Why doctors should be involved in the cybersecurity decision-making process

Many painful security practices exist in the healthcare industry

by Steven Mitchell, Vice President of Global Business, AT&T Healthcare Solutions

Every night at 9 p.m. at Boston’s Beth Israel Deaconess Medical Center (BIDMC), a system wide malware and virus scan swept through all machines on the hospital’s network.

This was a necessary but process-intensive security procedure.

Everything slowed during the scan. Reviewing medical records, placing lab orders and admitting patients became prohibitively slow. Doctors couldn’t even dictate clinical notes into their transcription application.

Larry Nathanson, Director of Emergency Medical Informatics and a board-certified emergency medicine physician, recounts that a lot of ER physicians said IT should refrain from scanning the ER computers at all, because the impact was too great.

Nathanson worked with the doctors to find a compromise: Malware scans across the rest of the hospital would continue to occur nightly at 9 p.m., but scans for the emergency room would be moved to 4 a.m., so patient care wouldn’t be compromised.

The lesson learned at BIDMC?

“Painful security measures can’t be something you impose on people or they’re going to try to find ways to subvert them,” Nathanson says.

Consider this scenario:

While in a rush one hectic afternoon, a doctor grabs a piece of paper and writes down a new password to access the hospital EHR database. He then passes it to a nurse.

  • Threat: The password could be visible to anyone, or left behind – a violation of privacy standards that could lead to a significant fine. The physician could be held legally and financially responsible.
  • Solution: Use two-factor authentication whenever possible to eliminate the possibility of shared passwords and password-hacking or guessing. Implement a comprehensive password policy that includes training about threats and consequences.

The decision-making process

Nathanson is a member of the Information Systems Steering Committee, which includes many physicians. The group gives all stakeholders an opportunity to interact and guide decisions about security and privacy policy.

The group revealed a new vulnerability: Doctors were documenting wounds and healing progress using smartphone cameras because it was a quick, convenient way to do so. But photos and video stored on phones can be lost or stolen, and cloud storage through a cell phone provider or app typically isn’t protected by a HIPAA-mandated business associate agreement.

“When they take a picture of an X-ray,” says AT&T’s Terry Hect, Chief Security Strategist for AT&T Healthcare, “and they send it to their radiologist pal in Milwaukee – whose opinion they value – they’re getting around all these controls.”

In other words, a physician, working inside the virtual walls of your secure network, can innocently push private patient data outside that network.

Recognizing their doctors’ needs for photo sharing, BIDMC’s IT department teamed up with clinicians to create a secure phone app called Photo Consult, which uploads photographs into the secure electronic medical record and deletes them from the phone.

Bottom line

Create formal systems and structures that include doctors in the cybersecurity decision-making process.

Collaboration does not happen automatically, especially when security has been traditionally the purview of IT. Both groups may rarely interact with physicians in the context of their actual work, so it often takes a dedicated effort to facilitate their involvement.