Inside CHIME: Task Force Chair’s Tips for Getting Clinicians to Follow Best Cybersecurity Practices
By Theresa Meadows, CHCIO, Senior VP & CIO, Cook Children’s Health Care System
October is National Cyber Security Awareness Month, a campaign supported by the federal government to raise awareness of the importance of cybersecurity across all sectors and provide Internet users with tools and resources to prevent cyber incidents. As the chair of the Health Care Industry Cybersecurity Task Force, which was mandated under the Cybersecurity Act of 2015, I have had the opportunity to discuss strategies for strengthening the healthcare industry’s cybersecurity position with the industry’s top thought leaders.
I am also the senior vice president and CIO of Cook Children’s Health Care System. My fellow CIOs and senior IT executives know that cybersecurity is a 24/7 endeavor that takes no holidays. While we and our healthcare IT teams may be ever-vigilant, our clinicians and other staff may not. National Cyber Security Awareness Month provides an opportunity for us to help them better understand the threats and ways to mitigate those threats.
But how? Here are some tips.
- Build a culture of cybersecurity among your executive and physician leaders. Educate them about the threats, myths and importance of good cyber hygiene. As influential and knowledgeable leaders, they can champion the cause among their peers and staff and get them to buy into safety processes.
- Know the strengths and weaknesses of your cyber infrastructure and practices. Assess risks, including staff noncompliance to safe practices, and determine a plan to address or mitigate those risks.
- Establish an ongoing education program for all your employees about cybersecurity and cybersecurity threats, and reinforce good security practices as much as possible.
- Address myths. There are many myths about cybersecurity, for instance, that appropriate security controls decrease productivity. Use your C-suite and physician champions and educational sessions to debunk those myths.
- Emphasize the consequences to patients. Share with physicians that a lack of adequate security puts their patients at risk. For instance, a ransomware attack might block an organization or caregiver from access to a patient’s medical record, which might lead to a medical error or otherwise compromise that patient’s safety. Today most medical devices require network connectivity, and many are connected to patients. Adding a device without appropriate security precautions could open the door to potential harm to the patient if the medical device is impacted in a hack.
- Don’t allow complacence. There is an overall trust in healthcare that a cyber incident could never happen to an individual’s organization. The WannaCry and Petya attacks earlier this year have helped to convince some that the threat is real and universal. In truth, every organization no matter what the size, is at risk, and it is critical to have a plan in place to address that risk.
The Health Care Industry Cybersecurity Task Force released 100 recommendations earlier this year, including one that encouraged healthcare organizations to participate in National Cyber Security Awareness Month events. The full report is available here.
On a related note: If you are in Washington. D.C., on Oct. 4, be sure to join me at CHIME’s briefing, “The Critical State of Healthcare Cybersecurity: Leveraging the Recommendations Made by the Health Care Industry Cybersecurity Task Force.” The noon- 2 p.m. presentation is hosted by CHIME’s public policy team and will include members of CHIME and the Association for Executives in Healthcare Information Security. If you plan to attend, please RSVP here.