Healthcare finally made the shift–it went digital. Overdue, perhaps – and maybe less rapid than the transition by other industries – but nonetheless notable. The age of the Internet of Medical Things (IoMT) has dawned, and healthcare is riding the wave. You go, healthcare!
For healthcare organizations, the advent of IoMT means new technology tools like smart medical devices extending and streamlining care throughout the hospital. This gives clinicians more mobility and more efficiency in providing patient care. The shift to a completely digitized environment; however, gives the entire healthcare IT infrastructure something else to worry about: new cybersecurity risks.
Healthcare Cyber Threats Are Real
A recent study by Kaspersky confirms this cyber threat, with study data pointing to a significant lack of security awareness among healthcare organizations in both the U.S. and Canada. How big is this risk? Nearly one third (32%) of survey respondents said they had never received cybersecurity training from their employer, while 21% admitted they were not aware of the cybersecurity policy at their workplace.
This is a dangerously high level of exposure, especially when you consider the number of potential threats healthcare organizations face and the resulting impact on Personal Health Information (PHI) and associated data privacy regulations. Phishing attacks represent the biggest cybersecurity threat, cleverly disguised requests for login credentials to dupe unsuspecting employees into providing their usernames or passwords, which would then be used to gain unauthorized access to systems and data establishing an entry point into the target organization for data gathering and establishing an attack plan
Healthcare organizations urgently need a more proactive approach to security training.
Cybersecurity Isn’t Just a Tech Problem
When it comes to cybersecurity, awareness matters. But business leaders need to think beyond their IT department and instead focus on training all employees on how to identify and address key risks. Everyone across the organizations – regardless of his or her role – needs to be equipped with knowledge and skills to protect against threats or attacks. And it’s not enough to just do the bare minimum to meet compliance or other regulatory requirements. Organizations need blended learning & development (L&D) and other training strategies that empower your employees to protect against cyber-attacks.
The following L&D guidance for cybersecurity training will help healthcare organizations overcome these hurdles and make security training more effective – preventing untold costs in security incidents.
1. Make It Simple – and Clear
People can be a powerful force when it comes to preventing cybercrime. But individuals often believe they are not a target, which exposes the organization to tremendous risk. It’s important to address this misconception and explain the critical importance and benefits of leveraging a cybersecurity awareness and training program. Employee training should explain how threats work, and include recent examples of phishing messages. This will give learners a clear picture of how to detect possible threats, and respond accordingly. It is also recommended that organizations only focus on a single awareness and training topic per quarter to avoid overloading staff with too much information at one time.
2. Vary Your Training Techniques
Plan on using a blend of learning techniques to provide a combination of simulation and engagement. Why? This will build employee confidence in real-world security encounters. If you just lecture to your team, or more likely, have expert conduct the lecture, complete with ominous warnings about worst-case cybersecurity scenarios, your lesson may just backfire. You’ll scare them about hackers, but not inspire any behavioral change. By blending the training techniques in your learning management system to include interactive components, videos, and a few real-life examples, you stand a much better chance of having the learning stick.
3. Keep a Steady Drumbeat of Learning
Continuous reinforcement of key lessons is more effective than long learning sessions that can be hard to digest. You can still perform annual cybersecurity training. But also assign microlessons and short quizzes throughout the year to keep learning fresh and top of mind. This way, when it’s test time everybody’s ready to succeed. Thanks, coach!
4. Use Non-Experts
Perhaps the most important way to change employee behavior is by having the message about cybersecurity come from someone human and relatable. This approach can help employees build confidence in secure behaviors and avoid errors in real-world situations. Human behavior is more complex than just technical expertise. Including instructors with soft skills is crucial, according to a recent study of over 1,700 security pros from the SANS Institute. Enlist nontechnical staff members to create engaging learning modules, such as real-life examples your workforce can relate to.
The unique challenges of healthcare
It’s been well established that healthcare is now more vulnerable to breaches than any other industry, and the implications of an attack go far beyond data privacy. Cyber incidents can potentially compromise patient safety and interfere with care delivery. Yet, healthcare workers are not getting the consistent education they need to keep organization and patient data safe. These vulnerabilities are exacerbated by the unique challenges healthcare presents, which makes training extremely difficult.
Unfortunately, there is no single, all-encompassing formula for ensuring that employees actually learn and apply the cybersecurity lessons they’re taught. Training can, however, go a long way in mitigating threats. By aligning with these tips, you can ensure your healthcare organization is taking the optimal steps to prepare your team for the new IoMT world, and its related cybersecurity risks.
About Craig Smith
Craig Smith serves as the Executive Vice President of Operations for Absorb Software, a cloud-based learning management system (LMS) engineered to inspire learning and fuel business productivity. Rising through the Absorb leadership ranks, Craig started as the Director of Technology before pivoting to lead Operations as its Vice President. Craig continues to leverage his IT roots to elevate the Absorb customer experience, drawing on his time as a developer at Honeywell International, building websites for clients at Autodata Solutions and leading a team of developers at AGAT Laboratories.