This year we have already witnessed twice as many breached patient records as 2018’s total of 15 million, with 285 incidents reported through June. In just the first week of September, five providers reported patient data breaches caused by successful phishing exploits that affected at least 20,000 patients, according to industry watchdog HealthITSecurity. Though many hospitals have improved IT-based security protections and provided training to workers, dangerous data breaches are increasing rapidly across most organizations, often due to employee negligence. It is apparent that hospitals must do much more to inspire a strong top-to-bottom cybersecurity culture that will deflect or neutralize criminal attacks.
In Part 1 of this series, we examined and outlined overall conceptual strategies for designing an efficient enterprise-wide cybersecurity program that will multi-task: protect patients from data compromise, empower employees, comply with HIPAA and other regulations, and help the executive leadership team sleep better at night. We considered essential criteria such as sustainability, scalability, and aligning cybersecurity awareness with the bigger vision: your organization’s strategic goals, employees’ self-interest, and patients’ privacy.
Here in Part 2, we’ll take a deeper tactical dive into practical solutions for achieving a sustainable security culture. Part 3, coming soon, will offer a panoply of culture-change action items gathered from across the industry.
Chances are good that data security is not in the forefront of your workers’ minds when they arrive for work, whether it’s cybersecurity or physical security. This is not an indictment; in fact, your staff’s work responsibilities should be top-of-mind. In a successful security culture that emphasizes cyber protections, the organization can have it both ways: patient care and other work responsibilities continue to be the number one priority, and at the same time, safe practices will have become so internalized that they integrate seamlessly with people’s everyday work activities. Staff must understand that a cybersecurity culture must be lived every day, forever.
The power and influence that culture has within any organization is indisputable. Culture determines what’s expected and what’s unacceptable in terms of how you and your employees interact with each other, conduct business, and treat patients. An organization’s culture is an overall spirit or personality that is an enduring outcome of the interactions among its people and their environment. It spells out the nature of the organization and includes elements such as mission, values, ethics, goals, expectations, atmosphere, interactions, dependencies, politics and rules.
Top-down advocacy and exemplification, starting with the CEO and all other executives, including physicians, is essential to any culture change. Cultures always start at the top, no matter how lower-level managers manage themselves and their teams. Employees look to their leadership to recognize and affirm the cultural nature of their organization. If executives and physicians don’t set an example or visibly participate in the hospital’s security culture change project, it will fail. Being an executive, physician or manager is not a reason to exclude oneself from actively investing time in cultural growth; just the opposite is true. If these leaders don’t act as if they need a security program, employees won’t give a committed effort to it either.
When an end-to-end security approach is implemented and then publicly and repeatedly championed by both the board and executive leadership, “It rolls downhill very well and people across the hospital are willing to listen,” says Garden City Hospital’s Christopher Allman. Rich Miller, retired President and CEO of Marlton, N.J.-based Virtua, has noted that the CEO “can’t be afraid to go out and discuss the issue with employees and physicians…. Nothing says you’re serious like a significant and touted reallocation of budget.” “The way you allocate resources is an indication of what your belief system is,” says Ronald A. Paulus, MD, the physician-CEO at Mission Health.
Just as physicians and hospital leaders have learned to be sensitive to the spread of germs, they can drive home the fact that healthcare environments are now cyber hot zones that must be kept “uncontaminated.” Sponsoring and participating in training or proving ground challenges throughout the program are key ways for executives to show commitment and support.
Deliberate disruption is necessary to catapult your staff to a state of cybersecurity “auto-awareness.” Cultural change cannot be achieved with an annual training session and the occasional lunchroom poster. Big, grandstanding but short-term awareness campaigns, even once-a-year events, may make a splash, but the effects will be short-lived. Within weeks, your employees will be glad the latest disruption is over so that they can get back to business as usual.
A sustainable security program must be both deliberately disruptive and founded on a set of complementary ongoing actions that will foster long-term culture change. Key program components are:
- Assess and evaluate the current security and privacy-related culture and the organization’s technical and physical data protections through a blank slate third-party audit that excludes any upfront assumptions or assertions from IT, your security officer or anyone else who might skew results. Understand the systems and people you’re protecting, and expose any related security or privacy vulnerabilities. This requires an independently drawn picture of your security state, including systems, devices, permissions, network architecture and security practices. It also necessitates an objective assessment of the organization’s cultural strengths and weaknesses, relative to security and privacy. It should be made clear that this effort has been authorized by the CEO as a high priority, and the assessment should be overseen either by an appropriately committed executive or an executive steering committee. To achieve employees’ buy-in to this process, consider clarifying that no one will be blamed for discovered deficiencies (unless deliberately criminal actions are uncovered).
