On April 12th, I’m attending the Healthcare Information Management Systems Society (HIMSS) annual conference. This year’s theme is Staying Ahead of the Curve. This got me thinking: In what area of healthcare IT would it be most important to stay ahead of the curve? I can’t think of a better candidate than system security.
Here are some quick numbers:
To summarize: Healthcare IT security is an issue. Providers are feeling the pain and organizations everywhere are dedicating resources to the challenge.
Are End Users at Fault?
According to the 2013-2014 Security Deployment Trends Survey, 80% of corporate security professionals and IT administrators indicated “end user carelessness” as the biggest security threat to their organizations. This, I suspect, has to do with an approach to security that puts a lot of the onus on the end user to meet security objectives.
It’s important to understand that “end-user carelessness” is less about people being malicious than about them focusing on their jobs. A physician, for example, may have trouble printing out a form so she goes online, downloads a driver, and inadvertently introduces some malware onto the network. Or, a busy nurse on his rounds ignores an urgent alert to perform a security update and something goes wrong as a result. Both of these examples should be entirely predictable given the fact that in each case, busy people are simply trying to get their work done.
Prevention is the Key for Securing the Agile Workforce
So how do you best tackle this challenge? I say we start with an approach that heeds the wisdom of one of the most tried and true axioms in the healthcare field: an ounce of prevention is worth a pound of cure.
When it comes to prevention, automation can be IT’s best friend. This is especially true for healthcare providers attempting to manage an increasingly agile workforce where people are constantly switching in and out of clinical settings. Physicians work at multiple hospitals. New per-diem nurses help to cover open shifts, and students at teaching hospitals show up at the beginning of the semester – only to leave again in a few short months.
In environments like these, automation can help ensure that clinicians are provided the right level of application and information access immediately, thus avoiding the risk of someone circumventing policies and creating new security vulnerabilities. For example, you could automate provisioning and allow access to applications and data based on profiles and permissions defined up front according to the role of the user. You could also use technology to detect the context of each user situation. This would enable you to automate access to sensitive data when, say, a visiting doctor is on the relevant ward, but then shut it down again when that doctor is at lunch or visiting another facility.
These are just a couple of examples to illustrate a different approach to IT that can help tremendously on the security front.
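The role-profile and context checks described above can be sketched as a deny-by-default decision function. This is an added example, not code from the post or from any product; the role names, application names, wards and dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed role profiles, defined up front: role -> applications granted.
ROLE_PROFILES = {
    "physician": {"ehr", "order_entry", "scheduling"},
    "per_diem_nurse": {"ehr", "med_admin", "scheduling"},
    "student": {"ehr_readonly"},
}
# Applications exposing sensitive data: usable only on an assigned ward.
CONTEXT_GATED = {"ehr", "ehr_readonly", "order_entry", "med_admin"}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    wards: frozenset   # wards where this user treats patients
    start: date        # first day of the engagement
    end: date          # last shift, or end of semester for a student

@dataclass(frozen=True)
class Context:
    location: str      # assumed to come from a badge reader or workstation
    today: date

def decide(a: Assignment, app: str, ctx: Context) -> tuple[bool, str]:
    """Return (allowed, reason). Every path that is not an explicit allow denies."""
    if not (a.start <= ctx.today <= a.end):
        return False, "assignment expired or not yet active"
    if app not in ROLE_PROFILES.get(a.role, set()):
        return False, "application not in role profile"
    if app in CONTEXT_GATED and ctx.location not in a.wards:
        return False, "user not on an assigned ward"
    return True, "role profile and context satisfied"

if __name__ == "__main__":
    # Constructed sample: a visiting doctor assigned to cardiology for April.
    doc = Assignment("dr_visiting", "physician", frozenset({"cardiology"}),
                     date(2015, 4, 1), date(2015, 4, 30))
    for place in ("cardiology", "cafeteria", "other_facility"):
        print(place, decide(doc, "ehr", Context(place, date(2015, 4, 12))))
    # The same account after the engagement ends is denied without manual cleanup.
    print(decide(doc, "ehr", Context("cardiology", date(2015, 5, 2))))
```

Because the decision is recomputed on each request, access closes when the location or date changes instead of waiting for someone to revoke it by hand.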
Stay tuned for more blogs on healthcare. I plan to dive into some examples – such as what can go wrong security-wise when it comes to mergers and acquisitions and specific challenges faced by teaching hospitals. In the meantime, let me hear from you.
Do you feel the security at your organization is up to par with the needs of your organization and the speed of your employees?