Many healthcare organizations are still busy teaching their employees how to email and use messaging apps safely. On top of that, generative AI arrived last year. Sietske Rozie: "Many employees are not sufficiently aware of the risks of using Large Language Models such as ChatGPT. In our opinion, banning is not the best way to deal with this. Encouraging safe behavior is."
AI has much to offer healthcare, but also creates new challenges in the area of information security, Sietske Rozie believes. She provides training through the Information Security Behavior in Healthcare program. "We have been training information security professionals at healthcare organizations for a few years now. We want to understand employee behavior through analysis. That way we can choose the right intervention to improve behavior regarding information security and privacy."
Sietske Rozie is hosting a session at Care & ict on behalf of Information Security Behavior in Care. So did colleagues of hers two years ago. "But we are several steps further now. Back then De Wegwijzer was not yet implemented, now it is. We know our target group better and we know what they need and what they get stuck on. In addition, we now know better how to give administrators actionable perspectives on information security and privacy."
Autopilot
Rozie: "The intentions of healthcare employees are really good, but as human beings we all function on autopilot 95 percent of the time, so our behavior is largely unconscious. Healthcare employees really don't think in the morning 'let me see how many data breaches I can cause today'.
But during work, nevertheless, things often go wrong. And I understand that very well. Especially when time is short, it is very tempting to send an e-mail via unsecured mail or to use WhatsApp instead of Siilo, for example. Or, if the work phone is empty and there is no charger nearby, to use the private phone. And how many people forget to lock the computer when they walk away from their workplace?"
Unsafe use of AI
AI creates new challenges. Programs like ChatGPT are still so new that many people don't know how to use them safely. But they are accessible and available to everyone.
Rozie: "During an online meeting, information security professionals in our network indicated that they see healthcare workers using Large Language Models such as ChatGPT. Virtually no healthcare organizations have yet established codes of conduct or house rules about this use."
House rules shared
"We then shared the house rules regarding applying LLMs from MUMC because they were already further along in this. You can imagine that ChatGPT can help summarize the minutes of the departmental meeting or find a differential diagnosis based on history and additional examinations. And that only involves text. Also consider audio and images as input for such AI models."
"From agencies, network organizations and VWS, there are no rules yet for the use of large language models. And there is no control on it. Any employee can take an account. There are already paid and even business accounts possible for companies that OpenAI says are more secure. The question is what is wise.
"You could, of course, log from the healthcare organization's ICT department whether and when your employees go to the OpenAI website at work for ChatGPT. But then what do you do with that? In my opinion, banning the use is not the way to go. Better to teach your employees how to do it safely. The target behavior as we call it could be responsible use of LLMs. Then you have to see how to achieve that after that. Compare it to a toddler who wants to go up the stairs. You can leave the stair gate closed, but you can also teach the toddler to get up the stairs safely. He will ultimately benefit more from that."
Out on the floor
Behavior change is not something you achieve from behind a desk. What it's all about, according to Rozie, is getting out on the floor. "Look over the shoulder of care workers. And get to the bottom of their behavior. Also ask them why they do things. That improves the relationship with the employees. They feel heard when they can explain why they don't use programs to safely mail, for example."
"I remember a conversation with a medical specialist. I asked him if he used Zivver to mail securely. He indicated that he didn't use that program because he didn't feel he was being taken seriously. He indicated that he worked all day with great medical equipment. He had no desire to work with mediocre software."
"If you know that, you can take a measure that does work. If you don't ask, you won't discover that, for example, the setting of the Zivver software is not correct. If the healthcare professional doesn't know you or doesn't know how to find you as an information security professional, he or she might think it's not considered important in the organization."
"A lot of money goes into e-learnings, education, poster campaigns, etc. about information security and privacy. But there is still too little measurement of the effect. In our program we give clear guidelines to improve information security. Choose your target behavior and start measuring it. Analyze employee behavior by talking to them. And see what you are going to address. Keep the target group in mind and choose your interventions accordingly. You approach a surgeon differently than a group of medical secretaries. Choose your interventions accordingly."
Healthcare administrators
A new target group for this year is healthcare administrators. The program is now focusing extra on them because information security behavior in many organizations receives too little administrative attention. Often, according to Rozie, this only happens when there is a concrete reason, such as an audit, a spot check by the IGJ, a fine from the AP or a cyber attack.
"We find that it is difficult for employees who are (co-)responsible for information security and privacy from their role to gain enough support. We are now investigating what will concretely help healthcare administrators in this regard and are going to offer them suggestions for action on this theme in various ways this year."
Sietske Rozie is hosting a session on information security behavior in healthcare at Care & ict 2024. Register for free below and join us on April 11 at 10:45 a.m. in partner theater 3.