Patching Provides Zero Value Add to the End User

In a recent discussion I was having with a healthcare CISO, they said something really powerful:

Patching Provides Zero Value Add to the End User

The background here is that patching is a fundamental principle of basic security that every healthcare CISO should be implementing.  However, to the end user, patching doesn’t provide any value.  In fact, one might argue that patching can actually slow the end user down while they wait for their machine to apply the patches and restart.  We all know the doctor that knows they need to update and delays it as long as humanly possible.

As I thought about it, there are so many areas of healthcare security where this is true.  Take for example, using a VPN to remotely access the hospital network.  What value does that provide an end user?  None.  In fact, they have to go to the added trouble of logging into the VPN and it can slow things down depending on the quality of the VPN.  However, a VPN is extremely valuable for the security of the healthcare organization.

Another example is 2 factor authentication (2FA).  Does a doctor gain a lot of value when doing 2FA when ePrescribing a controlled substance?  Not really.  I guess they at least appreciate that 2FA makes it harder for someone to steal their identity and impersonate them.  That’s at least some overarching value, but it certainly doesn’t provide any value to their workflow.

In fact, we could argue that passwords don’t offer any value to the end user either.  However, similar to 2FA, they do ensure responsibility for who did what.  I’ll never forget a nurse very aggressively telling me that she wasn’t going to do something in the EHR that would put her license at risk.  Maybe passwords do at least provide some accountability and protection for who did what within a system.  We all know that’s extremely important, but from the end user’s perspective a password doesn’t do anything to make the visit better.

This phenomenon isn’t just in healthcare security though.  One person on Twitter suggested that EHRs were in the same boat (i.e., provided value to the organization, but not the end user).  I’m not that cynical (or at least I’m more nuanced in my cynicism), but no doubt some feel this way.  Needless to say, this is a big challenge for healthcare CISOs that need the support of end users for effective security.  What can they do?

I’ll admit that there’s no surefire solution to this problem.  Although, one option is to appeal to the importance of an action to the organization’s overall reputation.  We all know that patching can be a pain for the end user, but the right education can help them understand why doing so is extremely important to the organization’s overall security.  It’s not hard to find examples you can share of healthcare breaches that took place because patching wasn’t being done.  Plus, it’s worth sharing that if patients don’t trust an organization to appropriately secure their data, that can cause problems with the clinician and the patient as well (i.e., the patient won’t share important information).

Another suggestion I’ve heard is that health IT needs to streamline things as much as possible.  For example, not all 2 factor authentication is created equal.  Some implementations are easier than others.  With some effort, patching can be scheduled at times that are more convenient for the clinician users.  These types of efforts are worth it especially when the thing that needs to be done offers no value to the end user.  At the end of the day, it’s about making the requests of users as reasonable and well thought out as possible.  You won’t win all these battles, but it will at least soften the blow.

A strong leader and buy-in from top leadership is key as well.  No doubt that’s why many CISOs had a hard time getting buy-in from staff for their security efforts in the past (and some still struggle today).  For a long time, many CEOs and healthcare boards weren’t bought into security either.  Given the number of breaches, ransomware attacks, and HIPAA fines, that’s less the case today than it was previously.

Those are a few of the ideas I’ve heard.  I’d love to hear how other people are approaching these challenging situations.  What’s been your experience getting things implemented that are essential to your organization, but provide no immediate value to the end user?  I’d love to hear your thoughts in the comments below or on Twitter with @HCITToday.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

   
