by adgrooms on March 5, 2020

When you go tent camping, you typically don't have any reason to lock down your tent with a padlock. The possessions generally are lower in value and easily replaceable. The only threat is that bear getting to your peanut butter and honey sandwich, and he can have it. However, in your home, you have valuable items that you want to prevent other people from taking. This is one of the main selling points for including a door and a lock on a modern dwelling. But having a door and a lock comes with a slight inconvenience.

Here is an example we all experience at some point. You come home with the groceries for the week. So many that you have to get under the bag to keep it from breaking. But to get them inside, you have to stop at the door, find the right key, insert in the keyhole, unlock, and turn the door handle while balancing your groceries in the other arm. It would be a lot more convenient just to take the doors off your house so you could walk right in with your armful of groceries. Of course, this would allow anyone who wanted to step in and take whatever they want, including those groceries that you worked so hard to carry inside.

We see this analogy play out in healthcare security. A busy clinician needs to get into the EHR system, but there is the login again. They must enter a password before going any further. The seconds add up when they have to repeat this over and over throughout the day. It adds a strain to the workflow, and the little redundant inefficiencies trickle down to have secondary effects on other processes. Of course, patient health information should be secure, but are you over securing other data that doesn't need that much protection? If there isn't PHI or other information covered by HIPAA, does it need two-factor authentication every time you sign in? Probably not. For example, learning information on an app that a resident uses for decision help - if it isn't convenient to access, they probably won't use it. Maybe some data that clinicians need could be made easier to access.

There are three questions to ask about securing data:

*What is the value?

*What is the risk?

*What is the cost to protect it?

PHI is a valuable commodity to hackers that can keep producing over time. They can keep reselling it until the demand is gone. And that's just the first bad link in the journey of PHI data on the darknet. But other information is not valuable at all. If you have an app that is your hospital handbook, and the only personal information in it is a directory of all of the hospital's employees, then it probably doesn't need the same security as an EHR system. If you have scheduling software, what is the risk that a hacker breaks in to steal schedules? There are paper schedules that would be easier to walk in and take.

So what is the cost of protection? Locking down patient data with Fort Knox style protection will get the job done most of the time...until Brad Pitt and George Clooney show up with their friends to pull off a world-class caper. Ok, they probably won't be rappelling down the side of the hospital to steal your server, but if some hacker wants to break into your data, with enough time, care, and effort, they can break-in.

A key to combatting breaches is not to make it so hard for employees to access data that they get fed up and adopt unsafe practices.

One point of contention is policies that require frequently resetting passwords. Instead of using a password manager or having one robust password that is long (safe) and personal (easy to remember) to the user, they have to come up with ways to keep up with passwords for multiple systems that are periodically changing. Inadvertently, passwords get written on a post-it and stuck in a drawer.

Another overused security feature is the password lockout. The new password that you were just required to change is fresh in your mind until you don't need it for a day or have to enter it in a stressful moment. Then you try to enter it...then again...and again...until after five tries, you are locked out of the EHR when you need it most. Only a call to IT will solve your problems. While a threshold can hamper a brute force attack, the likelihood of guessing a password in five attempts, or one hundred for that matter, is slim to none. Setting unreasonably low password thresholds doesn't increase data protection by much and can cause some stressful situations for a busy clinician trying to remember which president's name spelled backward (along with their birth year) is their password for this particular EHR.

One of the most effective security measures is awareness. Everyone at your institution needs education on how to recognize phishing (not "fishing" that the bear in your tent does when he's not stealing your sandwich) and social engineering techniques. Hackers are more likely to be successful with these techniques than brute force password guessing.

Security and convenience are a balance.

Common sense measures should be applied to accessing data. Protect what needs to be protected. But consider the secondary implications of making data hard to access. And always remember, if the bear breaks into your tent while camping, give him the peanut butter and honey sandwich if he demands, but never your EHR password!