As countless countries have embarked on digitising their ecosystems, the increasing pace of healthcare technology adoption in recent years has fuelled a global race for innovation. Indeed, faster and more reliable internet connections, scalable cloud-computing services and a high penetration of smart mobile devices have opened a new frontier in the access to and delivery of healthcare services today. The business transformation promised by Electronic Medical Records (EMR), ePrescription, Telemedicine and other digital services has positively affected the field and energised an otherwise schizophrenic industry known for its innovative conservatism. However positive, this new ubiquitous access to medical services and the related information exchange have brought serious new challenges directly affecting extra-mural patient safety, so much so that the ‘first-do-no-harm’ rule has to retake centre stage in and around all technology-related processes. Inherently, designing and enforcing cyber security and technology safety policies and procedures must become a mission-critical endeavour for every responsible government and care delivery organisation.
Easier said than done: reality suggests that in many emerging economies the barrier to such a seemingly easy undertaking lies in sizeable misconceptions across all levels of the healthcare ecosystem. Based on our long experience and observations, here are the top five cascading misconceptions about digital health in general and cyber security in particular. I’m hoping most of you will be able to relate the following to your own experiences.
1. Doing the right thing for the wrong reasons
Symptoms: In real life, these projects feel like a daily struggle in justifying the cost of digitisation and the existence of every digital health employee and consultant.
In countries with lower digital maturity levels, being patient-centric very often translates to just building a technology stack around the patient and doctors without measuring its added clinical value. The ‘success’ of most health tech projects is then measured in ‘scale of technology implementation’. You’ll hear and see CIOs boasting about ‘what’ they’ve implemented and the integration level between systems, but rarely about enhancements in clinical processes or the quantified impact of this technology on health professionals or the patient. While it is important to focus on interoperability and other data governance standards, the pit of these eHealth initiatives often remains miserably dry on measurable clinical outcomes. The result of this unfortunate oversight is a myriad of frustrated users aimlessly floating in a sea of failed technology pilots. The main reason behind this contagious behaviour is an immature clinical leadership running alongside politicians in a hurry.
2. Feeding on buzzwords
Symptoms: Buzzword-mania feeds so-called ‘innovation programmes’ which in turn increase the pressure on eHealth departments and clinicians alike to be seen as adopting these new technologies at any cost — including ethical ones. Adding the fuel of software-vendor-driven ‘free’ pilots into these buzzword fireworks, makes this national double-blind study just perfect.
In line with the above, and before understanding the context within which technologies can add value to the patient’s journey, large investments flow into drum-beating initiatives around Artificial Intelligence and other Blockchain stints. While today some applications are more mature than others, we’re still awaiting the clinical evidence behind the value of chatbots in healthcare, or the sustainability of blockchain’s equation relating ‘its tremendous energy consumption to added health system performance’. In radiology, histopathology and other clinical fields, artificial intelligence is already a well-documented transforming force. However, used without a clear clinical purpose, technology buzzwords sell the shallow illusion of not missing out, without proof of driving any measurable change in health outcomes or system performance. Worse, without clear policy and procedure oversight, the adoption of new technologies in clinical settings can put patients at an unnecessary risk of being physically harmed. An example of good governance can be seen in NHS Digital’s Clinical Safety Programme and its related standards, which have been made mandatory under the UK Health and Social Care Act of 2012. This programme manages all risks and the assurance of safety related to health IT software, as well as live safety incidents emanating from it. It is a well-established set of practices that has added tremendous value to patient safety. And since now even machines are learning, it might be a good thing for healthcare decision-makers to keep up with the learning too. Or else, as seen by a machine, let’s not make artificial intelligence become the antonym of human ignorance.
3. Cyber security is the responsibility of the IT Department
Symptoms: Powerless chief information security officers (CISO) and heads of Cyber Security Operations and Command (CSOC) fighting endless, unproductive and useless internal battles to integrate processes and distribute cyber security accountabilities across non-IT departments that don’t care.
Because on the surface the common context of cyber security is technology, the vast majority of healthcare professionals, including those in IT departments, believe everything relating to this area is within the jurisdiction of the IT guys. While the role of a CISO is to be the legal custodian of the overall risk relating to protecting critical infrastructure, his/her accountability is only the sum of every single system user and their respective departments — and that stretches way outside of the IT-factory grounds. In fact, more than 80% of cyber risk management is related to the efficiency and maturity of the organisation’s integrated policies and procedures. For example, Identity and Access Management (IAM) is a multi-dimensional and multi-layered process which deals with the privileges of humans and machines to access networks and systems, based on their roles in the organisation and the clearances given to them by their managers to do so — not (only) by the IT department. Moreover, beyond systems, these access rights must stretch to integrate physical location access, with badged and non-badged areas. This means the process defining the security of the IT infrastructure must involve all departments, including building security. Hence, the role of a CISO is more that of an educator and empowered integrator of these integrated processes, which translate into system workflow configurations that in turn help secure the overall enterprise.
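As an added illustration of this point (example code, not from the article): a toy access decision that grants a request only when the organisational role, the manager-granted clearance and the badge-zone check all agree. Role names, systems, zones and users are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed example data: which systems each organisational role may use at all.
# Note the IT admin role does not automatically cover clinical systems.
ROLE_SYSTEMS = {
    "nurse": {"emr_read", "emar"},
    "physician": {"emr_read", "emr_write", "eprescribe"},
    "it_admin": {"backup_console"},
}

# Systems that may only be reached from a badged (access-controlled) physical area.
BADGED_ONLY = {"emr_write", "eprescribe", "backup_console"}

# Which zones are badged: this input comes from building security, not from IT.
ZONE_IS_BADGED = {"ward_3": True, "pharmacy": True, "lobby": False, "remote": False}


@dataclass
class User:
    name: str
    role: str
    clearances: set = field(default_factory=set)  # per-system clearances granted by the line manager


def decide(user: User, system: str, zone: str) -> tuple:
    """Return (allowed, reason). All three layers must pass: role, manager clearance, location."""
    if system not in ROLE_SYSTEMS.get(user.role, set()):
        return False, "role does not cover this system"
    if system not in user.clearances:
        return False, "no manager-granted clearance"
    if system in BADGED_ONLY and not ZONE_IS_BADGED.get(zone, False):
        return False, "system requires a badged area"
    return True, "allowed"


def run_requests(requests):
    """Evaluate (user, system, zone) triples; return (name, system, zone, allowed, reason) rows."""
    return [(u.name, s, z, *decide(u, s, z)) for u, s, z in requests]


if __name__ == "__main__":
    dr_a = User("dr_a", "physician", {"emr_read", "emr_write"})
    it_c = User("it_c", "it_admin", {"emr_read", "backup_console"})
    for row in run_requests([(dr_a, "emr_write", "ward_3"), (dr_a, "emr_write", "remote"),
                             (it_c, "emr_read", "ward_3"), (it_c, "backup_console", "lobby")]):
        print(row)
```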
4. Cyber security budget is the cost of compliance
Symptoms: Ticking the boxes on a list of policies and asking for budgets to bridge the gaps. It is not wrong to do so; it’s just sustainably inefficient. It’s doing the right things, but not for the full reasons. The problem with policies is that the moment you tick all the boxes on the list, two more boxes magically appear at the bottom.
Although the overall trend is an increase in cyber security budgets, most senior executives in developing nations perceive this spend as ‘the cost of compliance’. In fact, it is more related to legal and operational risk mitigation and much less to reputational and patient risks. The very idea that compliance guarantees security is wrong. The American healthcare insurance company Anthem is an example of an organisation that adhered to cyber security best practices and compliance rules. This however did not fully avert the data security breach suffered by the company in 2014, but Anthem’s prompt and efficient response helped to mitigate its liabilities. In another case, when hackers in 2018 claimed Medtronic’s pacemakers could be breached, one could only imagine the extent of the potential harm which could be inflicted on hundreds of thousands of cardiac patients across the globe. Therefore, in practice, the maturity indicators of a healthcare delivery organisation’s cyber security programme ought to be tightly tied to patient safety, not only to policy compliance. The concept of tying cyber security budgets to patient safety is not only a duty but also a much stronger and more measurable incentive, one that is specific to healthcare.
5. Keeping all cyber security incidents secret
Symptoms: A weird and secret chicken-run kicks off after a major security breach, scrambling to find a quick (technical) fix without notifying the relevant authorities and/or important stakeholders (patients, nurses, doctors, users, etc.). This is typically followed by a media backlash which ends up in finger-pointing and ultimately scapegoating. The whole circus typically repeats itself more than once a year without a single lesson learned.
Our live observations and confidential exchanges with colleagues from the field indicate this culture of secrecy is widespread in maturing digital settings. A culture of secrecy in cyber security is synonymous with very poor cyber preparedness. It is even more dangerous in healthcare settings because, as we have seen above, the lives of patients depend on it. Indeed, cyber security is increasingly seen as an IT priority, but rarely makes it to become a business — and therefore a budget — priority. In fact, reality suggests there’s a strong correlation between business priorities, budget allocations and KPIs. The secret executive cover-ups of cyber incidents represent the moment in time they become aware of why cyber security must now become a budget priority. Sadly though, because the culture of blame often runs deep in these settings, it takes very strong and mature leadership for these organisations to start actively learning by setting up a so-called ‘black box’ which allows them to capitalise on their now documented cyber mistakes. Because we often don’t know what we don’t know, raising executive awareness of cyber security risk should be at the top of the duty list of any accountable healthcare organisation. Remember: first, do no harm!
After diagnosing an illness, it often takes a period of acceptance from the patient before the healing process can even start. The same principle should apply to fixing all the aforementioned misconceptions about digitising healthcare services. These are not healthcare technology projects. These ought to be healthcare projects enabled by technology. Understanding this nuance will help set up a new culture that delivers radically different and sustainable outcomes. It’s a stacked leadership learning process which needs to start after nixing the denial. Finally, we ought to be learning from other people’s mistakes, because we can’t live long enough to make them all ourselves.
In a healthcare world blinded by technology, the most urgent challenges to fix today remain people’s knowledge and the right framing policies.
___________________________
Mehdi Khaled is the Founder and Managing Partner of Seha, an independent, Singapore-based boutique healthcare and digital health advisory company. With over 25 years of global expertise and exposure to multiple healthcare settings, Mehdi is a medical doctor specialised in internal medicine, a software engineer and a certified cyber security specialist from Harvard University.
The author reports no conflicts of interests.