Servio Medina, acting cybersecurity policy branch chief at the Health IT directorate within the Federal Defense Health Agency, made a powerful case for healthcare organizations to take an open-minded and multidisciplinary approach in improving healthcare cybersecurity. He stressed the huge role of human choices in data breaches and said, "Technical controls alone are not enough, and it takes more than just effective training for training to be effective. It takes a myriad of controls."
Medina spoke at this year's Healthcare Information and Management Systems Society (HIMSS) conference, held in Orlando, Fla.
He cited findings from the Ponemon Institute's annual survey on privacy and security. The survey has consistently found that "employee mistakes, third party snafus [sic] and stolen computer devices are the root cause of 50 percent of data breaches in healthcare." He also described Department of Defense data showing that poor user practices are the top cause of a successful cyber attack. "This screams at me to do something," he said.
Medina described today's typical misguided approach to fostering better cybersecurity within organizations. He said it usually involves an hour or two of training each year through sessions that employees only grudgingly attend. The trainees often feel inconvenienced, bored and eager to get back to their own work, he said, and added that such infrequent, brief training has minimal impact.
Since the usual approach is failing and because humans tend to behave consistently across settings, Medina decided to study a successful attempt to change another behavior that matters greatly in healthcare. He looked at the regularity with which clinicians wash their hands before interacting with each patient. The model he looked at, launched at Johns Hopkins Hospital, doubled clinicians' hand-washing rates within one year and tripled them within two. He sought useful parallels to shape his thinking about how cybersecurity might be similarly enhanced.
The hand-washing campaign drew heavily upon a behavior change theory called nudge theory. He urged cybersecurity professionals to learn about and apply aspects of this theory. It's described in a bestselling book by Richard Thaler and Cass Sunstein called, unsurprisingly, "Nudge." The theory suggests that if certain poor decisions or actions result from a person's lack of understanding or poor habits, their behavior in that realm can most effectively be "nudged" towards improvements if their choices take place within a context that makes good choices easy and effortless.
In the book, the authors wrote, "A nudge…alters people's behavior in a predictable way without forbidding any options or significantly changing their economic incentives….The intervention must be easy and cheap to avoid. Nudges are not mandates. Putting fruit at eye level counts as a nudge. Banning junk food does not."
Medina highlighted research done in 2016 at the National Institute of Standards and Technology (NIST) that identified effective ways to combat "security fatigue," a weariness or reluctance to deal with computer security. Key actions that IT leaders should strive to take were as follows:
- Limit the number of security decisions a user must make
- Make choosing the safe option very simple
- Design systems to encourage consistent, correct decision making
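One concrete way a developer can apply those three points is to make the safe option the default of an API, so that a user makes no security decisions on the common path and must explicitly opt out (and say why) to take the riskier one. The following is an added example written for this article, not code from the talk, from NIST or from the Defense Health Agency; the file-sharing functions, the `ShareSettings` fields and the sample values are constructed for illustration.

```python
"""Added example: a 'secure by default' API as one way to reduce security
fatigue. The functions and settings below are constructed illustrations."""
import inspect
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ShareSettings:
    """Constructed set of security-relevant choices for a shared file."""
    visibility: str            # "private" or "public"
    encrypted: bool
    expires_days: Optional[int]  # None means the link never expires


def share_file_fatiguing(visibility: str, encrypted: bool,
                         expires_days: Optional[int]) -> ShareSettings:
    """Every call forces the user to make three separate security decisions,
    with nothing steering them toward the safe answer."""
    return ShareSettings(visibility, encrypted, expires_days)


def share_file_nudged(public: bool = False,
                      public_justification: str = "") -> ShareSettings:
    """Zero decisions on the common path: private, encrypted, expiring.
    Public sharing is still allowed (a nudge is not a mandate), but it has to
    be chosen explicitly and justified, which keeps the unsafe choice rare
    and auditable."""
    if public and not public_justification.strip():
        raise ValueError("public sharing requires a written justification")
    return ShareSettings(
        visibility="public" if public else "private",
        encrypted=True,
        expires_days=7,
    )


def required_decisions(func: Callable) -> int:
    """Count the parameters a caller must supply: a rough measure of how many
    decisions the API pushes onto its user (NIST point 1 above)."""
    params = inspect.signature(func).parameters.values()
    return sum(1 for p in params if p.default is inspect.Parameter.empty)


if __name__ == "__main__":
    print("fatiguing API decisions:", required_decisions(share_file_fatiguing))
    print("nudged API decisions:   ", required_decisions(share_file_nudged))
    print("nudged default:", share_file_nudged())
```

The `required_decisions` helper is a crude metric, but it makes the design review concrete: an API whose safe path needs zero choices is one a tired user cannot get wrong by default, and the explicit `public_justification` parameter is where the "easy and cheap to avoid" override lives.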
These imperatives mirror the logic of nudge theory, Medina said. He advised that to improve cybersecurity, broad thinking is essential. "What we are doing today is woefully inadequate," he said. "We have to get out of our swim lanes. We have to take off the horse blinders."