
The Delicate Balance of Security Versus Usability

Apr 20, 2021

Why Does This Have to Be So Hard?

As a security practitioner, how often have you heard the refrain from your colleagues that one of the security protocols that was so carefully thought out and expertly implemented is just too difficult to deal with? Perhaps you have sighed when you had to adhere to your own security protocol? As a security evangelist, you understand the necessity of adhering to a set of security requirements, but as a normal staff member, you can understand the frustration of your non-security coworkers.

Is there ever such a thing as being a "normal" staff member after you have crossed into the world of information security? It seems that once one becomes aware of all the vulnerabilities and threats, it is impossible to go back to the halcyon days of security complacency. In fact, one of the primary responsibilities of a security practitioner is to teach others about security awareness, both on the job and, many times, outside of work as well.

Another Triangle to Consider

The familiar CIA triad, which delineates the concepts of confidentiality, integrity, and availability, is only part of the security landscape. To the security professional, the CIA triad reigns supreme. To the average person, however, the CIA triad is a novel notion. The triangle that resonates more strongly with your staff is the usability triangle.

The usability triangle shows the competing aspects of security, functionality, and ease of use. This model is often used to describe why a system can never be 100 percent secure: as one moves towards one corner of the triangle, the other two become weaker. The triangle is also applicable as a "security frustration" barometer. The more security that is added to a system, the less functional and usable it becomes for the average person.

In Healthcare, The Stakes Are Higher

As mentioned in a previous post, security in a healthcare environment is unlike that in many other professions, including many critical infrastructure sectors. It would be rare for an immediate action in an automobile factory, or at a commercial facilities location, to result in the same dire consequences as a decision made in a surgical operatory. A security practice that would function normally in other industries may not be the best fit for a hospital emergency room. Could "ease of use" outweigh security in this situation?

All security practitioners know how to implement various security mechanisms to protect data. For example, something as common as a multi-factor authentication system is a strong control for protecting vital records in most organizations. However, in a surgical environment, a delay in care caused by a security feature can result in the death of a patient. Is functionality more important than security?

As more medical devices become wireless, the security implications become more pronounced, and unique to the information security profession. As was reported, in 2007 the wireless capability of the implanted cardiac device of the U.S. Vice President had to be disabled for fear of a compromise by malicious actors. The Internet of Medical Things (IoMT) is discussed further here.

These scenarios illustrate why a trained healthcare security practitioner needs to know the best approach to these distinctive situations.

The Perspective of the Provider

In an ordinary setting, a colleague may get annoyed at a security implementation. This is where a security practitioner would use soft skills to seek compliance with a security function. Tools such as security awareness training and technical measures would also be effective methods for encouraging security observance.

In a critical healthcare setting, a medical provider would grow intolerant if the usability triangle were weighted heavily towards the security corner. Even in a non-emergency environment, such as a laboratory, certain security practices can hinder life-saving care. A healthcare security practitioner understands that some security measures surpass the annoyance stage, rising to the dangerous. This is where the specialized knowledge gained through healthcare security training is invaluable.

Information Security Balanced Against Healthcare Ethics

The ethics of healthcare practitioners are no laughing matter. From the Hippocratic Oath of physicians, to the Nightingale Pledge in use by some nursing institutions, to the Code of Ethics and Oath of Emergency Medical Technicians (EMT), preservation of life is paramount to all other interests. The code of ethics for information security practitioners cannot compete with these lofty goals. This does not minimize the importance of the code of ethics of information security. In fact, the ethics of an information security practitioner are on a par with those of many other certified and licensed professionals. Using the (ISC)² Code of Ethics as an example, the canons of ethics are succinctly stated:

  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Other security organizations promote similar proclamations and sentiments.

The key is to balance the ethics of preserving life against the ethics of protecting a system and its data. This is truly a difficult topic; however, it is not without solutions. A trained healthcare security practitioner can dance along the line between both ethical values, supporting life-saving measures while also preserving the security and privacy of the data that provides valuable information for healthcare professionals and patients.

Which Training is the Best?

Whenever the subject of training is presented, one always wonders "which training is the best?" This makes sense: no one wants to waste time with a training program that offers no tangible benefits. Unfortunately, in the field of healthcare information security, there are not many training offerings or options. One can (and should) learn security as it pertains to the Health Insurance Portability and Accountability Act (HIPAA). The same is true of the security aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act. These are certainly worthy of study; however, they do not provide the deeper, practical understanding of security and privacy in a healthcare environment. The only training that presents the complete criteria is the Healthcare Information Security and Privacy Practitioner (HCISPP) credential offered by (ISC)².

The HCISPP Common Body of Knowledge (CBK) covers all aspects of security and privacy in a healthcare setting. The information gained through study of the CBK is not only useful for achieving the certification; it offers actionable, practical knowledge for any security practitioner in the healthcare field. Attaining the HCISPP certification shows a dedication to the healthcare security profession, which translates into being a more valuable member of a healthcare security team.

How the HCISPP Certification Can Help You to Succeed

If you are currently a security practitioner working in the healthcare field, or you are looking to enter the area of healthcare security, the Healthcare Information Security and Privacy Practitioner (HCISPP) certification offered by (ISC)² is the perfect vehicle to enhance your knowledge and skills. Not only does this credential give you the skills you need to function at the highest levels of a healthcare organization, it also shows your employer that you possess specialized knowledge and dedication specific to the healthcare profession.

Download our white paper, Not All Life Savers Wear White Coats, to learn more.