Checking Out Security Before Using AI Tools in Healthcare episode artwork

EPISODE · May 9, 2023

Checking Out Security Before Using AI Tools in Healthcare

from Info Risk Today Podcast · host InfoRiskToday.com

Most healthcare workers don't check security protocols before trying out new generative AI tools such as ChatGPT, putting patient and other sensitive data at risk, said Sean Kennedy of software vendor Salesforce, which recently conducted research on potential security gaps in healthcare settings.

Episode metadata supplied by the publisher feed · Published May 9, 2023

Most healthcare workers don't check security protocols before trying out new generative AI tools such as ChatGPT, putting patient and other sensitive data at risk, said Sean Kennedy of software vendor Salesforce, which recently conducted research on potential security gaps in healthcare settings.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

Checking Out Security Before Using AI Tools in Healthcare

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

I'm Marianne Kobisak McGee, executive editor at Information Security Media Group. Today I'm speaking to Sean Kennedy, who is Vice president and General Manager of Global Health Strategy and Solutions at Salesforce. So Sean, I understand that Salesforce recently conducted research that digs into potential security gaps among healthcare sector workers, including in their use of generative AI technologies such as ChatGPT. What are some of the most concerning findings in your research overall and why?

Well, Marianne, it's clear that healthcare organizations recognize the importance of a security first culture, but the reality on the ground seems to indicate that existing trainings and tools could be improved. What we saw is that over 2/3 of healthcare workers say they have security first culture, but less than a third said they're familiar, very familiar with company security processes and protocols. Most say that having training needed to keep data secure. However, only 54% find security training to be efficient and almost one in five say that their security training is not relevant to their job.

Now, specific to generative AI, what we learned was that only 39% of healthcare workers check security protocols before trying a new tool or technology. And almost a quarter of respondents think that generative AI is safe to use at work. When it comes to the use of generative AI technologies, what should healthcare IT security teams be thinking about and how should that flow down to the end user, the frontline healthcare worker? Given our research indicates that 15% of healthcare organizations have already experimented with generative AI like ChatGPT or Dall E.

It's a really good question, you know, while we see the potential that generative AI has to transform the way healthcare employees work, it's not without its risks. The opportunity to reduce the administrative burden on our healthcare workers and address clinician burnout holds a lot of promises. Areas to apply generative AI but healthcare needs to account for the inherent concerns around privacy, around security and around bias. So we see that generative AI models require a large amount of data for training which can pull from sensitive patient information.

Health IT security teams really should ensure that data used to train generative AI models is de identified and anonymized to protect patient privacy. Additionally, access to the trained AI models and any generated data should be restricted to authorized personnel to prevent unauthorized use or data breaches. Now additionally, in a related cross industry study we published, we found that almost 2/3 agree there's bias in generated AI outputs. So bias is that another risk that healthcare needs to guard against.

And having a human in the loop and collaborative feedback mechanism in place can really help address that bias. So when applying generative AI, we recommend really an ethics first approach grounded in trusted data and human in the workflows to allow health organizations to safely and responsibly use generative AI to deliver on the intended purpose. So when it comes to generative AI, what sort of biases did you see? Well, we didn't report on the biases in the study, but what we're seeing in the industry is that there could be this bias that comes.

So when you think about some of the use cases that could exist out there, you can imagine figuring out ways to synthesize data more efficiently, support something like drafting in the form of a medical necessity letter in support of prior authorization or curating discharge instructions. There's some interest that we're seeing in the market around this. You want to make sure that any research that's done out there is going to be pulling from a broad set of information and recognizing that frequently the data that is available is, may not be all the data that's available, because data sits in a lot of silos in healthcare. So we just have to make sure that data that comes in kind of augments the decision making of the administrator or the clinician who wants to use it.

But that human really needs to look at it and judge it appropriately. So, Sean, we hear so much about employees that fall for phishing scams. We hear so much about major breaches that have been linked to phishing scams. Why does this keep happening despite the training that workers get?

And how can entities do a better job addressing these issues? I know some of your research sort of dug into the training issues as well. It has a lot to do with sophistication of attacks. They really mimic an email you'd expect to get yourself.

