Every night at 9 p.m. at Boston’s Beth Israel Deaconess Medical Center (BIDMC), a system-wide malware and virus scan swept through all machines on the hospital’s network.
This was a necessary but process-intensive security procedure.
Everything slowed during the scan. Reviewing medical records, placing lab orders and admitting patients became prohibitively slow. Doctors couldn’t even dictate clinical notes into their transcription application.
Larry Nathanson, Director of Emergency Medical Informatics and a board-certified emergency medicine physician, recounts that a lot of ER physicians said IT should refrain from scanning the ER computers at all, because the impact was too great.
Nathanson worked with the doctors to find a compromise: Malware scans across the rest of the hospital would continue to occur nightly at 9 p.m., but scans for the emergency room would be moved to 4 a.m., so patient care wouldn’t be compromised.
The lesson learned at BIDMC?
“Painful security measures can’t be something you impose on people or they’re going to try to find ways to subvert them,” Nathanson says.
Consider this scenario:
While in a rush one hectic afternoon, a doctor grabs a piece of paper and writes down a new password to access the hospital EHR database. He then passes it to a nurse.
The group revealed a new vulnerability: Doctors were documenting wounds and healing progress using smartphone cameras because it was a quick, convenient way to do so. But photos and video stored on phones can be lost or stolen, and cloud storage through a cell phone provider or app typically isn’t protected by a HIPAA-mandated business associate agreement.
“When they take a picture of an X-ray,” says AT&T’s Terry Hect, Chief Security Strategist for AT&T Healthcare, “and they send it to their radiologist pal in Milwaukee – whose opinion they value – they’re getting around all these controls.”
In other words, a physician, working inside the virtual walls of your secure network, can innocently push private patient data outside that network.
Recognizing their doctors’ needs for photo sharing, BIDMC’s IT department teamed up with clinicians to create a secure phone app called Photo Consult, which uploads photographs into the secure electronic medical record and deletes them from the phone.
Create formal systems and structures that include doctors in the cybersecurity decision-making process.
Collaboration does not happen automatically, especially when security has traditionally been the purview of IT. Security and IT staff may rarely interact with physicians in the context of their actual clinical work, so it often takes a dedicated effort to bring physicians into the process.