The technological developments that have fueled innovation in health tech are accompanied by challenges that need to be addressed if their potential is to be fully realized. Few areas of healthcare reflect that reality more than cybersecurity and the need for health systems to provide robust training, so staff are prepared for phishing attacks, ransomware and other forms of cyber-attacks.
At the ViVE conference, powered by HLTH and CHIME, a panel discussion on the topic of healthcare and data security concerns concluded that the best way to educate and train employees on data security best practices is not through multi hours-long training courses and workshops but through frequent but bite-sized “apéritifs of information” — think 3-6 minute — training installments highlighting best practices.
Bill O’Connell, head of product security and privacy operations at Roche Information Solutions at Roche Diagnostics shared his perspective on the topic.
“I’ve run security and privacy training programs for probably 15 years. One of the things I’ve noticed is that sometimes there’s more information than people want or are ready for. You also have to figure out how to tailor the message because ultimately your goal is not just let me get the check mark that everybody sat through one hour of training —let me get them to behave differently.
“You might be better off going for some small wins. One year, we did three-minute videos, YouTube-length videos, and sprinkled them out throughout the year rather than the one-hour long training. Also, making it where there’s a baseline that you’d have to do that would offer more and make it relevant to the individual.”
O’Connell offered a couple of examples such as for staff planning travel — how can they stay safe using guest WiFi at hotels or other venues.
Marti Arvin, chief compliance and privacy officer with Erlanger Health System, agreed that her team had adopted a practice of providing what she described as “apéritifs of information” in the form of biweekly “Etips” — emails focused on a specific topic in cybersecurity and patient data management. Arvin said this approach has enjoyed a strong response from staff because it’s easier to retain this information. But heath systems still have to meet the expectations of regulators when it comes to training, which favor training sessions of longer duration.
Lynn Sessions, a partner with Baker Hostetler, was the panel moderator and was joined by Jesse Fasolo, head of technology infrastructure and cyber security of St. Joseph’s Healthcare System; Marti Arvin, chief compliance and privacy officer with Erlanger Health System; O’Connell; and Sherri Douville, CEO of Medigram.
Fierce competition for staff
Although ransomware attacks on hospitals have grabbed headlines, other industries face cybersecurity concerns as well, creating fierce competition for staff from industries prepared to pay 30% to 40% more, observed Fasolo. He said another option is for health systems to nurture a new generation of staff to meet these needs.
“There’s a training methodology that organizations need to adapt to go out and get the talent because the talent is not learning at the capacity that technology, security, regulations and privacy is growing,” Fasolo said. “It’s hard to get new skills or a person with those new skills in the door. You almost have to nurture and develop within — grow that resource, build and establish a bench — and that’s the only way I’m seeing it from my perspective in security.”
Who has the data?
Fasolo and Arvin shared insights on how challenging it can be for a health system with an extensive network of third-party vendors to keep track of and manage data. A health system shares data with hundreds of other third parties on any given day. Having a good grasp of where that data is and who is receiving the data is a daunting task for any healthcare system, Fasolo noted.
“I think if you can say that you know where 95% of your data is, from my perspective, you’re doing a really good job because it’s just so incredibly difficult to figure out …all the storage locations, all the people who store data in places they’re not supposed to,” Arvin said.