Hospital cybersecurity: It takes practice

Cambridge Health Alliance is one of many hospitals that has embraced health-care technology to improve patient care. Still, for doctors and nurses in this hospital network outside Boston, worrying about security when they input data into the system's computers requires a balancing act.

"You have the patient interaction, you have the computer, you have security and you're actually trying to think clinically about what to do next," explained Dr. Brian Herrick, chief medical information officer at Cambridge Health. "It has made things more difficult to interact with the patient."

By law, Cambridge Health is required to protect patient information. Yet recent ransomware attacks that hobbled systems at Hollywood Presbyterian Medical Center in Los Angeles, MedStar Health in Washington, D.C., and others, have made staff here more aware that they could also be targeted.

"It's one of our number one concerns, and it certainly has risen," said Herrick.

As a result, they've focused on trying to make security measures seamless and easier to use. One method they've adopted is to move away from passwords for user authentication.

"Whether it's using a fingerprint or inking your card and eliminating all those things you initially need to think about … and [ending] that habit or trend to use the same password across all platforms and applications," said David Ting, co-founder of cybersecurity firm Imprivata, which provides the hospital's IT security.

"We've known that to be a bad policy, because if you get one password you can get access to everything," said Ting, who serves on the U.S. Department of Health and Human Services cybersecurity task force.