HEALTHTECH: How have you involved other stakeholders in sharing responsibilities around security? What works in connecting security priorities with patient care?
BARRERA: Depending on the culture of the security team, being too technical when it comes to spreading security awareness and partnership may not be the most appropriate move. When I was giving a training of sorts to a group of incoming residents recently, I was telling them that security is a shared responsibility, no matter how great our security tools are. I also try to connect that responsibility to something personal.
It takes a lot of hard work, because everyone is very busy. When clinicians have many patients to tend to, cybersecurity training can feel like a burden. But when you meet with other departments face to face, share the headlines, share the personal stories, it feels more meaningful. We also have committees that are made up of a cross-section of the organization. Over time, there’s incredible engagement with workers from other departments.
Within those committees, we also plan to do face-to-face “road shows.” After this outreach and in-person interaction, we get a lot of synergy, and we even have people who want to mentor others. So, people are paying attention, but that takes care and feeding. It really is like risk management in that it is a continuous cycle.
It helps that security is built into our culture. When leadership is engaged and supportive, that really makes all the difference, to be able to have all these activities, such as the road show and the yearly security awareness training that everyone is required to take. In some organizations, if someone doesn’t do the training, nothing happens. But at Jackson Health, we have 100% compliance. Everybody does their required learning because otherwise, their account gets disabled, and they have to go sit with HR to take it before they can return to their job.
HEALTHTECH: How will AI/ML and data needs impact healthcare security moving forward?
BARRERA: We’re all at different degrees of adoption. I think one of the most critical things to realize is that even if you think your organization is not using AI, your users are. At Jackson Health, one of the first ways that we’re using AI is to do certain repetitive processes that are prone to errors if done by humans. One example is rescheduling appointments that have orders attached. The average human, even if they have a script, may just delete the appointment in order to create a new one, and then realize, “Oh, I’ve deleted the appointment with an order, three orders, five orders attached.” Those orders are gone. And so that process is being replaced with automation that is more accurate and efficient.
The IT security team works hand in hand with the data science team for application integration. Everything that comes in before procurement, we’re going through a security questionnaire. We are evaluating risk. At the time of deployment, we are scanning, we’re validating, so we’re learning about the solution.
I think, though, that there’s a very bright future for AI in healthcare. We have had a behavioral analytics solution that has leveraged AI for many years. So, we are continually looking at how we can bring efficiencies to our security operations center, which is the cornerstone of our incident response, and things like that. With the rate of attacks using AI against healthcare, we need to combat that with the same or better. We believe that when we bring in or are already using AI, that gives us a fighting edge on anything that happens.
We’re also working on communication and outreach. We’re shifting our policies for the health system on acceptable use of AI, being fully cognizant that people are constantly using it off the network. We do regulate a wider number of things that we can. For example, we don’t allow ChatGPT, Grok or other generative AI tools similar to those, but we know there are always ways employees can circumvent those controls. It’s up to us to maintain what’s acceptable use, patient privacy, and prevent data from wrongfully being exchanged. We want the AI solution we connect with to help achieve our health system’s slogan, which is “making miracles happen.”