September 12, 2019
This year we have already witnessed twice as many breached patient records as 2018's full-year total of 15 million, with 285 incidents reported through June. In just the first week of September, five providers reported patient data breaches caused by successful phishing attacks that affected at least 20,000 patients, according to the industry news site HealthITSecurity. Though many hospitals have improved their technical security controls and trained their workers, damaging data breaches are increasing rapidly across most organizations, often because of employee negligence. It is apparent that hospitals must do much more to build a strong top-to-bottom cybersecurity culture that will deflect or neutralize criminal attacks.
In Part 1 of this series, we examined and outlined overall conceptual strategies for designing an efficient enterprise-wide cybersecurity program that will multi-task: protect patients from data compromise, empower employees, comply with HIPAA and other regulations, and help the executive leadership team sleep better at night. We considered essential criteria such as sustainability, scalability, and aligning cybersecurity awareness with the bigger vision: your organization’s strategic goals, employees’ self-interest, and patients’ privacy.
Here in Part 2, we'll take a deeper tactical dive into practical solutions for achieving a sustainable security culture. Part 3, coming soon, will offer a panoply of culture-change action items gathered from across the industry.
Chances are good that data security is not in the forefront of your workers’ minds when they arrive for work, whether it’s cybersecurity or physical security. This is not an indictment; in fact, your staff’s work responsibilities should be top-of-mind. In a successful security culture that emphasizes cyber protections, the organization can have it both ways: patient care and other work responsibilities continue to be the number one priority, and at the same time, safe practices will have become so internalized that they integrate seamlessly with people’s everyday work activities. Staff must understand that a cybersecurity culture must be lived every day, forever.
The power and influence that culture has within any organization is indisputable. Culture determines what’s expected and what’s unacceptable in terms of how you and your employees interact with each other, conduct business, and treat patients. An organization’s culture is an overall spirit or personality that is an enduring outcome of the interactions among its people and their environment. It spells out the nature of the organization and includes elements such as mission, values, ethics, goals, expectations, atmosphere, interactions, dependencies, politics and rules.
Top-down advocacy and example-setting, starting with the CEO and every other executive, physicians included, is essential to any culture change. Culture is set at the top, regardless of how individual managers run themselves and their teams. Employees look to their leadership to recognize and affirm the cultural character of their organization. If executives and physicians don't set an example or visibly participate in the hospital's security culture change project, it will fail. Being an executive, physician or manager is not a reason to excuse oneself from actively investing time in cultural growth; just the opposite is true. If these leaders don't act as if they need a security program, employees won't commit to it either.
When an end-to-end security approach is implemented and then publicly and repeatedly championed by both the board and executive leadership, "It rolls downhill very well and people across the hospital are willing to listen," says Garden City Hospital's Christopher Allman. Rich Miller, retired President and CEO of Marlton, N.J.-based Virtua, has noted that the CEO "can't be afraid to go out and discuss the issue with employees and physicians.... Nothing says you're serious like a significant and touted reallocation of budget." "The way you allocate resources is an indication of what your belief system is," says Ronald A. Paulus, MD, the physician-CEO at Mission Health.
Just as physicians and hospital leaders have learned to be sensitive to the spread of germs, they can drive home the fact that healthcare environments are now cyber hot zones that must be kept “uncontaminated.” Sponsoring and participating in training or proving ground challenges throughout the program are key ways for executives to show commitment and support.
Deliberate disruption is necessary to move your staff to a state of cybersecurity "auto-awareness." Cultural change cannot be achieved with an annual training session and the occasional lunchroom poster. Big, grandstanding but short-term awareness campaigns, even once-a-year events, may make a splash, but the effects will be short-lived. Within weeks, your employees will be glad the latest disruption is over so that they can get back to business as usual.
A sustainable security program must be both deliberately disruptive and founded on a set of complementary ongoing actions that will foster long-term culture change. Key program components are:
Demonstrate the value of a cybersecurity culture for everyone — employees themselves, patients, and the organization. Your program should repeatedly present and substantiate organizational change as personally rewarding to your workers — that they will get something in return. The lowest hanging fruit is their own security; no one wants a criminal rummaging around a personal device like a smartphone and finding a bounty of credit card information to be sold to the highest bidder. Requiring and enforcing accountability is another attention-keeper; if job performance measurements reward security diligence and penalize negligence, employees will stay tuned in.
If staff members identify with the organization, they will also be motivated by the return the hospital gets on their investment of time and resources, once they understand the serious risks it faces. If they also empathize with patients, then patients' privacy, peace of mind and satisfaction with their care experience will be strong motivators. Lack of information security is also a patient safety issue that matters to caregivers: if ransomware shuts down hospital systems and physicians cannot view EHR data or schedules, or medical devices such as infusion pumps cannot be operated correctly, practitioners will be worried and frustrated, and patient safety will be at great risk.
Does such a cultural change initiative seem overwhelming or even over the top? It is understandable that the cybersecurity culture change process we've outlined so far seems highly aggressive and potentially unwieldy to manage. Let's remember that we are used to gradual cultural changes. For example, on a national level, the shift in public attitudes towards smoking started in 1964, when 40 percent of American adults were smokers. Since then, a plethora of national initiatives, including successive Surgeon General reports, new federal, state and local laws, advertising campaigns, the banning of cigarette ads, news of health risks and much more, has reduced the share of adult smokers to 14 percent. It took over 50 years to change a dangerous but widely accepted cultural norm.
Unfortunately, cybersecurity dangers have grown as quickly as computer and internet use, with healthcare taking a greater hit than any other major sector. No healthcare provider can let this problem linger or expand without risking the well-being of our population and the viability of our institutions. We have to play catch-up.
Stay tuned to Part 3 of this series when we dig even deeper into recommendations and innovative ideas for specific actions to include in your hospital’s culture change plan that will charge up your workforce, keep them engaged, and help them integrate best cybersecurity practices into their everyday lives.