Rethinking culture in healthcare cybersecurity strategy

Data privacy is about more than keeping personal information safe and secure, says Dr. Eric Liederman, Kaiser Permanente’s director of medical informatics – it’s an essential component for establishing trust with patients that healthcare organizations take personal safety seriously.

At the HIMSS 2023 Healthcare Cybersecurity Forum, scheduled for September 7 and 8 in Boston, Liederman will highlight his experiences implementing systems and procedures that foster a culture of privacy and security.

“Patients really do say in polls and interviews that they really care about the safety of their information and the protection of their information,” he told Healthcare IT News in a preview of his presentation.

“If people don’t feel safe getting care, they won’t get it or they’ll do things to try to mitigate their sense of the unsafe,” such as withholding information from their physicians, Liederman explained. And they “vote with their feet,” he said. 

At one health system, Liederman worked for, he said it was not unusual that employees and their families would travel more than 100 miles to get care elsewhere because the culture was so “insidious” and it was clear that privacy and safety were not priorities and that any staff member could access patient data. 

Today privacy and security represent a twofold challenge.

Insider threats go beyond the risks of staff that may take patient data for personal gain or former employees’ credentials that are compromised by bad actors. There are also well-meaning employees that do not have any criminal intent but may go looking for patient information out of concern or to share information with a patient’s concerned family or friends. 

Liederman has been in the trenches working to figure out how to set up network gates so skilled clinicians and other valuable healthcare staff – employees who may have simply lapsed in judgment – are helped to stop themselves from breaching HIPAA.

There are also outside attacks that go beyond ransomware that destroy critical trust in a healthcare organization’s ability to keep patient data safe.

Some cybercriminals seek to steal personal data to extort individuals, Liederman said, monetizing their attacks by going after high-profile patients directly. An example was the late 2022 breach of Medibank, Australia’s largest private health insurer, which included the Prime Minister’s data. 

Nation-states that support cybergangs or have cyber espionage programs will also go after other government’s data, like the U.S. Federal Office of Personnel Management’s, to learn who can be compromised, Liederman said.

He said his presentation in Boston will cover the implementation of broader insider threat programs, offering tactics to prevent external threats that seek to extort individual patients and tips for how to work closely with the communications team to develop messaging about what your organization is doing for privacy and patient data protection. 

“Those kinds of privacy action communications are not done often,” Liederman noted. “Typically the only thing that we ever get is a notice of privacy practices, which is full of impenetrable boilerplate”

Liederman’s session, “Personal Safety: How cybersecurity and privacy protection generate trust in the healthcare system,” is scheduled for 10:55 a.m. on Friday, September 8, at the HIMSS Healthcare Cybersecurity Forum in Boston.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.