The real cybersecurity risk sits between the chair and keyboard

Cybersecurity is at least as much about behaviour as it is about technology.
By Philipp Grätzel von Grätz
06:51 AM

A recent survey on healthcare cybersecurity that PwC performed in Germany chose an interesting approach. Usually this type of survey is directed at hospital CEOs or at healthcare IT professionals. But this time, PwC decided to ask the public. One thousand people were polled, and nearly one in three said that, in the case of a hospital visit, they would be deeply worried that IT systems might break down as a result of a cyberattack. Every second German said they were convinced that hospitals are unprepared for cyberattacks.

Two out of three want mandatory cybersecurity education for medical staff

These figures are high but not totally surprising. More remarkable was the “risk analysis” of the survey participants. When asked about the type of measures that might improve data security in hospitals, what came out first was neither penetration tests, nor surveillance, nor introducing a standardised security concept. All this was mentioned, for sure, but what appeared at the top of the list with a staggering 87% of participants mentioning it was better education of staff.

In fact, 67% of Germans said that hospitals should be forced by law to train their staff on cybersecurity and proper behaviour. Citizens, it seems, are acutely aware of where healthcare-related cybersecurity risks lie. Technology is an issue, but more important is the risk factor ‘between the chair and the keyboard’, in other words the professional user.

HIMSS cybersecurity survey: Phishing not taken seriously?

There is myriad data suggesting that this is true. In the recent 2019 edition of the HIMSS Cybersecurity Survey, for example, 59% of hospital representatives and healthcare IT professionals in the US said that email was the most common point of information compromise. This indicates that phishing emails continue to be a significant security threats for healthcare organisations – despite the fact that this type of malware shuttle has been around for many years now.

Avoiding phishing-related incidents is clearly a matter of staff education, and thus the US survey corroborates the “gut feeling” of the German public that there might be a problem with staff education in hospitals when it comes to cybersecurity. Surveillance, too, should help to avoid phishing-related incidents. But surveillance, again, doesn’t seem to be taken seriously by hospital staff everywhere. In the HIMSS survey, 36% of non-acute care organisation representatives claimed that their organisation did not conduct phishing tests. The 'risk between chair and keyboard', it seems, is not only about doctors and nurses.

How to address the risk factor that is the human being?

Why is it that supposedly intelligent adults too often end up paving the way for disaster? At the HIMSS and Health 2.0 European Conference in Helsinki, these questions were addressed in a cybersecurity workshop that brought together experts and hospital representatives from all over Europe.

Workshop participants identified several factors as being responsible for making staff members become a security risk in healthcare organisations. In line with the surveys above, a lack of basic education came up. At least some medical professionals still put too much trust into IT systems, and many aren’t aware enough of which type of behaviour poses which type of risks.

Usability issues were also mentioned frequently. Doctors, one hospital representative said, wanted to cure patients, not deal with IT systems. If there are too many passwords or too complex workflows for storing or transferring data or for communication with patients or colleagues, the result will be “creative” evasion strategies that will in turn put patient data or hospital IT systems at risk.

Talk about patients and involve them

Workshop participants agreed that there was not a single measure that will reliably eliminate the risk between the chair and keyboard. An important aspect, many said, was improving usability through security by design.

Implementing voice recognition or face recognition, for example, could help to get rid of passwords, and thus eliminate a security-relevant process that is highly susceptible to misuse and also to “creative” (and risky) evasion strategies like pimping monitors with password stickers.

Talking differently about cybersecurity and cyberattacks could also help. Healthcare was about patients, a workshop participant said, and thus education about cybersecurity should also be about patients. Instead of lecturing about technology, security education should be about telling stories about patients that illustrate the risks that cyberattacks pose for them.

Patients could in fact take an active responsibility when it comes to reducing the risk of cyberattacks on healthcare organizations. There is an example from a related field, medical hygiene. Like with cybersecurity, there are clear and evidence-based behavioural measures that can be taken to reduce risks posed by a lack of hygiene, most prominently handwashing and disinfection.

Some years ago, it was shown that among the most effective measures to improve staff hygiene behaviour was asking patients to remind their doctor or nurse to clean their hands when entering the room. What would happen, if a patient asked his doctors after an encounter: ‘Have you logged out properly?’, or ‘Have you closed my file?’  

 

This article was first published in the newest issue of HIMSS Insights, which looks at cybersecurity in healthcare. Healthcare IT News and HIMSS Insights are HIMSS Media publications.