For healthcare IT and security leaders, the past few weeks have been unlike anything most have ever experienced. To accommodate the unprecedented influx of patients, organizations are taking several steps, such as adding more staff, reassigning roles, shifting to a largely remote workforce, and even setting up makeshift care sites.
“To say that right now IT responds primarily to issues dealing with this event would be an understatement,” said Mitch Parker (Executive Director of IS & Compliance, Indiana University Health), who spoke during a recent webinar along with Sean Kelly, MD, CMO at Imprivata, and Sri Bharadwaj, CISO at UCI Health. “Everything we do now is focused on incident objectives.”
According to Bharadwaj, who also serves as co-chair of AEHIS, those objectives have centered around three key areas: virtual care, identity and access management (IAM), and connectivity. At UCI Health, an academic medical center based in Orange County, California, working from home isn’t a new concept, and as a result, hasn’t presented many issues. The challenge, he noted, has been around provisioning.
Kelly, an emergency physician at Beth Israel Deaconess Medical Center, has encountered similar issues. With such a large population working remotely, “the capacity issues are huge,” he said, adding that when the same networks being used to download movies and use apps like TikTok are being used for telemedicine, the onus is on IT and security to protect some bandwidth and mark off certain areas for business and clinical needs. “The ability to do that well and do it easily can make all the difference between being able to run your clinical care in business or failing to do so.”
To that end, the experts shared some of the lessons they’ve learned, and offered best practices for successfully leveraging tools like IAM to enable providers to keep their focus where it needs to be: on the patient.
- Don’t just increase staff; manage roles properly. As organizations deploy tools to ensure providers can access the systems, it’s imperative that the right security measures are in place to be able to provision and deprovision users as they rotate among different locations and areas, noted Kelly. “It’s not just about increasing staffing; it’s managing those roles properly. Having a good identity and access management system is a huge need.”
- Process is king. While it is certainly beneficial to have an IAM strategy, what’s even more important is having a solid process when – not if – surge staffing becomes a reality, according to Parker. Those that do are more prepared to rapidly onboard large groups of workers. “It’s simple. If you have a good process, you can address customer issues and address the surge, and be able to conduct business better during uncertain times.”
- The new firewall. It’s no longer enough to create a firewall and feel safe. As workflows extend beyond the hospital walls, and usage increases, identity becomes the perimeter, said Kelly. “It’s the control plane by which we expect most healthcare systems to now dial up or down that security.” By adopting a zero trust policy and being able to accurately verify users, “you can make it really easy for those that legitimately need to get in, like your doctors, nurses, and others, and make it a lot harder for the nefarious characters.”
- Communicate effectively. A common challenge for information security leaders is the ability to communicate with physicians. According to Bharadwaj, it’s all in the approach. Rather than getting into the weeds, he advised positioning security as a patient trust issue, and conveying the damage a breach can have, both on safety and on the organization’s reputation. He also advised security staff to make themselves available as much as possible, and show that they’re willing to help. “Physicians need to understand that we have constraints we have to work with,” he said. “We need to say, ‘let us help you deliver a more resilient, scalable, secure infrastructure.’ We are enablers. We are leaders, and so we have to lead our physicians in a more secure way for them to deliver better patient care.”
- Don’t overlook workflow. One of the biggest concerns Parker has seen is in addressing new workflows and new processes, and the impact they may have. “We’re talking about a fundamental change in how we do business to accommodate a global pandemic,” he noted. “We have to minimize the effects of anything else so that we can allow our clinicians to focus on keeping people safe.” That means maintaining the same security posture while also being able to manage workflow changes, particularly in areas like telehealth.
- Form (or use) committees. At UCI Health, a Compliance Risk Information Security and Privacy committee was already in place to discuss challenges and propose solutions. But rather than meeting monthly, the group — which includes representatives from clinical, operations, compliance, privacy, and revenue cycle, among other areas — now convenes multiple times a week. “With anything we do from a security perspective, we have the voice of the physicians,” he said, adding that the multi-function, multi-disciplinary committee “makes decisions not just for IT, but for the organization.” Having that in place, Bharadwaj said, has been a critical piece in UCI Health’s coronavirus response plan.
- Don’t waste a good crisis. If organizations don’t already have a Hospital Incident Command System (HICS), now is the time, said Parker. During an event like COVID-19, where strategic objectives are constantly changing, having a structure to guide governance is paramount. Kelly agreed, adding that the “highly operational” nature of incident command can actually have a positive impact. “In some ways, hospital and provider systems can become more functional during this time, because they’re forced to strategically and operationally focus on what really matters,” he said. “By having the right set before an event occurs, leaders are able to react appropriately, be more agile, and be more definitive with decisions.”
- Checks and balances. During a crisis of this magnitude, having a solid checks and balances system becomes critical. “You see the pace of meetings accelerate, you cut to the chase more, you make big moves for your hospital system and then you reassess, or course-correct a little bit,” said Kelly. Therefore, it’s essential to have people at the table who are willing to question certain decisions. “Someone,” he added, “who is willing to say, ‘I understand that in the interest of security, you need to do this, but we also have to preserve the ability to access the system, and here’s how we need to do that.’”
- Get creative. Now isn’t the time to cease with creativity. In fact, a number of organizations have come up with new ways to leverage tools already in place as part of their COVID-19 strategy. For example, Yale New Haven Health System is using IAM with single sign-on to track potential exposures to staff. Other ideas include lending devices to family members so that they can stay in touch with patients during visitation restrictions, and using access management to assist with up-staffing and staff rotations, according to Kelly.
Finally, now more than ever, vendors need to focus on being strategic partners. That, noted Kelly, means knowing when to simply listen to what customers need. It also means being willing to go above and beyond, whether that’s by increasing the number of licenses, extending them at a lower rate, or creating a taskforce to help quickly address and resolve issues that are unique to the coronavirus outbreak.
“As we do everything we can, from an operational, clinical, and IT standpoint, to fight this epidemic, we’re pushing the boundaries,” Kelly cautioned, both in terms of scale and the ability to withstand the increased capacity. And so, although he believes it’s important to continue to innovate, leaders also must acknowledge the risks involved. “The cybersecurity risk is real. Phishing attacks are real. Fraud is real. We have to be as vigilant as ever while trying to open systems up, and identity is really the only way to do that.”