Healthcare Information Security

Cybersecurity News

Focusing on Employee Training for Stronger Health IT Security

A recent Most Wired hospital system prioritizes employee training measures to ensure that health IT security will continuously evolve along with the cybersecurity threats.

Health IT security can be improved through stronger employee training measures.

Source: Thinkstock

By Elizabeth Snell

- The American Hospital Association’s Hospital & Health Networks (H&HN) Most Wired rankings were released earlier this summer, and showed that providers are making great strides in their health IT security. Providers are looking toward secure messaging, secure texting, and more mobile devices to ensure patients receive proper care and that data stays safe.

Several WVU Medicine hospitals were recently named to the Most Wired list, including WVU Medicine-WVU Hospitals, UHC, Berkeley Medical Center, Jefferson Medical Center, and Camden Clark.

As cybersecurity threats continue to evolve, healthcare organizations must remain vigilant and ensure that they are properly prioritizing privacy and security, according to WVU Vice President and CIO Jim Venturella.

WVU is a hospital-integrated system with an academic medical center based out of Morgantown, West Virginia.

From a privacy standpoint, it often starts with the employees themselves, Venturella explained.

READ MORE: Addressing the Cybersecurity Skills Gap with Improved Training

“From orientation and the training they get, through their annual refresher training, it’s a focal area for us and for them,” he said. “Our Chief of Mission Security Officer is also in communication with staff members, so there’s different tips and messages that go out every month on a different topic. We try to keep it fresh throughout the year and hit them in multiple directions, so it stays top of line from an employee standpoint.”

The backend is also important, he added. This includes internal audits, so WVU knows what data is being accessed and who is accessing that data. The organization also reviews anything that comes up as a potential issue, which is then followed up on by the privacy group and the management team associated with it.

“From the security standpoint, for physician-to-physician communication, we use secure text,” Venturella noted. “We have Spok Mobile as our application that we use for that. We’ve also been given the ability, if [employees] do need to share information through email, there’s a secured email channel that can be used. The channel encrypts information, if it is going out.”

“If employees are consulting with another provider that becomes a good mechanism,” he continued. “We also have a secure file share, so if it’s a document that needs to be shared outside, there’s a secure encrypted way of sharing it between two of our providers.”

Finally, WVU utilizes a patient portal called MyWVUChart, ensuring that all messaging communication between a patient and a provider would go through that secure option. Available through Epic, the portal lets patients view their medical records, prescriptions, and test results. Patients can also schedule appointments, request prescription refills, and pay bills in a secure fashion.

Using employee training for a continuous learning process

READ MORE: Most Wired Org Focuses on Multi-Level Healthcare Data Security

The employee training process is a constant one to make sure it remains top of line, Venturella stated.

Even the screen savers that rotate through the system offer reminders about the different tools that are offered for staff members to maintain privacy and security while still being able to communicate with one another.

“They’re working with patients and that’s not the focus of what they’re doing, so we don’t want it to fall off,” he explained. “We’ll continually work to keep it a never-ending process to keep it out in front of people.”

It’s also important to make the tools simple to use, Venturella added.

“We have secured texting right now, but there’s a number of things that we’re working with and talking to different vendors on how we make that much more efficient and valuable for the clinicians,” he said. “A lot of the patient contact is embedded in what’s going on, and there’s also more capabilities that can be added. That way, it doesn’t feel like a burden for the physician to go to a secure texting app.”

READ MORE: Transforming How Employees Approach Healthcare Data Security

“There’s actually additional value that we can bring by them using it,” Venturella continued. “The more we can do that, the more they’ll be interested in going there versus just using regular texting.”

It’s important for new technologies to not interfere with physician or staff member workflow, Venturella maintained. WVU is working to ensure that it can find the right balance between innovation and security, while still keeping daily operations running smoothly.

“People do try and balance the convenience with security and I would say our philosophy has been changing over time, whereas convenience really trumps security in the past for a lot of groups,” he explained. “We have definitely flipped over the other edge, so that security does come first. We obviously want to do everything we can to make things efficient for our clinicians, but it can’t overtake the security needs that we have.”

Looking forward, Venturella said WVU is constantly evaluating the whole market as it continues to evolve from a tool standpoint around security. The organization has a lot of things in place currently, and there’s a number of things on the roadmap that it’s doing to continually enhance what it has already, he stated.

“We want to try and get higher levels of a secure environment and manage that risk, whether it’s from people trying to penetrate our network and get access to it or just the monitoring of what’s going on internally within the network,” Venturella stressed. “I don’t see that, unfortunately, going away or slowing down anytime soon.”

“That’s going to be an area that we’re going to continue to have to grow,” he continued. “And continue to talk to vendors and see what they’re offering and try and vet out what makes sense, what’s worth the money, and what really does limit or minimize the risk that we have around privacy and security.”

Other hospitals or provider organizations that are looking to improve their privacy and security options need to garner support from the executive and C-suite level, Venturella maintained.

“You need that to be able to go out and deal with some of the convenience issues,” he said. “And if you don’t have that, you’re going to be on an uphill battle all the way along. Whereas when you do get that senior level support, and truly the organization has bought in and realizes that security and privacy does have to trump convenience in different areas, you can actually get a lot more done.”

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks