Security tips for a 'cyber workforce'
Michael Kaiser, executive director of the National Cyber Security Alliance, says developing a well-trained and proactive workforce is key to hospitals and health systems as they stare down growing and evolving cybersecurity threats.
But, as these things often are, that's easier said than done.
At the Healthcare IT News Privacy & Security Forum in Boston on Dec. 2, Kaiser will offer his perspective on the unique challenges - but also opportunities - providers face as they set about shaping "the next generation of cybersecurity professionals."
With the National Cyber Security Alliance, Kaiser engages with businesses, government agencies and non-profit groups in education and outreach efforts, such as National Cyber Security Awareness Month, which just wrapped up in October, and the upcoming Data Privacy Day on January 28.
"Our primary mission is education and awareness to help people use the Internet more safely and securely," says Kaiser.
That includes those in healthcare, and through partnerships with groups such as HIMSS, NCSA aims to build awareness about smart and safe practices in cyberspace.
We hear all the time about how healthcare is fundamentally different from other industries with regard to its privacy and security challenges. But Kaiser isn't necessarily so sure.
"It's only different to the extent of the amount of information it collects about people," he says. "The amount of information that accumulates about you is significantly more in the healthcare industry."
One other differentiator is that "healthcare is a very diversified industry," says Kaiser, with protected health information flowing between and among all different types of organizations: "Everything from an individual doctor's office to a lab to a gigantic hospital or health system, with insurance providers up and down."
Across all of those spaces, one key to keeping data secure is ensuring those who handle it are acutely aware of their solemn responsibility for safeguarding it. Toward that end, Kaiser has a couple pieces of advice.
First, "Creating a culture of cybersecurity isn't just about laying down rules and asking people to follow them," he says. "That's part of it and it's kind of the way we think about it most of the time, but it's really about starting at the top of the organization and throughout, getting everybody aware - to pay attention to and have their antennae up about risks and the kind of things they're doing that may cause risk."
Second, says Kaiser, a key challenge is figuring out how to set the stakes in a way that everyone can grasp: "How do we do this in a way that's more organized and more framed out, so people can understand it? One of the risks about cybersecurity is that it moves to the technical rather quickly. That loses a lot of people when you're trying to create a culture of cyber security."
For instance, he points to something like the NIST framework as a somewhat more "non-technical" approach that employees could grab onto.
Then, of course, there's the basic blocking and tackling that's still often overlooked: "identifying the digital assets you have and need to protect; making sure you have ways to prevent those assets from being lost or stolen; making sure you would know if an incident occurred; being able to recover and respond to that incident and recover."
By offering a framework that helps keep this in perspective, "you can kind of put people in a better frame of mind about what they need to do," he says.
And lest we forget: Kaiser may be from the National Cyber Security Alliance, but security "is not always cyber. There could be patient data in a folder sitting, unsecured. Or there could be computers that don't get turned off because you're just going to be away for a second. All kinds of things increase your risk."
Add to that the high-speed and high-stakes nature of hospital workflow: "Obviously the healthcare setting is not always a low-stress setting," he says. "If you're working in that kind of environment, you have to think about how to adapt this to the environment in which we're operating. And how do we identify the things that are most important to be protected."
Oftentimes, after all, cybersecurity is framed as a looming disaster, one that often seems hard, if not impossible, to protect against. That mindset has the potential to overwhelm employees - and, ironically, undermine security.
"What you hear all the time is that you're just bombarded with risk," says Kaiser. "With risk and bad things: There's a breach here, there's a breach there. People need to be able to prioritize when they've already got a million things to do: What's the most important thing I can do right now to make sure I'm protecting the most important data."
In Boston next month, he says, "hopefully we can have a conversation to clarify some ways that can happen in the healthcare setting."
The Healthcare IT News Privacy and Security Forum runs from Dec. 1-Dec. 3 at the Westin Boston Waterfront Hotel.