In this week’s healthcare social media chat (#HITSM), part of the discussion focused on information security in healthcare.
As usual there were a lot of opinions expressed. Bernadette Keefe was in fine form, asking some penetrating questions that led the discussion.
Bernadette Keefe @nxtstop1 Jul 24: Not expert Encryption deters MT @john_Lifecycle: Any IT Security experts want to weigh on solution? More segmentation? More encryption? #hitsm”
As the CTO and CIO of a rapidly growing company that services most of the luminary hospitals in this country, part of my role is to spend significant time thinking about how security controls can be applied to safeguard patient data. It’s a highly complex task that involves a wide range of skills and I’m fortunate to have a team of well developed IT engineers to assist me with it.
As I chewed on Bernadette’s question it became clear to me that while the standard set of controls such as encryption are important, it’s far more important to think in terms of human factors and how these apply to security. In short,
The most important element of security is teaching your staff to be secure in the environment that they live in.
Put another way, there’s no point in having security controls if your staff live in a culture where it’s OK to override them.
There are many ways to circumvent systems. The classic in healthcare is the medical professional who shares, writes down, or reuses their passwords. Often they are deliberately attempting to circumvent the security of the system because they find it too difficult to use. In response we increase the complexity of passwords, thereby guaranteeing our staff will write them down to remember them!
The IT department is not immune from these practices either. Consider the person who creates a network share on your domain controller with write access for the world because they need to copy some software over. Did they remember to remove it?
Why do people do these things that they know to be wrong? How do they strike these Faustian bargains?
When I talk about this issue I like to discuss another simple, yet often ignored practice – washing your hands before you enter the exam room.
We all know hand washing reduces the incidence of infection. Yet, even today, after countless years of indoctrination there is less than a 100% compliance rate. Likewise, in security, everybody knows not to write their password down, yet people do it every single day.
I’m not going to talk about why people don’t comply as I’m sure we all have our own opinions. I’m much more interested in how we can influence people’s behavior and help them understand why they need to take their time, think through their actions, and remember that convenience can be the enemy of security.
To me this is a culture problem. If it’s acceptable to circumvent controls and people don’t call out others for their behavior, the problem can never be fixed. On the other hand, if a militant approach is used, people hide their non-compliance to avoid retribution.
The information security officer of today really has their work cut out for them. They need to work with a wide swath of the organization to introduce programs that try to communicate the need for security. They need to train people at every level and broadly communicate why it’s important to do the right thing so others understand the purpose. They need to model behaviors.
Without this, your security program is just a set of controls that will be overridden by a set of very busy people…