Risk Management

Talking to Healthcare Practitioners About Cybersecurity

Adam Zoller
Feb 22, 2023

As a Chief Information Security Officer (CISO), my core function is to set and execute cybersecurity strategy, specifically, to ensure protection of an organization’s information ecosystem, including sensitive information and systems. I’m responsible for developing and implementing security strategies, policies, and procedures to mitigate cyber risks and prevent adverse outcomes.

How to go about setting strategy, what policies to align to, whom to involve in crafting controls, and how to govern your program (among other things) all vary from organization to organization. Each security leader has multiple variables to consider through this process: company size, team size, the sector(s) your company operates within, your company’s industry-specific regulation, and the list goes on. Regardless of these variables, the constant we security leaders find ourselves navigating is that our organizations are made of people whose teams have different cultures, types and levels of expertise, and priorities.

In my experience, one key to successful strategy execution is effective customer communication: building security champions, and changing the organization’s security maturity from the inside out by turning it into a team sport. This is especially true in healthcare delivery organizations (HDOs), where brilliant clinical practitioners and support staff perform critical tasks and make decisions that—wittingly and unwittingly—impact security and privacy risk every day.

I can tell you from personal experience that it can be challenging for clinical staff to truly understand the importance of cybersecurity – not because they are incapable or don’t want to understand it, but because they are so incredibly busy with the important task of providing the highest quality care to patients.

Specifically, there are several potential challenges when discussing cybersecurity with non-cybersecurity and/or clinical staff:

  • Lack of understanding or technical background: Clinical staff may have limited knowledge of technology and cybersecurity and may not understand the implications of insecure systems or practices.

  • Different priorities: Clinical staff’s primary focus is on patient care, while the CISO’s primary focus is on protecting systems and data.

  • Resistance to change: Clinical staff may be resistant to changes in workflow, especially if they believe that security changes or security measures will slow down their ability to provide care.

  • Time constraints: Clinical staff often have limited time and may not prioritize cybersecurity training or discussions.

To overcome these challenges, it’s important to take a proactive approach and communicate the benefits of initiatives that security teams are driving. Here are some successful strategies I’ve employed:

  • Explain the risks: In the early days of the COVID pandemic, I decided to make an impactful change to one of our security technologies in order to respond to an ongoing threat we faced. This change was very disruptive to our clinical staff, and especially disruptive to people with little information technology background. Through this process, I learned a valuable lesson: once I took the time to explain the reasons behind this critical change, people became strong advocates for the change and even took steps on their own to advocate for the change with their peers. Highlight the potential consequences if a change isn’t made, explain the risks and reasons why you’re doing what you’re doing, and you’ll build a team of allies.

  • Emphasize patient safety: Take time to understand and then communicate the patient safety impacts of security initiatives. Explain how securing systems can improve patient safety by protecting sensitive information and ensuring uptime of systems when they are resilient to cyberattacks. At Providence, we’ve invested a tremendous amount of resources in securing clinical devices—devices that are often not patched or upgraded as frequently as other devices on an enterprise network given how they are regulated and used. Taking a device offline for maintenance can be a disruptive event for clinical care, but collaborating with clinical staff to educate them on the patient safety impacts of not patching a device can alleviate some of the operational pain associated with device downtime.

  • Provide training: Make sure you’re offering relevant, succinct training to appropriate audiences. Offer training sessions to help clinical staff understand the importance of cybersecurity and practical measures to be cyber-safe every day in both professional and personal settings. We regularly educate our staff about cybersecurity topics such as phishing and using strong passwords. Clinical staff are often exposed to different cyber risks in the care setting than your knowledge workers are. Realize the biggest training impact by tailoring training to be relevant and specific to the audience.

  • Be available: I see lots of security organizations falling into the trap of operating in the shadows, being inaccessible, or not communicating what controls exist in a particular environment. By communicating openly and being available, you let the controls themselves act as a deterrent to bad practices, educate those who are interested, and encourage people to report suspicious behavior. Make yourself personally available for clinical staff to approach with questions, take time to learn their priorities, and be friendly.

  • Lead by example: Demonstrate the importance of security by following the practices in your own team, and encourage others to do the same with open cyber communications.

By taking these steps you can help clinical staff understand the importance of cybersecurity, how it enables patient safety, and how it can be a differentiator to customers who are choosing where to seek care. This can lead to a more secure and efficient organization and ultimately benefit both staff and patients.

Adam Zoller
Chief Information Security Officer

Adam Zoller is the Chief Information Security Officer for Providence, a national, not-for-profit healthcare system with more than 50 hospitals, 1,000 clinics, and locally driven programs administered by more than 120,000 caregivers.