Overcome risk to drive a successful healthcare IT strategy (Part I)

Joel Alcon
Jan 22, 2019

If you’re a health system Chief Information Security Officer (CISO), you have one over-arching element you deal with all the time: operational risk. It’s constant, and it’s across your entire solution stack.

In a healthcare setting, operational risk can mean several things, starting with the risk of a data breach, where protected health information (PHI) is inappropriately accessed, information on your systems is held ransom, or critical information is stolen. There is also the risk of falling out of compliance and experiencing regulatory fines, and the risk of mistreating or losing patient data.

Such forms of operational risk cannot be eliminated, but they can be modified. Your organization’s level of risk – particularly around information security and privacy – is going to fluctuate, especially as the organization acquires a new facility, deploys new technology, or gets an influx of new users. There are various reasons why your level of risk can, and will, change.

When assessing risk, especially in healthcare, it is critically important to consider the end-user’s experience with your technology. How easy is it for end-users to use the technology being deployed? Perhaps an even bigger question for healthcare organizations to answer is: are security layers compromising the efficiency and delivery of patient care?

These questions are especially critical in healthcare because a large number of end-users are clinicians. They are laser-focused on delivering quality patient care and prioritize efficient patient care over information security. As a result, clinicians often view usernames and passwords as barriers, and will likely circumvent these security protocols by leaving their systems unlocked, sharing user credentials, or finding other creative ways to get to their patients’ information faster and more efficiently. In healthcare, unlike in finance, retail or other industries, security layers that “stick out” actually increase an organization’s risk of a breach or compliance gap.

To mitigate this risk, organizations implement an identity, governance, and authorization (IGA) strategy that ensures only the right users have the right level of access to the right sets of systems and applications when they need them. And as the organization evolves – new IT systems, new users, etc. – the goal is to continue to drive down ever-fluctuating risk.

However, some organizations are using solutions that don’t integrate with their key workflows, or they are doing IGA manually, leveraging either a system of spreadsheets or custom scripts to set the right access controls. This approach is not scalable, especially as your organization changes. 
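To make the “right users, right access, right systems, when they need them” goal concrete, here is a small added example (not code from the original post or from the author’s organization) of the kind of policy check a manual spreadsheet process cannot keep up with. The role catalogue, user records and dates are constructed for illustration. Access is derived from roles plus time-bounded exceptions, and an access-certification pass flags entitlements that drift from policy: excess grants, orphaned accounts of departed users, and expired exceptions that were never revoked.

```python
from datetime import date

# Constructed role catalogue: the entitlements each clinical role should hold.
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr:read", "ehr:write_notes", "pharmacy:view"},
    "physician": {"ehr:read", "ehr:write_notes", "ehr:order", "pharmacy:view"},
    "billing": {"ehr:read", "claims:submit"},
}

# Constructed identity records: what each user currently holds ("granted"),
# plus any exception granted outside their role with an expiry date.
USERS = {
    # Nurse who picked up a billing entitlement nobody removed.
    "nurse01": {"roles": {"nurse"}, "active": True,
                "granted": {"ehr:read", "ehr:write_notes", "pharmacy:view",
                            "claims:submit"},
                "exceptions": {}},
    # Physician with a temporary admin exception that expired on 2019-01-15.
    "doc02": {"roles": {"physician"}, "active": True,
              "granted": {"ehr:read", "ehr:write_notes", "ehr:order",
                          "pharmacy:view", "admin:user_mgmt"},
              "exceptions": {"admin:user_mgmt": date(2019, 1, 15)}},
    # Contractor who has left but whose account still carries access.
    "temp03": {"roles": {"billing"}, "active": False,
               "granted": {"ehr:read", "claims:submit"},
               "exceptions": {}},
}


def expected_entitlements(user, today):
    """Entitlements a user should hold today: role-derived plus unexpired exceptions.
    A deactivated (leaver) account is entitled to nothing."""
    if not user["active"]:
        return set()
    allowed = set()
    for role in user["roles"]:
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    allowed |= {ent for ent, expires in user["exceptions"].items()
                if expires >= today}
    return allowed


def certify_access(users, today):
    """Access review: compare what each user holds against what policy says.
    'excess' covers out-of-role grants, orphaned leaver accounts and expired
    exceptions; 'missing' covers role entitlements that were never provisioned."""
    findings = {}
    for uid, user in users.items():
        expected = expected_entitlements(user, today)
        excess = user["granted"] - expected
        missing = expected - user["granted"]
        if excess or missing:
            findings[uid] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


def is_authorized(users, uid, entitlement, today):
    """Runtime decision: entitled now according to policy, not the stale grant list."""
    user = users.get(uid)
    return user is not None and entitlement in expected_entitlements(user, today)


if __name__ == "__main__":
    review_date = date(2019, 1, 22)
    for uid, finding in certify_access(USERS, review_date).items():
        print(uid, finding)
```

Running the review on the constructed data flags `nurse01` for the out-of-role `claims:submit`, `doc02` for the expired `admin:user_mgmt` exception, and `temp03` for both entitlements still attached to a deactivated account; the same policy function answers the runtime question, so an exception that has lapsed stops working on the day it expires rather than whenever someone next edits the spreadsheet.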

And it is indeed changing. Look at points of access. We see time and time again organizations deploying new applications, endpoints, and other clinical and non-clinical systems. Some of these are virtual systems or cloud applications. 

Moreover, changing regulatory requirements and new technologies mean that change is a constant for most organizations. In Part II of this post, we will examine the new challenges being introduced, including regulations, mobile devices (for access and secure communications), connected medical devices, and the very manual and error-prone patient ID process.