This article was first published in HealthManagement.
In 1847 the father of infection control, Ignaz Semmelweis, took a position running maternity services in a Vienna hospital. During his time there he observed that women cared for by physicians were more likely to die (13-18%) from infection than women cared for by midwives (2%). This led him to develop a theory that infection control was critical. He then implemented mandatory handwashing and saw the mortality rate from infection drop to 2%. Since then, infection control has been a key part of all aspects of the care process. However, the question of why physicians washed their hands less than midwives was never really answered.
Today, health organisations face a new infection challenge, that of keeping their IT systems free of viruses and other attacks on their health, and they will need to treat this threat with the same seriousness.
IT is crucial to care in the 21st century
This starts by understanding that digital technology is now integral to healthcare. It touches all parts of the process: clinicians look at records electronically, lab tests are computerised, and ambulances are dispatched by computers. This role will continue to increase as we move to paperless, integrated and patient-centred approaches.
The risk of an attack on these systems will increase as they are accessed by and connected to others and the ownership and responsibility for their cleanliness get blurred. For example, with mobile carers, carers using Bring Your Own Devices, and patients wanting to contribute data from a fitness tracker, who is responsible for the digital cleanliness?
On 12 May 2017 the WannaCry computer malware provided a dramatic illustration of the risks. A significant number of global care organisations saw their work disrupted, and many more breathed a sigh of relief that they were not affected. While almost 50 services have been affected by malware and IT service failures in previous years, none have ever hit this hard or with such a global reach. WannaCry was the equivalent of letting two five-year-olds loose in an operating theatre before beginning open heart surgery, and showed us all that our systems, our data access and our way of working do not support digital infection control.
Cybersecurity is infection control
In response, we all need to understand why these cyber issues occur, and what we can do to prevent them. This starts with getting the right governance and recognition at board level. Leaving it to junior members of staff means it won’t be getting the right attention until it hits the headlines. Boards now need to scrutinise digital cleanliness in the same way as they treat the latest infection control key performance indicators. Worrying about cyber security must not, however, be used as an excuse to avoid embracing digital technology and the opportunities it provides to transform how care is delivered.
In the same way that a ward has a hygiene owner, digital security needs its own champion. The advent of the Chief Clinical Information Officer and its appearance in the Wachter report (National Advisory Group on Health Information Technology in England 2016), for example, go some way to addressing this. In all this, digital cleanliness has to be more than the equivalent of a poster asking you to wash your digital hands properly; it must be recognised as a critical priority across the organisation.
In a connected world, cyber risks are inevitable
Connectivity in health organisations brings real value to patients. For example, to support continuity of care, or to support peripatetic carers with mobile devices, a connection to the worldwide web is necessary, but that web is a potential source of digital infection. Connecting to it exposes the organisation to risks, and the organisation needs to understand those risks, manage them, be ready for them and react effectively when they inevitably strike.
To do this, healthcare providers need a digital strategy and a cyber security and resilience plan, just as they have an infection control plan. That strategy should be linked to patient care and recognise that it is not just about investing in technology, but in people and training. PA has found that people and behaviours are a factor in over 80% of high-impact cyber breaches. The kind of behaviour that puts information at risk ranges from the completely accidental (unaware), through the careless or negligent, all the way to the deliberately malicious. The best way to reduce these risks is through training and communication.