Clinicians need the right messaging to pay attention to cybersecurity
The clinical workforce must be cyber aware, and the cybersecurity team must become clinically aware, experts say.
Photo: Susan Morse/HFN
BOSTON - The issue with cybersecurity from a clinical point of view is that physicians and nurses just want things to work. They often want cybersecurity to be bolted on to make patient information secure, according to experts speaking during the HIMSS Healthcare Cybersecurity Forum this week.
Clinicians are busy, and get so many messages, that when they receive an email message from the chief information security officer, that information had better be attention-grabbing to rise above the noise. A cybersecurity newsletter is not going to cut it, according to Srinivasan Suresh, vice president, chief information officer and chief medical information officer at UPMC Children's Hospital of Pittsburgh.
"Messaging is key," Suresh said. "We are competing for attention from clinicians who receive dozens of messages every day. Similar attacks at hospitals similar to our hospitals get attention. That hits home," as do the amounts paid in ransomware attacks and the chaos caused by systems going down during cyberattacks.
"Some of these sound a little dramatic," he said. "The point is to get their attention."
The question becomes, "How do we get clinical workforce cyber aware and how do we get cyber clinically aware?" according to moderator Mark Sugrue, managing director of FTI Consulting, and the other experts speaking during "Clinical Perspectives in Cybersecurity."
Clinicians need a steady drip of information to understand the whys, such as why it's important to hover over a link before opening it, said Cindi Carter, CISO for Check Point. "I think cybersecurity gets a bad rap," Carter said. Security is viewed as people who "sit in a corner with hoodies on with no social skills," she said.
Most clinicians get the message, according to Eric Liederman, National Leader for Privacy and Security for Kaiser Permanente. In test phishing, only one-half of 1% of the workforce clicks three or more times a year on a test phishing email.
"We give these folks a lot of extra attention," Liederman said. "We don't penalize them."
Attention must also be paid to connected information beyond the four walls of a hospital, such as through medical devices.
"We have to think about securing at the edge, as well as what we have going on at bedside," Carter said.
Security must be built into those devices from the start, not added on later, she said.
Liederman said, "We have a well-developed structure around medical devices. Before, it focused on functionality, and we had the cybersecurity discussion later. We've pushed nonfunctional assessments much earlier in the process. Then we can weed out companies that aren't going to cut it."
The best way to get clinicians involved in cybersecurity efforts, the experts said, is to invite them into meetings at the beginning of the conversation. Don't bring the physician in after you've been talking for three months, Suresh said.
COVID-19 taught everyone that they could innovate on the fly, Sugrue said. New care models, such as telehealth and hospital at home, and a remote workforce, have also created security challenges. Clinicians question why they can't access the Gmail hospital server.
Liederman said, "Trade-offs are sometimes necessary. People are trying to harm us and our patients all the time."
Patients need to get the best medical health outcomes, while having their data protected, Carter said.
"At the end of the day, what is that quality experience going to be like?" she said. "We're always on this dichotomy, keep it private, share it with everyone."
Twitter: @SusanJMorse
Email the writer: SMorse@himss.org