
A study conducted by three universities has revealed a fatal flaw in the healthcare industry’s cyber security operations: a lack of cohesion between cyber security protocols and their proper execution. Healthcare organizations are vulnerable to data breaches because cyber security efforts are perceived as an interruption of clinical workflow, rather than as safeguards to secure the protected information of patients. The current cyber security protocols that have been established in medical practices and other organizations responsible for the safekeeping of PHI were formulated under the expectation that perfect theory would equate to perfect execution, but interviews with clinicians, chief information officers, and other healthcare workers revealed that this is not the case.

Current cyber security measures are designed to protect against external breaches and workarounds at the hands of hackers, but this focus on external threats doesn’t take into consideration the opportunity for internal, unintentional breaches. Every day, seemingly minor circumventions of security protocols are proving to be a glaring weakness in the industry. Clinicians and day-to-day employees of medical practices and healthcare organizations have reported repeatedly violating security compliance measures in order to make their jobs easier and more convenient.

This raises the question: is cyber security growing in the wrong direction?

How effective are firewalls and safeguards against hackers when employees are frivolously sharing passwords, keeping separate note sheets for ease of use during the day, and leaving authentication details on the very devices they’re meant to protect?

Clinicians are regarded as caretakers, but they’re failing their patients in a tremendously alarming manner. By finding workarounds for the security measures in place, clinicians are leaving both their patients and the healthcare industry itself vulnerable to an epidemic of theft and invasion.

The rejection of basic security protocols by clinicians is paralleled by cyber security’s inability to create sustainable security measures that couple convenience with protection.

Clinicians and healthcare organizations need to take accountability for their carelessness while the two industries work towards a healthy marriage. Cyber security needs to grow in two directions, roots expanding to focus on internal security solutions as well as external measures – but clinicians need to recognize that patient information is worth more than the minor inconveniences caused by compliance. Until then, there are simple solutions. Stop sharing passwords for ease of use, and keep your credentials confidential. Passwords lose their validity the moment they’re spread to anyone other than who they’re intended for. Resist the urge to tape codes, passwords, and identifiers to the bottom of locked devices – and realize that EHRs can be a useful efficiency tool once ignorance of their operations is eliminated.