Human Factors and Workflows

Workflow and IT Security and IT Operations and Considerations Regarding Informatics Solutions 

Workflow in the context of healthcare can be defined as the procedural work steps that providers or other clinical staff carry out to conduct routine patient care and clinical operations, observe regulatory constraints, and run other related business processes. If any of these common undertakings require health IT in any way, then it is very likely that either (or both) IT Security and IT Operations would be looped into these matters. To illustrate this, if a clinic required a simple database server, a couple of user PCs, and the appropriate installation of operating systems (OS), applications and other systems onto those machines, then an IT Operations professional or group would be best suited to conduct those implementations. That is not to say that current clinical staff are not capable of conducting said tasks, but it is more likely that they will not have the necessary time or resources to manage the initial deployment themselves. Subsequently, it is also imperative that these new systems and machines are well secured on the network that they are connected to, to ensure the safekeeping of any patient data and other sensitive information, since any unintended disclosure of said data would most likely lead to regulatory penalties. So, if the same IT Operations staff are knowledgeable enough regarding security best practices, they themselves could establish the necessary security controls. Otherwise, IT Security experts might need to be utilized.

Thus, from the very beginning, that is, the setup of various health IT tools and systems, it is very likely that both IT Security and IT Operations would need to be involved in some capacity. Furthermore, it would be absolutely necessary for experts in both of these areas to elicit user knowledge and requirements from their stakeholders. This in turn gives way to a user-centered design. In this case, said stakeholders or users would be the clinical staff utilizing health IT. IT professionals tend to develop or implement solutions that they are the most comfortable with, or with the mindset that all implementations need to be standardized across the board. In some instances that may be the case, but looping stakeholders into the process from start to finish ensures that the ultimate end-users of the technology are well equipped to adopt the technology and use it as effectively as possible. An example of this would be setting up the firewall configurations at a small clinic. IT Security best practice tends to dictate a “pin-hole” approach when it comes to allowing network users to access external resources, especially those out on the World Wide Web. That is, access tends to be set up on a least-privilege basis for users. For example, with this type of approach, a receptionist would most likely not be able to access social media sites from a PC connected to the clinic network. It is not likely that it was set up to prevent browsing social media during work hours, but instead to prevent the disclosure of important data or information through social media sites. An example would be an uploaded picture of a patient paper file that was included in the background of a selfie. So instead, what IT Security professionals recommend is to allow certain categories of sites or (ideally) individual sites to certain individuals on an as-needed basis. So, for illustrative purposes, suppose a brand-new medical references database has been released.
Currently implemented firewall rules might pick up on the fact that this new site falls under a category along the lines of “Health and Medicine”. If a firewall rule already exists that allows sites under this general category, then no further rules might be needed to allow traffic to the new database resource. However, if only certain clinicians should have access, or if the site is not currently categorized, then a brand-new firewall rule might need to be implemented by a network or IT security engineer. This is just one example of IT (and IT staff) contributing to a technology acceptance model for clinical health users.

Palo Alto’s “Test A Site” web resource, which allows users to check the validity or categorization of certain sites. A useful tool for Security and Network Engineers.
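The rule logic described above, as an added example that is not part of the original post and is not firewall vendor configuration: a small Python model of a default-deny URL policy with category rules and per-site rules. The host names, group names and category feed are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed category feed; a real firewall takes this from its vendor's URL database.
CATEGORIES = {
    "medref.example": "health-and-medicine",
    "social.example": "social-networking",
}

@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset               # user groups the rule applies to
    category: Optional[str] = None  # match a whole URL category ...
    host: Optional[str] = None      # ... or one individual site

    def matches(self, group: str, host: str, category: str) -> bool:
        if group not in self.groups:
            return False
        if self.host is not None:
            return host == self.host
        return category == self.category

def decide(rules, group: str, url: str):
    """Return (action, rule name). Only allow rules exist; no match means deny."""
    host = (urlsplit(url).hostname or "").lower()
    category = CATEGORIES.get(host, "uncategorized")
    for rule in rules:
        if rule.matches(group, host, category):
            return "allow", rule.name
    return "deny", "default-deny"   # the "pin-hole" default

# Existing policy: clinicians and reception may reach health and medicine sites.
BASE_RULES = [
    Rule("allow-health", frozenset({"clinician", "reception"}),
         category="health-and-medicine"),
]
# New rule for a site the feed has not categorized yet, limited to clinicians.
EXTENDED_RULES = BASE_RULES + [
    Rule("allow-newdb-clinicians", frozenset({"clinician"}), host="newdb.example"),
]

if __name__ == "__main__":
    for rules, label in ((BASE_RULES, "base"), (EXTENDED_RULES, "extended")):
        for group in ("clinician", "reception"):
            for url in ("https://medref.example/drugs", "https://newdb.example/",
                        "https://social.example/feed"):
                print(label, group, url, decide(rules, group, url))
```

A categorized site is reachable under the existing category rule, while the uncategorized one stays blocked for everyone until the clinician-only rule is added.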

Another technology with similar but slightly different implementation and configuration challenges to those of firewalls is the health information exchange (HIE). In a similar fashion, while attempting to enhance the interoperability of a clinic’s electronic health record (EHR) with a new HIE, IT Operations would need to be involved. They would also need to work with end-user stakeholders to ensure that the information or data being shared, such as forms, XML files, etc., is up to par with what staff use during their day-to-day operations and that systems work as intended post-deployment. Once again, the end goals of both IT Security and IT Operations are to secure data and maintain technology in an operational state; however, a close secondary goal is to ensure that the end-users they support can use health IT systems and tools efficiently and as intended.

Looping back to who in clinical settings would stand to benefit from a user-centered design for workflows utilizing informatics solutions: that would be any user that intends to interact with said solution(s). A classic example of designing and implementing an IT technology to the benefit of IT Security and ease of use for end-users is Two-Factor Authentication (2FA). In the recent past, only passwords were required when users sought to gain access to potentially sensitive machines, systems, or data. However, with the advancement of computing power, hackers have leveraged said power to run complicated algorithms that can crack even some of the most complex passwords (through multiple instances of trial and error). So, one solution that was born from this was the use of both physical and software tokens, a form of two-factor authentication. These tokens would be assigned to one and only one user and would display a constantly rotating string of random numbers or characters, which, when used in conjunction with their login information, would grant access. This in turn made guessing passwords exponentially more difficult for external threat actors. So, why bring up 2FA in a discussion of workflows for clinical staff? Well, if not already implemented, this is a potential solution that could positively benefit a healthcare setting. It would be best practice to assign tokens to all network-accessing users. However, if hypothetically, only providers accessed sensitive platforms or data, then the development and implementation efforts for 2FA tokens would differ slightly in that only providers would be given physical fobs with tokens or made to download a secure authenticator application. This illustrates yet another important area of workflow observation: would providers feel more comfortable with physical tokens, or a smartphone application? Would those same tokens be required again when accessing even more sensitive applications or data once already logged in?
The implementation team (most likely IT Security) would need to conduct a close analysis and requirements gathering to ensure that the new security control technology is adapted optimally for the intended users and their workflows.
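How a rotating code combines with a password at login, as an added example that is not from the original post: the tokens pictured here run their vendor's own algorithm, which the post does not describe, so this sketch uses the open TOTP standard (RFC 6238) instead. The user name, password and salt are constructed, and the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the RFC 6238 default

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: same secret + same clock = same code."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Verifier:
    """Server side: require the password AND a fresh code from the user's token."""

    def __init__(self):
        self.users = {}         # username -> (salt, password hash, token secret)
        self.last_counter = {}  # username -> last accepted time step

    def enroll(self, user: str, password: str, salt: bytes, secret: bytes):
        self.users[user] = (salt, hash_password(password, salt), secret)

    def login(self, user: str, password: str, code: str, now: int, drift: int = 1) -> bool:
        if user not in self.users:
            return False
        salt, pw_hash, secret = self.users[user]
        if not hmac.compare_digest(pw_hash, hash_password(password, salt)):
            return False
        current = now // STEP
        # Accept the previous and next step to tolerate clock drift on the token.
        for counter in range(max(0, current - drift), current + drift + 1):
            if counter <= self.last_counter.get(user, -1):
                continue  # this step was already used: refuse replay
            if hmac.compare_digest(totp(secret, counter * STEP), code):
                self.last_counter[user] = counter
                return True
        return False

RFC_SECRET = b"12345678901234567890"  # published RFC 6238 test key, not a real secret

def demo():
    v = Verifier()
    v.enroll("dr_lee", "correct horse", b"constructed-salt", RFC_SECRET)
    code = totp(RFC_SECRET, 59)
    return [
        v.login("dr_lee", "correct horse", code, now=59),   # password + fresh code
        v.login("dr_lee", "correct horse", code, now=61),   # same code replayed
        v.login("dr_lee", "wrong password", totp(RFC_SECRET, 120), now=120),
        v.login("dr_lee", "correct horse", code, now=240),  # stale code
    ]
```

The drift window and replay check are the settings that most affect the workflow questions raised above: a wider window is more forgiving for users but keeps each code valid longer.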

An RSA hardware token that is used in conjunction with a user password to log into systems.
An RSA software token, in the RSA Authenticator smartphone application. Works similarly to a hardware token.
AHRQ Health IT Tools on Workflow: Root Cause Analysis and its Use for Workflow Challenges in IT Security and IT Operations

Navigating through the Agency for Healthcare Research and Quality’s (AHRQ) website on workflow tools for health IT, one will find that there are numerous tools that can be leveraged to gain a complete understanding of workflows in healthcare settings. Because the AHRQ has identified almost 100 tools, they have grouped them, based on common characteristics, into “parent” categories. Some of these categories are Data Collection, Process Improvement, Process Mapping, Risk Assessment, Task Analysis, and Usability, to name just a few.

One tool that stood out, due to it being an all too familiar technique used during both my IT Security and IT Operations days, is Root Cause Analysis. This tool, found under the AHRQ’s Risk Assessment tools category, is described as a “technique used to determine why a problem occurred” with the goal of identifying a problem’s origin by pinpointing the exact issue and why it occurred, and developing methods to prevent or drastically reduce the probability of the issue reoccurring in the future. To showcase this tool’s effectiveness in relation to IT Security, a common security concern will be examined through a Root Cause Analysis lens.

That common security concern is unwanted network intrusion or disturbance. To pick up again on the topics of networking and proper access, real-life, continuous issues that plague organizations that face the web are those that involve dealing with and fending off external threats. Two of those are threat actors attempting to gain access to safeguarded systems, applications, or data, and network disruptions. Said network disruptions are sometimes initiated by malicious threat actors as well. A common means of doing so is what is known as a Distributed Denial of Service (DDoS) attack. This is a type of cyber attack that floods a network or machine with internet connection/traffic requests from various sources to overload the target. This in turn slows or incapacitates the target so that it cannot process any additional requests, be they legitimate or not. The main goal is to disrupt operations temporarily or indefinitely. These tend to be troublesome issues to deal with, so much so that both IT Security and IT Operations are sought out to assist during an attack. The common sequence of events begins with staff from both IT areas attempting to fend off the attack, while also trying to restore to operation the machines, servers, or network being targeted. Ideally, if there are any existing backups, those would be spun up to handle the legitimate traffic in the meantime, but only after careful analysis confirms that they would not also be affected by the attack. Concurrently (or perhaps after the attack is dealt with, given resource constraints), other staff will start to work on a Root Cause Analysis. It is common that during a DoS attack, an organization will attempt to cut off the malicious traffic. Although it is a rather difficult task, networking engineers might be able to pinpoint where the traffic is coming from via IP addresses and then limit said traffic via firewall rules.
Again, during an attack of this kind, many IP addresses will be used as attack vectors, so such an approach can prove to be rather complex. So, if the root of the issue can be discerned (and hopefully stopped), the next step in a Root Cause Analysis is to identify the reason for the DoS attack and then implement measures that will prevent it from reoccurring. In this case, after the network and its traffic have been properly analyzed by both IT Security and IT Operations personnel, remediation work can begin. If, for example, a clinic’s externally facing web application was the target of such an attack, and it was found that the application was not behind a firewall protecting it from external traffic, then the next logical solution would be to place said application behind a web application firewall (WAF). Appropriate security controls would also need to be configured to allow legitimate external and internal traffic to reach the web application.
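Why pinpointing traffic by IP address gets complex when many sources are involved, as an added example that is not from the original post: a Python triage pass over a constructed web access log that counts requests per source address and per /24 network. The log format, thresholds and addresses (documentation ranges) are assumptions, and IPv4 is assumed.

```python
import ipaddress
from collections import Counter

def build_sample_log():
    """Constructed log: 3 ordinary clients plus 40 hosts in one /24 sending a flood."""
    lines = []
    for ip in ("198.51.100.7", "198.51.100.23", "192.0.2.44"):
        lines += [f"2021-11-02T10:00:{n:02d}Z {ip} GET /appointments 200" for n in range(5)]
    for host in range(1, 41):
        lines += [f"2021-11-02T10:00:{n:02d}Z 203.0.113.{host} GET /portal/login 503"
                  for n in range(30)]
    lines.append("corrupted line")  # the parser must survive junk during an incident
    return lines

def parse(line):
    _ts, ip, _method, path, status = line.split()
    return ipaddress.ip_address(ip), path, int(status)

def triage(lines, per_ip_limit=100, per_net_limit=500, prefix=24):
    """Summarise who is sending what; the output feeds a reviewed firewall change."""
    per_ip, per_net, paths = Counter(), Counter(), Counter()
    skipped = 0
    for line in lines:
        try:
            ip, path, _status = parse(line)
        except ValueError:
            skipped += 1
            continue
        per_ip[ip] += 1
        per_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
        paths[path] += 1
    return {
        # Sources that exceed the limit on their own.
        "noisy_ips": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        # Networks whose hosts stay under the per-IP limit but exceed it together.
        "noisy_nets": sorted(net for net, n in per_net.items() if n > per_net_limit),
        "top_path": paths.most_common(1)[0][0] if paths else None,
        "distinct_sources": len(per_ip),
        "skipped": skipped,
    }

if __name__ == "__main__":
    for key, value in triage(build_sample_log()).items():
        print(key, value)
```

In the sample no single address crosses the per-IP limit, so only the per-network view surfaces the flood; a network-wide rule can also catch legitimate users in that range, which is why the result is a candidate list for review rather than an automatic block.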

Palo Alto’s Monitor dashboard, which allows engineers and analysts to find root causes of common cyber attacks, such as a D/DoS attack.

Ultimately, if such an issue were to occur in a healthcare setting and the targeted system was a vital health system, then the clinical staff would be greatly affected, perhaps to the point of not being able to provide care to patients. As Wiggill states, “IT professionals need to put on their detective hats to identify the source of the issue and solve it before the business and the patients experience any adverse impact” (2016). So, because DoS attacks are relatively common, a lesson learned from such an attack would elicit an investment in backup technologies as part of the workflow reevaluation. In essence, having a segmented network, a WAF, or backup servers and databases could be a part of the planning and redesign of the workflow that would be affected by a D/DoS attack. For instance, not allowing clinical staff to have access to certain parts of the network would prevent the same staff from accidentally leaking information about a potential network opening to attackers (although there really should not be one to begin with). Another workflow redesign could be developing user guidelines on how to switch over to backup technologies if another attack were to occur. Of course, the investment and workflow changes would come about from what was learned from one of the AHRQ’s workflow tools used during this technological debacle, that being the Root Cause Analysis.

Graphical depiction of the logical steps of a simple DDoS attack. Starting with both legitimate and malicious traffic flooding the target system, and resulting in an overflooded and incapacitated system.

 

Human Factors and IT Security and IT Operations – Challenging Areas Affecting Humans and Human Factors Based Solutions

A challenging and often tedious aspect of IT that users regularly deal with is login security. IT professionals are constantly suggesting that stronger passwords be used when creating an account or updating an existing password. I equate it to your parents making you eat your vegetables growing up. Sure, eating vegetables is a bummer, but they are good for you! The same can be said about complex passwords. It is not expected that users make passwords long and overly cumbersome, but it is also encouraged that users become more creative with their passwords and not just rely on old reliable “password123”. It is also very strongly encouraged to not reuse passwords, especially when logging into work or sensitive systems or applications, such as financial platforms. To be frank, that is quite a lot to ask of humans. I am a security-driven individual, and often find myself being lazy and reusing the same password, or not adding extra non-alphanumeric characters. So, I can’t blame regular users of health IT for straying from best practice, when we as humans are not wired to think like computers and come up with numerous well-suited and secure passwords while remembering all of them. I have run into some impressive individuals who can recite long strings of characters that do not make any sense, and claim those are passwords (now that I think about it, this is quite a foolish thing to do in a public setting). But, for those of us who have a particularly hard time remembering such lengthy strings of characters, there are tools that can be used to securely store passwords. These are often referred to as lockboxes, or programs that securely store passwords via encryption. Accessing the passwords usually requires the use of one master password and perhaps 2FA as well. I would argue that at least a third of support calls that I dealt with while working at an IT Help Desk involved dealing with frustrated users that had forgotten their password(s).
So, it is no surprise that technologists took aim at this user pain point and innovated a secure solution that could aid human performance and reduce frustrations with technology. This is an example of leveraging technology to relieve end-users of some of the mental strain resulting from technology, so they can focus their own processing capabilities on other matters.

A second IT Security related challenge that humans are historically substandard at is successfully identifying instances of malicious phishing. Humans tend to be quite terrible at discerning cyber threats, and phishing email is one of those threat vectors. As someone who was tasked with creating phishing campaigns for user cybersecurity training and seeing the resulting metrics, I can confirm that you could always count on a sizable number of individuals falling for a simple phishing email. From entry-level non-IT employees to seasoned IT Security professionals, there were always a select few individuals clicking on suspicious links or opening malicious files. But this should not come as a huge surprise, as the human brain is wired to be curious, short-sighted, and overly trusting. In fact, there is a whole field of engineering, Social Engineering, that studies the psychological manipulation of individuals into performing actions that would grant unwanted access to confidential resources or information. Threat actors spend their livelihoods studying this field in order to take advantage of these human deficiencies. So how do we combat these threat actors, but also keep in mind human factors like those previously mentioned? We came up with an innovative way of leveraging certain aspects of the technology in place to help users make informed decisions before performing an action. An example of a decision support tool used was to code a simple HTML banner segment into all incoming email that would change in appearance based on the origin of the communication. If an email was external or came from a non-trusted source (that is, a source not yet vetted and not necessarily malicious), then the banner atop the email would be a yellow color with some warning text. This would draw the attention of the user and remind them of security best practices when dealing with email communication from external sources.
Alternatively, if an email was from a previously vetted and trusted source, a green banner would be displayed. Although a simple decision support tool, it proved to be quite effective, as clicks and redirection to external sites from suspicious email were down thereafter. Of course, this same tool and challenge are not exclusive to the financial industry. There are instances of phishing at DePaul University, and surely in the healthcare industry as well. Before leaving my previous employer, we saw a sizable upward trend in COVID-19 and work-from-home related phishing scams at both my organization and across the technological landscape at large. The fact is that phishing remains a very popular and relatively easy vector for threat actors to launch attacks with. It preys on human vulnerabilities and has the capability to stay current with world events. In fact, phishing ranked 2nd in a 2020 list of High-Risk Entry Points for Hackers in the Healthcare Industry, as reported by Wandera, a cloud security solutions firm. A staggering 56% of healthcare organizations had reported being affected by phishing attacks (SafetyDetectives).
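One way to build the yellow/green banner described above, as an added example that is not the code used at the author's employer: a Python function that classifies an incoming message and prepends the banner to its body. The trusted-domain list, banner wording and the reliance on a gateway-written Authentication-Results header are assumptions; the From header alone can be forged, so the green banner also requires a recorded DMARC pass.

```python
import email
from email import policy

TRUSTED_DOMAINS = {"lab-partner.example"}  # constructed list of vetted senders

BANNERS = {  # kind -> (background colour, banner text)
    "trusted": ("#d4edda", "Vetted sender."),
    "external": ("#fff3cd", "External or unvetted sender. Take care with links and attachments."),
}

def classify(msg) -> str:
    """Green only if the From domain is vetted AND the gateway recorded dmarc=pass."""
    sender = msg["From"]
    addresses = sender.addresses if sender is not None else ()
    if len(addresses) != 1:
        return "external"
    # Assumption: the mail gateway removes any inbound Authentication-Results
    # header and writes its own, so this value can be relied on.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if addresses[0].domain.lower() in TRUSTED_DOMAINS and "dmarc=pass" in auth:
        return "trusted"
    return "external"

def add_banner(raw: str):
    """Return (kind, message) with the banner placed at the top of the body."""
    msg = email.message_from_string(raw, policy=policy.default)
    kind = classify(msg)
    colour, text = BANNERS[kind]
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        banner = f'<div style="background:{colour};padding:8px">{text}</div>'
        html.set_content(banner + html.get_content(), subtype="html")
    else:
        plain = msg.get_body(preferencelist=("plain",))
        if plain is not None:
            plain.set_content(f"[{text}]\n\n{plain.get_content()}")
    return kind, msg

def sample(sender: str, dmarc: str, body: str, subtype: str = "html") -> str:
    """Build a constructed test message as the gateway would hand it over."""
    return "\n".join([
        f"From: {sender}",
        "To: frontdesk@clinic.example",
        "Subject: constructed sample",
        f"Authentication-Results: mx.clinic.example; dmarc={dmarc}",
        f"Content-Type: text/{subtype}",
        "",
        body,
    ])
```

Anything that is not positively identified as vetted gets the yellow banner, so a parsing failure or a missing header falls back to the cautious state.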

 

Works Cited

 

Twilio. (n.d.). What is Two-factor authentication (2FA)? Authy. Retrieved November 2, 2021, from https://authy.com/what-is-2fa/.

Agency for Healthcare Research and Quality (AHRQ). (n.d.). Root cause analysis. Root Cause Analysis | AHRQ Digital Healthcare Research: Informing Improvement in Care Quality, Safety, and Efficiency. Retrieved November 2, 2021, from https://digital.ahrq.gov/health-it-tools-and-resources/evaluation-resources/workflow-assessment-health-it-toolkit/all-workflow-tools/root-cause-analysis.

Healthcare Innovation. (2016, August 26). Tips for investigating common workflow issues. StackPath. Retrieved November 2, 2021, from https://www.hcinnovationgroup.com/interoperability-hie/article/13007935/tips-for-investigating-common-workflow-issues.

SafetyDetectives Cybersecurity Team. (2021, May 20). Healthcare Cybersecurity: The biggest stats & trends in 2021. SafetyDetectives. Retrieved November 2, 2021, from https://www.safetydetectives.com/blog/healthcare-cybersecurity-statistics/.

 

Web Resources

https://urlfiltering.paloaltonetworks.com/query/

https://digital.ahrq.gov/health-it-tools-and-resources/evaluation-resources/workflow-assessment-health-it-toolkit/all-workflow-tools