- Determine what cultural outcome will best align with your organization’s security position and strategic objectives. Then design a cultural change plan outlining action steps and accountabilities. Factors such as the plan’s challenges, mission, goals, timeframe, expectations, priorities and budget should be considered. The organization’s discovered vulnerabilities or greatest areas of risk shouldn’t be detailed to employees for security reasons, but they can be translated into priorities. For example, revenue cycle operations, which have access to large amounts of patient information and financial data, may be an especially attractive target for would-be hackers or phishers. Your plan may provide for specialized awareness activities for this workgroup to ensure extra precautions.
- Create a plan to align the organization’s desired security culture, business strategy, and overall structure. The latter should include its formal systems and policies, reporting relationships, performance appraisal program, reward/compensation structures, and training and development capabilities. Plan to protect all your endpoints from phones to laptops to desktops to connected medical devices. Everything must be considered in program planning, an approach that has been found to be critical to the success of most culture change initiatives. For example, if the initial security assessment identified an inadequacy of security or privacy policies, including out-of-date policies, coordinate training components of the culture-change program with new policy announcements and related procedure changes. Similarly, the results of the security assessment will include previously unknown systems or physical vulnerabilities. If the organization plans to correct these issues, make sure that any related process changes are considered in your cultural change plan.
- The most important tactical goals to focus on are getting the staff’s attention and keeping it over a long period of time. Efforts to do so should be new, engaging, challenging, even fun. It bears repeating that bland tutorials — especially generic e-courses — are the opposite, making them expensive time-wasters. Instead, begin outlining the engagement process by meeting with representative focus groups to discuss how their departments and/or similar associates learn best, and with the least interference in their core duties.
It is well known that bringing hospital workers together for learning and demo sessions is not easy; I’ve seen many program managers throw up their hands in frustration. But think about the days of Meaningful Use deadlines. They were exact and unchangeable. All users of the new EHR were required to attend training sessions and, in many cases, meetings to plan needed process changes. If staff didn’t find a way to participate, they would have been left behind, unable to be productive (and perhaps without a job). Staff participated. But the most competent implementation program managers facilitated participation by determining what training and planning session approaches worked best for the various workgroups involved, as well as offering time and methodology options.
- Engage your participants by giving them meaningful involvement in the program, such as offering ideas, solutions, reactions, and personal experiences. Nothing makes a stronger impression than listening to a staffer’s description of the shock, anger, embarrassment, and guilt he felt as a result of a phishing experience — not to mention the impact that it had on his hospital and its patients, and the expensive, arduous reporting and clean-up process that followed.
Demonstrate the value of a cybersecurity culture for everyone — employees themselves, patients, and the organization. Your program should repeatedly present and substantiate organizational change as personally rewarding to your workers — that they will get something in return. The lowest hanging fruit is their own security; no one wants a criminal rummaging around a personal device like a smartphone and finding a bounty of credit card information to be sold to the highest bidder. Requiring and enforcing accountability is another attention-keeper; if job performance measurements reward security diligence and penalize negligence, employees will stay tuned in.
Assuming staff members identify with the organization, they also will be motivated by the return on their investment of time and resources, if they realize the dangerous risks the hospital faces. Presuming the staff also empathizes with patients, the latter’s privacy, peace of mind and satisfaction with their care experience will be strong motivators. Lack of information security is also a patient safety issue that will matter to caregivers; for example, if ransomware shuts down hospital systems and physicians are unable to view EHR data and schedules, or medical devices like infusion pumps can’t be operated correctly, practitioners will be worried and frustrated, with patient safety at great risk.
Does such a cultural change initiative seem overwhelming or even over the top? It is understandable that the cybersecurity culture change process we’ve outlined so far seems highly aggressive and potentially unwieldy to manage. Let’s remember that we are used to gradual cultural changes. For example, on a national level, the shift in public attitudes towards smoking started in 1964, when 40 percent of American adults were smokers. Since then, a plethora of national initiatives, including cascading Surgeon General reports, new federal, state and local laws, advertising campaigns, the banning of cigarette ads, news of health risks and much more, resulted in a decrease of adult smokers to 14 percent. It took over 50 years to change a dangerous but widely accepted cultural norm.
Unfortunately, cybersecurity dangers have crept up as quickly as computer and internet use, with healthcare taking a greater hit than any other major sector. No healthcare provider can let this problem hang around or expand without risking the well-being of our population and the viability of our institutions. We have to play catch-up.
Stay tuned to Part 3 of this series when we dig even deeper into recommendations and innovative ideas for specific actions to include in your hospital’s culture change plan that will charge up your workforce, keep them engaged, and help them integrate best cybersecurity practices into their everyday lives.