Informa Australia is part of the Informa Connect Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 3099067.
13 Feb 2023, by Amy Sarcevic
The safety of patients and the security of systems that help look after them may, at first glance, appear to be complementary features of a functioning healthcare setting.
But as Eddy Cheung from SA Health points out, safety and security are often in direct conflict within healthcare, resulting in situations that can put patients or their data at risk.
“Say a clinician needs to login to a system and determine whether a patient, who is haemorrhaging following a car crash, needs immediate surgery. In this scenario, seconds would matter, so having to go through multi-factor authentication [a series of steps to verify your identity] could threaten the patient’s life,” he said.
“That said, from a security perspective, we do still need to verify users through multi-factor authentication. If the wrong person logged on, the patient’s data could be exposed, which would carry secondary risks for them.
“Of course, patients’ lives always take priority, but that doesn’t mean we should totally forget about security. We need to find other ways to protect healthcare systems, without compromising patient safety.”
A better way
Mr Cheung and his team at SA Health have been exploring scenarios like this for the last six years.
The team starts out by identifying situations where safety and security might clash; then devising a solution that better meets the needs of clinicians and their patients.
In the example above, Mr Cheung came up with the idea of using a second authentication factor that runs independently without the clinicians’ input. This satisfies the multi-factor authentication requirement more safely.
“The clinician enters their password – that is step 1. Then, the second authentication factor, which is unique to the user but not visible to them, runs in the background and provides a second way to verify their identity.
“In this scenario, the clinician has only had to undertake one small step (entering their password) and hasn’t wasted valuable time entering a code that was sent to their mobile phone; or remembering the name of their first pet, for example. Yet, the security of the system has been maintained just as thoroughly.
“It’s a simple, but effective, solution that will make a profound difference to healthcare.”
Rethinking traditional technologies
In another scenario, Mr Cheung and colleagues found that traditional firewalls were interfering with the workflows of clinicians who operate remotely, or in varying locations.
“Traditional firewalls take into account the fixed location of users, so if someone logs on from a different setting or device, they can face security hurdles.
“Again, this wastes valuable clinician time, so we adapted our architecture to place emphasis on user identity, not user location.
“This is especially important now that the healthcare workforce is becoming more mobile,” he said.
Driving cultural change
Mr Cheung says rethinking the culture of security teams has been a large part of the process.
“A lot of security personnel have an ICT background and may not be used to thinking about clinical problems. Some of the processes they bring can also be black and white, focused on eliminating security risk but not considering context.
“We have radically shaken this up and encouraged security teams to take a broader view of the healthcare system in which they are working. They now come up with nuanced, context-based solutions.”
Equally, the initiative has encouraged healthcare professionals to be more security-minded. Before the new measures, Mr Cheung believes some clinicians may have been forced to circumvent security processes as they strive to improve patient’s health and wellbeing.
“Ultimately, clinicians have a duty – and a natural desire – to protect their patients in the best way they can. If this means side-stepping security processes, I would not be surprised. Nor would I blame them.
“If a remote clinician cannot login to patient software because of a firewall restriction, it might be reasonable of them, in that moment, to open up an online document and start taking patient notes that way.
“Of course, this would have negative longer term consequences for patient safety, as their data would not be adequately protected. But if clinicians are forced to prioritise short term safety needs, then of course, many will.
“This is why it is so important to consider the context and apply technologies in the right way to assist them, so clinicians are never faced with a trade-off like this.”
Addressing the increasingly hazardous environment
The measures are especially important, in light of recent cyber security statistics. According to the Office of the Australian Information Commissioner (OAIC), healthcare is the hardest hit sector for data breaches, accounting for 20 percent of notifiable incidents.
Mr Cheung hopes these statistics will get better over time, as more security solutions adapt to the needs of healthcare.
“We are just starting out in our journey, but have already noticed an improvement in clinicians’ attitudes towards security.
“Where security once presented friction, it is now creating harmony and improving the efficiency of everyday workflows. As a result, we have seen healthcare professionals who are now advocating for this change,” he concluded.
Eddy Cheung is a Senior Manager for Security Services at SA Health, where he is responsible for information security.
Hear more from Mr Cheung at the 2nd Annual Healthcare Cyber Security Conference – one of three conferences to take place at Connect Virtual Care.
One pass for Connect Virtual Care gives delegates access to the Healthcare Cyber Security Conference, the National Telehealth Conference and the Medication Safety & Efficiency Conference.
This year’s event will be held 27-28 April at the Hilton Sydney.
Informa Connect Australia is the nation's leading event organiser. Our events comprise of large scale exhibitions, industry conferences and highly specialised corporate training.
