Deven Cook Sr., information systems security officer at Battle Creek (Mich.) VA Medical Center, explains why humans will always be the biggest threat to information security and how his hospital implemented a proactive cybersecurity training approach for staff.
Responses have been lightly edited for clarity and length.
Question: What tasks require the majority of your time as facility ISSO?
Deven Cook Sr.: Access request, security control reviews, training and audits.
Q: How do you train clinicians and front-line staff to protect patient data and avoid cyberattacks?
DC: Employees go through training during our new employee orientation class. Then, on an annual basis, all employees are required to complete privacy training and information security awareness training. If anyone who has access does not complete this training, they lose their access until it is completed. We take a proactive approach by providing senior leadership with a list of employees that will be delinquent in this training 10 days prior to reaching delinquency. I also provide service level training at staff and service meetings.
Q: What do you see as the next big cybersecurity threat hospitals should look out for and why?
DC: Humans are the biggest threat. From physicians discussing patient care in the middle of a hallway or in an elevator, to employees leaving patient information out on their desk while they run to the bathroom. As a professional and a patient in many hospitals, I have seen it all.
Government and [National Institute of Standards and Technology] guidelines can publish and push security practices all they want, but when you have humans that don't care about or lack in their responsibility to protect the information, that will always be the biggest threat to the information security program.
There is also a lack of discipline on the part of senior management at other non-VA hospitals and corporations. Employees know employers won't fire them for violations. Until employees start losing their jobs or are disciplined over violations, it shows a lack of concern from the leadership at those places of employment. Here at Battle Creek VA Medical Center, our senior leadership and service management are very much engaged with the information security program. The information security posture at the facility is taken very serious, again a proactive approach is applied.
To learn more about clinical and IT leadership, register for the Becker's Hospital Review 2nd Annual Health IT + Clinical Leadership Conference May 2-4, 2019 in Chicago. Click here to learn more and register.
To participate in future Becker's Q&As, contact Jackie Drees at jdrees@beckershealthcare.com