IT security requires more than producing a long policy
IT security is becoming more important in healthcare every day, but the old ways of educating employees and physicians on this topic are insufficient, say leading IT security experts. Risk managers should consider entirely revamping the way IT security is taught and monitored, they say.
Unless IT security is a core element of someone’s job, it is not necessarily considered in their ongoing development needs, says Dominic Saunders, senior vice president of the NETconsent business unit at the London office of Cryptzone, a technical security company based in Gothenburg, Sweden. All too often employees receive merely an initial presentation from the IT department when they start and are expected to remember it, keep up to speed with changes, and adhere to ever-changing IT security policies and procedures.
“Without an ongoing systematic and proactive user-awareness program, a strong security posture is in jeopardy,” Saunders says. “There is no cure for stupidity or genuine human error, but you can educate your workforce to help them make the right decisions and avoid unnecessary mistakes. What are you doing to make sure your workforce is security aware?”
Eileen Buck, MD, an IT security specialist with the Cogo Agency in London, is working with IT security in the National Health Service (NHS) and says the IT security concerns are nearly identical in American hospitals. “We find that hospitals do the basics with IT security, but they cannot keep up with the new information about security risks and prevention,” Buck says. “The nurses on the ground are running around trying to take care of patients, and the ones at the top sometimes think they’re too important to be told this. So the e-mails don’t get read, and the new information is lost.”
Most commonly, the biggest failing in a healthcare IT policy is that it is written to satisfy regulators and not to actually educate staff about protecting data security, Buck says. “When I ask what is in their policy, the hospital always tells me ‘it has everything in it, everything we’re supposed to have,’” Buck says. “That makes me wince. That means that it’s likely to be 40 pages long, it covers everything, and people are asleep by page three. They don’t understand it, and there is no focus on specific essentials.”
Most IT security policy and procedure manuals are written in a language to impress the regulators, lawyers, and auditors who will be checking its existence, Saunders says. “The average employee doesn’t stand a chance,” he says.
Instead, employees should be educated about the specific areas in which they work, under the umbrella of the overall IT policy, Buck says. Provide examples of situations in which they might actually face a security issue and explain how it should be handled. The goal, Buck emphasizes, is to actually educate the employee about IT security rather than being able to say you gave the employee the entire IT policy and therefore any violation is the employee’s fault, not yours.
“Auditors are not impressed anymore with looking at a huge policy,” Buck says. “They want to see that the risks and procedures are so clear that the employee should understand them.”
Specificity in IT training also can eliminate the folly of forcing employees to agree to a policy with which they cannot comply. For example, most IT policies forbid employees from downloading software to their work computers and require everyone to agree to that provision along with the rest of the entire IT policy. “And then the IT professionals violate that agreement on the first day, because they have to download software to do their jobs,” Buck explains. “When you force people to agree to something that they can’t do, you’re telling them that the policy is not really intended to provide security but is there for another reason.”
Employees should receive a copy of the written materials, but most actually learn better and faster from practical experience, Saunders says. (See the story below for more on how to improve IT security.)
“Staff need multi-sensory input if they’re going to fully appreciate relevant policies and procedures and understand exactly what their responsibilities are,” he says. “If you expect them to play their part in protecting the organization, don’t they deserve to be shown how to do it? Online videos and interactive training that can be viewed at their convenience do the job very well.”
Risk managers also must watch for the creeping emergence of a systematic disregard for IT security, cautions Beverley Stonehouse, UK marketing manager for Cryptzone in London. If an IT policy is poorly developed and does not take into consideration the practical needs of employees, or if they are not properly educated on the policy, employees might dismiss it as unworkable. “You can get nurses and others who say among themselves that they know what the policy is, but if they follow it they’ll never get their jobs done,” Stonehouse says. “That can be devastating to the effectiveness of your security program.”
An employee’s ability to take appropriate actions if, and when, a security incident arises is paramount, Saunders says. Think about how anyone in your organization would react when discovering a breach. If it were something they’d done that had caused the problem, would they put their hand up and come clean, or try to cover it up?
It is imperative to make sure employees understand the risks of leaving any security breach unreported and are not scared of reporting potential issues, he says. Employees also respond better to seeing that the right behavior is expected and is what everyone else does, rather than simply being told that it is what employees ‘have to do,’ Saunders says.
“Every single person in your organization needs to understand the part they play in defending your organization and keeping it secure,” Saunders says. “Don’t just assume that because you’ve got written policies and procedures to follow that the people in your organization are security aware.”
Sources
• Eileen Buck, MD, Cogo Agency Ltd., London. Email: [email protected].
• Beverley Stonehouse, UK Marketing Manager, Cryptzone, London. Email: [email protected].
• Dominic Saunders, Senior Vice President, NETconsent Business Unit, Cryptzone, London. Email: [email protected].