We held our first CIO/CISO Dinner last week at Becker’s Healthcare in Chicago. Listening to the anecdotes swapped around the dinner table by CIOs and CISOs is always exciting, and this crowd did not disappoint, with two tales we had heard before. This post talks about Velociraptors and clinician workflows.
In Jurassic Park, the Velociraptors continually test the security fences looking for weaknesses. In hospitals, clinicians test the cybersecurity fences. Motivated by a fierce desire to serve their patients, when clinicians come across a policy that slows them down, they either try to go around it or defeat it.
Digging into this observation, you uncover that IT teams have researched how groups of clinicians use the various systems. Based on interviews with clinicians, tribal knowledge, and historical precedent, IT policies and rules are implemented to support these usage patterns. The problem is that there are too many variables in the usage patterns. Patient care almost always wins out over IT policies, and the rules get broken. IT teams are pushed to break the rules daily when clinicians, for whatever reason, can’t get their jobs done. In these cases, IT at least knows it has made an exception. Of course, tracking the exceptions and understanding their long-term impact is hard to manage: an exception granted under time pressure rarely comes with an expiry date or a follow-up review. Granting a clinician administrative privileges to solve an immediate issue, for example, might create long-term incident risk that is tough for the team to detect or model.
In other cases, clinicians make repeated runs at the security policies to figure out ways around the system. Many times they succeed, and these workarounds can be exceptionally creative, but they also create PHI incident risk, and because no exception was ever requested, IT has no record that the control is being bypassed.
Finally, in still other cases, clinicians simply get frustrated in attempting to meet the needs of their patients. These are perhaps the worst cases, since they go undetected by IT: unless the clinician raises the issue, the policy merely causes latent frustration and the underlying workflow problem is never fixed.
Tausight will detect attempts to defeat security policies and give IT teams a starting point for improving clinical workflows while preserving the security profile of the hospital. In some cases, depending on the Tausight-calculated risk profile of the user, relaxing a security policy might make sense. In other cases, based on the behavior detected, there may be ways to change the workflow so that it better supports the clinical process while maintaining security. Everyone is on the same team to deliver excellent care, but IT can’t make changes if it is blind to the issues. Tausight should give IT the visibility to fix these issues proactively. While Tausight won’t end the Velociraptors, it should detect them so that the fences can be adjusted.
We are currently recruiting and signing up our initial design partners!