So couple that with human error and evolving tactics and you see why they're successful. So I think the way we look at is while employees may receive initial training on how to identify phishing attacks, it's really important to have ongoing and regular training programs to reinforce best practices and keep employees updated on the latest stress. Without that consistent reinforcement, like any of us, employees may forget the training or become complacent over time. Overall, organizations should adopt a multi layered approach that includes both technology and training to effectively combat those phishing attacks.

So Sean, with that said, what safeguards or best practices aren't being either put into place or are being underutilized that might prevent data security incidents from occurring even when a healthcare worker does fall for phishing scam? Based on our research, less than half of healthcare workers Use multifactor authentication every time. And almost 1 in 5 never use VPN for online work. These inconsistent best practices leave windows for opportunity for risk.

So one approach for health organizations is to deliver an infrastructure that protects the entire digital ecosystem, right? Designing a lot of intentional defaults into the company's technologies and processes, such as, you know, requiring multifactor authentication, implementing zero trust architecture. These defaults can help employees prioritize really what we call data ethics and privacy by default. So Sean, on a day to day basis in the work life of frontline healthcare workers, what other practices or maybe lack of best practices do you see that are putting organizations data and systems most at risk and why?

The research shows that healthcare workers are blending personal and corporate devices for work. So we've seen that one in three healthcare workers uses the same passwords for personal and work related logins and almost half have access work documentary systems from their personal devices. So there's a number of things they can do. Organizations can, they can implement comprehensive cybersecurity awareness programs for those frontline healthcare workers.

You'll look at that. Enforcing strict policies and procedures for password management, that's always a proven practice. Looking at that device usage, looking at their policies around software installation, around data handling, and certainly around incident reporting. It's also crucial to establish a strong security culture within the organization where cybersecurity is prioritized and recognizes a shared responsibility among all employees.

So Sean, based on the work that you've done in healthcare it, I know you spent some time doing that sort of work before Salesforce, what do you see from the trenches or what have you seen from the trenches and what are your suggestions for how healthcare sector entities can do a better job fortifying their security posture overall? Sure, yeah. And I've certainly been in this industry for a while now and you know, one of the things that I see is it's important to look at prioritizing trust as that number one value, which means emphasizing a strong culture of security awareness and improving cyber hygiene. And it's gotta begin on day one of that employment.

So when you enter the organization, this is the value that you're adopting very early on. It's a really important element of the organization's culture. Now beyond training, healthcare organizations need to consistently engage their employees to support culture of security and to have this trust first culture in implementing requirements like multifactor authentication. Zero trust architecture, where employees are only given access to the devices, to the applications and to the systems they need to do their job, adds additional layers of security to help reduce the chances of sensitive data being compromised or accessed.

And finally, Sean, as you kind of look at the health IT security landscape, anything that you're particularly excited about or things that you might find promising in terms of either adoption of best practices or emerging technologies? Well, listen, I think that in healthcare, there's a lot of technology available to us. And I think looking to some of the other industries and some of the ways that they're implementing these technologies, establishing best practices and sharing lessons learned, I think those are really important for us. Healthcare is on the cutting edge of a lot of technology and a lot of innovation happens in healthcare, but sometimes it's the basics that we can fall down on.

So I go back to some of these things like multifactor authentication may seem boring, it may seem so obvious, but it's also something that's not used across all of healthcare. In really getting to this idea of access based on least privilege and bringing in zero trust architecture, where we're really looking at who's accessing your network, giving them the access that they need, there's a degree of granularity there that's required in your infrastructure, but those are things that industries are finding a lot of value in to guard against unwanted disclosure of information. So those are things I'm really excited about. Well, thank you so much, Sean.

I've been speaking to Sean Kennedy. I'm Mary Ankel. Bessette McGee of Information Security Media Group. Thanks for joining us.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on May 9, 2023.

What is this episode about?

Most healthcare workers don't check security protocols before trying out new generative AI tools such as ChatGPT, putting patient and other sensitive data at risk, said Sean Kennedy of software vendor Salesforce, which recently conducted research on...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!