Healthcare is full of tensions. For security professionals at innovative health systems, one tension that can be hard to navigate is the pull between innovation and caution, a topic several experts discussed last month at the Healthcare Security Forum in Boston.
“The job of the CISO is to say no, to look at risk,” John Halamka, president of the Mayo Clinic Platform, said at the event. “I had a CISO once tell me ‘The most secure library never checks out any books.’ Well that’s true, but that would be a somewhat useless library.”
That perception of the security team, as the gatekeeper of progress, needs to be actively overcome, said Karl West, CISO and AVP at Intermountain Healthcare.
“You as CISOs, you set a tone,” he said. “I was invited to speak to a group of CEOs of large healthcare groups in America earlier this year. [One thing they told me was] the 'Dr. No' issue is associated with who we are as part of our identity. We have to change that. If you’ve listened to us talk about consumerism, go away with this message: You can change that on your teams. Hold people accountable. [For] my employees’ goals every year, one is to be an enabler, to make this frictionless.”
Sunita Patolia, team lead for human-centered design at Partners Healthcare Pivot Labs, agreed.
“Language is so important,” she said. “Establishing the right kind of language in your organization, from the CEO to the front line. It has to stay the same: the message, the language — and I think that gives people safety to experiment with different things because you all know you’re working toward the same goal.”
One goal shared by many innovative hospitals across the country is bringing more care out of the hospital and into the home — a prospect that excites clinicians but is likely to worry security professionals, who have to concern themselves not only with data security, but also privacy, and not just with legal responsibilities but also ethical ones.
“Although consumers want to take part in healthcare, we also have to educate them,” Anahi Santiago, CISO at ChristianaCare, said. “They want to bring in apps. They want to download the medical record to an app of their choosing, but we have a social and ethical responsibility to make sure that we’re educating them and ensuring them that the app they want to bring is protecting their information. Although once that information leaves our ecosystem and ends up in their devices it’s technically, legally, not our issue, we still have an ethical responsibility to make sure we’re educating them and that they understand that there are risks.”
Not only do CISOs need to be thinking about patient education, they need to make sure physicians are educated about security issues, at least enough to know how to spot potential issues and where to direct inquiries from patients.
“What’s happening now is that a Medtronic vulnerability for the insulin pumps is showing up on the news and patients are coming to our physicians to say ‘Hey, I have this device that I bought at home. I saw in this news article that there’s a vulnerability. What should I do?’” Santiago said. “And the physicians are not educated enough to respond, but they need to be. So as CISOs, we need to become educators to our clinicians and our patients and to our stakeholders to make sure that they understand some level of cybersecurity so we can bridge the gap of this new ecosystem of healthcare. So from the hospital to the home, cybersecurity is now a conversant topic across the ecosystem.”
On the systemic side, there is some work underway to build cybersecurity into the medical education curriculum for residents, Santiago said. But given the speed at which the industry moves, that won’t be a substitute for ongoing education and conversations.
“We are going to have to change,” West said. “It will make us uncomfortable. So we are going to have to figure out how to do what has to be done.”
“I think we all agree that security is completely foundational,” added Halamka. “So as we now do more partnerships and we think of more platforms, security has to be at the very base of everything that you do. Understand what data you’re exchanging, for what purpose, data governance, and even ethical uses of data.”