflect the actual threat to their data at the user level. Their policies did not strike a balance between satisfying data security requirements and end-user operational productivity.
According to HHS statistics, approximately 30% of data breaches in 2019 were classed as unauthorized access/disclosure incidents and involved 11% of all records breached.
Data security involves examining controls to thwart external threats as well as integrated policies for how internal employees handle sensitive data. A well-defined process should educate and train end users on how to handle, store, and transmit protected data in a way that does not put the hospital at greater risk of a breach. Chances are, if you are picking up on the frustrations of hospital staff regarding access to tools and data, you may already be facing the risk of employees circumventing current policies.
Many hospitals struggle to maintain enough visibility across departments to ensure protected data is handled according to prescribed policies. Hospital employees may devise their own unsecured workarounds when there is a breakdown in their ability to perform certain tasks. In July of 2019, employees at Tibor Rubin VA Medical Center were unable to transfer sensitive data from medical devices to the EHR, so they created their own workaround and improperly stored and transmitted data through unsecured personal computers, the cloud, email, and unencrypted flash drives.
Researchers from one study found that healthcare workers frequently bypass cyber security controls when clinical workflows and IT systems are not designed to support their ability to complete tasks. They uncovered incidents such as clinicians offering their logged-in session to the next clinician as a “professional courtesy” during security training, and one physician who complained that a clinic’s dictation system had a five-minute timeout, requiring the physician to re-authenticate with a password (which takes one minute). During a 14-hour day, he estimated that he spent 1.5 hours logging in.
There is no “one-size-fits-all” or “silver bullet” approach to protecting the data and systems of a complex healthcare environment. However, with the right solutions applied with the right approach, many hospitals can achieve the necessary balance of security and productivity. Leverage the experience of healthcare cyber security professionals who can correctly balance operational needs, better secure healthcare data, manage cyber risk, meet compliance standards, and better protect your reputation.