Over the past several years of working with healthcare organizations of every size, we have frequently encountered organizations looking to significantly enhance their security posture.
At the same time, there is inevitably a desire to avoid disrupting the end user population and to let them carry on with their critical work without radically shifting “the way things are done” solely because security tools and capabilities insert themselves intrusively into their operations. It’s a delicate balance, to be sure.
While it’s certainly possible to try to align both sides of that equation, at some point every organization must face the reality of the threat landscape and take the steps needed to avoid leaving itself vulnerable to malicious attacks and exploitable pathways.
As we’ve conducted security-focused efforts at dozens, if not hundreds, of these healthcare organizations, we have also commonly found a strong initial appetite from their IT and Security teams to go as far as possible with security tools and their capabilities.
Still, as we roll out those capabilities, the teams inevitably receive pushback and vocal complaints from end users. Often, some of those users are senior-level care staff and executives with strong opinions about the disruption the security tools and capabilities create for themselves and their teams.
Our encouragement to those IT and Security teams has been to avoid reactionary alterations to security planning in response to these vocal users. Instead, we recommend a measured and practical approach: educate those users and listen to their concerns, while maintaining a firm resolve to uphold the core security capabilities the organization needs to remain resilient and secure in the face of the threat landscape.
Individual users can often struggle to see the “big picture” of security beyond the direct impact the security tools have on their day-to-day work. Yet they would be the first to acknowledge that they wouldn’t want to be held responsible if relaxing security controls led to a compromise or a successful malicious attack on the organization.
It’s a patient safety challenge if an organization neglects its security hardening and maturity (see, e.g., ‘Lives are at stake’: hacking of US hospitals highlights deadly risk of ransomware | Hacking | The Guardian).
To get ahead of this anticipated end-user frustration and the lack of broader understanding of why security capabilities are being enhanced, we’ve had much success combining security tool configuration and implementation with end-user communication and training efforts in the lead-up to the rollout of those new capabilities.
Users will often surprise you with how willing they are to embrace change when they’re given the benefit of the doubt and enough time, attention, and effort up front to explain what’s changing, why, and how it’s essential for the safety and integrity of the organization, and therefore its most critical asset: its patients.
We also find it equally critical to get buy-in, acceptance, and understanding from the organization’s senior executive team (bonus points if they also contribute to the communications to the rest of the user population, helping reinforce the united front the organization is presenting and the seriousness with which it’s approaching security enhancements).
While this only partially removes the chance that users will vocally object to or struggle with the changes, it can reduce the volume and intensity of that feedback while enabling the IT and Security team to remain more resilient in the face of it.
Adopting an optimal Zero Trust state and an overall mature, multi-layered security posture is no longer an optional path but a necessary and essential exercise.
Despite user frustrations, it is Virteva’s position that the frustration is worth withstanding while users adapt to the changes, in exchange for a much greater ability to avoid catastrophic malicious attacks.
More recently, we’ve seen new precedents set, with healthcare institutions quite literally shutting their doors due to ransomware attacks (An Illinois hospital links closure to ransomware attack (nbcnews.com)) and CISOs facing civil suits for neglecting cybersecurity minimum standards (SEC Sends Ominous Warning to CISOs and Cybersecurity Professionals With Wells Notice Concerning SolarWinds Breach | Katten Muchin Rosenman LLP – JDSupra).
Therefore, it’s no longer practical to “meet in the middle” with users by relaxing cybersecurity standards and approaches to appease their concerns. Instead, organizations must remain resilient in the face of that frustration and stay the course toward adopting security best practices, even where doing so changes how those users perform their day-to-day tasks.