Alert and Alarm Fatigue: It’s Not Just For Clinicians Any More
By Drex DeFord
Drex DeFord, MSHI, MPA is a healthcare strategy consultant and adviser to CI Security of Bremerton, WA.
I’d like to say that we are lucky now that we have all adopted EHRs and used them to drive better, faster, cheaper, safer, easier-to-access care for patients and families. But based on my post-Meaningful Use experience, “luck” is one of the last words used by doctors, nurses, and other frontline caregivers.
The EHR came with a lot of noise. Distracting, aggravating, and even dangerous noise. There was some good stuff, too, and we thought we were doing the right thing. We had good intentions. But along with the good, EHRs have generated a bunch of unintended consequences.
One of those is alert fatigue, which contributes to physician burnout. In fact, most providers suffer from some level of alert and alarm fatigue. One of the most referenced articles from the past year was Atul Gawande’s New Yorker piece describing how doctors hate their computers. EHRs are a work in progress, and the challenge is enormous.
Just like the patient-facing folks, the cybersecurity team has its own seriously debilitating case of alert fatigue. It comes from the beeping and buzzing that emanates from the multitude of security systems that we have purchased and installed.
They get alerts for things big and small. A staff member plugs a new device into the network. Someone logs in from another country. A user types their password incorrectly three times.
Somewhere in these alerts is an actual intruder and a real problem. Or even worse, it’s an intruder who is already in the network, biding their time in an effort to quietly find the organization’s data crown jewels, snag them, then quietly exit the electronic premises.
If you have a CISO and a dedicated cybersecurity team, then good for you. In many hospitals and most clinics, the responsibility for maintaining and managing cybersecurity tools is distributed across a small group of information technology professionals who have other, full-time day jobs, such as managing the network, storage systems, or applications.
Watching for cybersecurity alarms generated by this plethora of systems and then reacting to them – figuring out which ones are real versus false – has become a major burden. It is another unanticipated consequence of adding more technology, with the best intentions, to solve complicated problems.
Based on the number of breaches in healthcare, one can imagine that those tasked with watching cybersecurity alerts are feeling overwhelmed, a lot like their patient-facing teammates. What may be just as bad is that cybersecurity alarm distraction increases the likelihood that IT operators will make mistakes or have an accident – miss a patch or misconfigure a server – and cause the organization to suffer a self-inflicted breach.
Cybersecurity work is massively stressful. For the delivery of modern healthcare, these cybersecurity professionals are critical. One missed alert and entire hospitals can shut down. Physician practices have had to close their doors entirely.
Being a first responder (that’s what cybersecurity professionals really are) is one of the most difficult jobs in the world. It takes unique skills, courage, and grit. And there aren’t enough cyber professionals to go around. Unfortunately, all the stress also takes a toll on the professionals themselves, especially when they are spread too thin across too many responsibilities.
When it comes to cybersecurity, there are better ways to manage both organizational and individual risk. For example, managed detection and response services can shift the burden of answering and investigating all those alarms to cybersecurity professionals who do this for a living, all day, every day. They are experts at figuring out what’s real and what’s not. Some can even integrate products that specifically target the Internet of Medical Things, doing both discovery and security analysis. They can do it all incredibly quickly using a combination of well-tuned technology and human review.
By pushing more of this responsibility to managed service organizations, a health system’s IT team can reclaim control of their time. They can shift attention back to the major IT initiatives that can help their organization grow and succeed. Maybe they will even have more time to work on projects to reduce healthcare burnout and alarm fatigue for everyone else in the organization.