Earlier today I chaired a fascinating seminar for patient groups and professional organisations which discussed healthcare acquired infections (HCAIs) and, in particular, what needs to be done to better prevent such infections in community (rather than hospital) settings.
As the meeting continued, I was struck by the surprising number of parallels that exist between what needs to be done to cut the risk of such infections and what needs to be done to improve information security.
For example, there were those a few years ago who thought the situation with HCAIs in hospital was so bad that nothing effective could be done. They have been proved wrong by the success of the initiatives taken over the last five or six years to reduce dramatically the incidence of MRSA and C Difficile in hospitals (80% and 60% reductions respectively). Likewise there are those who throw up their hands in horror about the current tide of cyber security problems and seem to believe that our systems will always be irredeemably compromised. Hopefully, they will also be proved wrong in a few years' time.
The response to HCAIs was in the past seen as better and stronger technical solutions (i.e. ever more powerful antibiotics) and, whilst such solutions remain necessary for those who are infected, the sharp reductions have been achieved by other means – largely through achieving major changes in behaviour amongst staff and patients (i.e. better and more effective hand-washing, greater emphasis on cleanliness etc). This is mirrored by the increasing recognition that social engineering and behavioural change is an enormously important component of better cyber security and information assurance.
Similarly, without being too Cameron-esque about it, we all have to be in this together. Everyone has to play their part. Thus, patients and their visitors need to understand the importance of washing their hands with alcohol gel and remembering to do it. In the same way, individual computer users need to adopt precautions to prevent their systems being compromised. At the same time, product manufacturers must play their part in making their products less vulnerable to infection (e.g. catheter or commode design can be used to make HCAIs less likely, just as computer software and hardware can have security built in).
Likewise, you cannot help but notice that meetings, whether about HCAIs or addressing cyber security, always conclude that more public education is needed and that the message needs to start at primary school ….
Well, I thought they were interesting parallels ….