How security leaders can ease healthcare workers’ EHR-related burnout

Staff experiencing burnout in healthcare settings is not something that security leaders typically worry about – unless, maybe, it is the security team itself that is suffering from it. Healthcare CISOs and privacy officers worry more about the confidentiality and integrity of protected health information (PHI), and – especially when it comes to vital medical records, life-support systems, and billing – their availability.

If the HIPAA Privacy and Security rules don’t get violated, and the unfortunate threat-de-jour of being the victim of a ransomware attack is averted, “everything is fine”. However, it turns out that – by homing in on the user experience of security mechanisms and processes – the security team can be an ally to those whose job it is to worry about burnout across the healthcare ecosystem.

Unpacking the strain of EHR systems on healthcare professionals

Burnout is a stress reaction characterized by emotional exhaustion, depersonalization, and a lack of personal accomplishment. One factor frequently cited as contributing to burnout in the medical profession is the proliferation of Electronic Health Record (EHR) systems in providing patient care.

According to research published in the Journal of Primary Care & Community Health, factors contributing to EHR-related burnout include documentation and clerical burdens, complex usability, electronic messaging and inbox interruptions, as well as increased cognitive load and time demands.

EHR systems have been designed to facilitate the billing and documentation aspects of patient care, with health management and patient needs often being an afterthought. For example, charting solutions have recently been adding the ability for patients to exchange messages with their providers via patient portals. This addresses patients’ needs to communicate with their provider, but – without careful design –puts an additional burden on clinicians who now need to spend unbillable time to respond to messages that are interrupting their day.

In addition to broken or burdensome processes, it is clunky record management interfaces and system workflows that increase the friction experienced by healthcare professionals, over time contributing to burnout.

Security and user experience

Some of this should sound familiar to security professionals, as we are frequently being blamed for security mechanisms interrupting workflows, preventing access, and worsening the overall user experience. Things would be so easy if we didn’t have to put up with those security controls!

Thus, a call to action: Take a closer look at where in the ecosystem your policies and/or tooling might contribute to (or prevent the mitigation of) issues that play into a less-than-optimal user experience for your healthcare system’s workforce.

By (re-)evaluating how control requirements can be met without standing in the way of modernizing record management systems, CISOs may be able to identify opportunities that will help their CTOs with the task at hand while maintaining an appropriate risk posture. Let’s explore some specific examples…

Identity and access management

The user experience for authenticating into different systems often causes friction, be it for medical staff or in other professional settings. For example, having to remember passwords that meet complexity requirements, possibly different ones for different systems, and fumbling with hardware tokens needing to be plugged in, increases the burden on users who need to keep up with records across those systems.

Security leaders can:

• Identify opportunities to unify the login into different systems via Single Sign-On, either by connecting the systems to the same authentication solution in the backend or (preferably) by standing up a centralized identity provider that applications can authenticate against via SAML or similar standards.
• Replace password-based authentication mechanisms, and possibly physical- or phone-based tokens, with password-less logins. For example, can an RFID-based smartcard system, integrated with the organization’s badge and physical ID systems, reduce pain for users when logging into recordkeeping systems? Might biometrics be able to help?
• Embrace recent innovations in identity management. For example, OpenID’s Continuous Access Evaluation Protocol (CAEP) may allow you to lessen the requirement for frequent re-authentication of user sessions, since active sessions in applications can be terminated on-demand when risk parameters change (such as, a user’s permissions being revoked on the identity provider side).
• Evaluate whether flexible, role-based access control schemes can empower medical assistants to support doctors with data entry into EHR systems, while restricting their ability to alter critical data (prescriptions, etc.) on files and maintaining accountability for individual users.

System interoperability

A major factor contributing to EHR-related burnout is the fact that medical professionals must deal with disjointed systems for recordkeeping.

For example, charting systems may not be interoperable with the diagnostic equipment in a hospital, specialists may have to use one system in their practice and another one when enjoying their privileges at a clinic, and so on.

Security and privacy leaders can:

• Review whether recordkeeping policies prevent the exchange of data between systems because that would result in loss of provenance and governance over the records. Can requirements be reframed to facilitate more business-friendly information flows? (For example, investing into a central solution to manage the systems of record for different record types and automatically enforcing service level objectives for data retention in a consistent fashion might alleviate concerns over records being shared across multiple systems.)

Connectivity

Security policies may restrict which devices staff may be allowed to use for connecting remotely to systems via web interfaces or “thick clients” that need to be installed on a device. Access to record management systems may even be limited to secure networks on premise.

Security leaders can:

• Consider embracing “zero trust” principles. By strengthening trust into user identities and the devices they connect from, the security of networks becomes less relevant and may enable you to permit remote access to EHR systems, allowing medical professionals to embrace a more family-friendly schedule while still being productive at home.
• Determine under which circumstances Bring-your-own-Device (BYOD) policies might be allowable. Enabling staff to use their personal devices to access EHR systems may reduce friction experienced by switching back and forth between endpoints on a constant basis.

Awareness

Canned security awareness training not tailored to the roles of staff tends to be both ineffective and a bother to users. And doctor’s offices and hospital environments tend to have unique security challenges, for example when it comes to devices being shared by different staff members.

Security leaders can:

• Tailor awareness messaging to their audience. Include meaningful tips on how users can avoid friction when interacting with security features, for example by letting them anticipate when and why they might experience step-up authentication prompts, rather than the system surprising them when it’s least convenient.
• Review record management workflows and whether security prompts might interrupt staff at inconvenient times in the workflow. Can prompts be moved elsewhere in the process without reducing their effectiveness, or possibly even increasing it?
• Can expectations for user behavior be removed by automation? For example, if users no longer have to actively remember to lock the screen of a device because sessions time out automatically, it removes a distraction from their focus. (Conversely, the concept of introducing friction at the right place in the system might also help to shape user behavior.)

Learning how to foster human-centric security

By bringing actionable suggestions to IT and system leadership on how investments into security and privacy can also contribute to reducing stress in medical professionals, security leaders can both position themselves as valuable partners to the business and improve the security posture of their organization.

Propose a workshop to your CTO to identify user friction in the system that the security and compliance teams might be able to help alleviate. And strike up a conversation with your vendors. Research into human-centric security has picked up in recent years, but results are slow to make it into the solutions we buy. Encourage providers of security tech (and their product managers) to become more proactive about user experience and add related requirements to your selection criteria for choosing new suppliers.