IT Infrastructure: Creating A Culture of Security In Your Hospital & Health System

by Don Kelly, Manager of the Virtual Information Security Program at Fortified Health Security, 05/05/2023


It’s a fact: More than 80% of data breaches involve a human in some way. That could involve someone falling for a spear-phishing campaign designed to solicit credentials, clicking on a malicious link, or a simple error that leaves a security vulnerability open to bad actors. Creating a culture of security in your organization will keep security at the forefront of everything from operations to care delivery.

Monitoring and maintaining the security of IT infrastructure is often overemphasized within hospitals and health systems, while the human side of reducing risk is often under-emphasized. And unlike APIs, software, and technology hardware, employees can’t be patched; they can’t be reconfigured; and they can’t be reset after making a mistake.

The answer is training: continual training that helps create a culture of security within your hospital or health system. But with so many competing training programs — everything from HIPAA and regulatory compliance to handwashing and job-specific training — it’s difficult to break through the noise and gain traction. And with the average recovery cost for a healthcare organization after a breach having passed the $10 million mark in 2022, a 40% increase from 2020, the time for definitive action is now.

If a doctor, nurse, or other hospital employee sees a suspicious package in a hallway, chances are good they will alert the physical security department who will take appropriate measures. But what about a suspicious email? Some IT departments don’t want to know, believing it’s just more work for them. But for every potentially damaging email that’s deleted without taking any action, there could be thousands more in waiting. 

The key to creating a mature and robust security awareness program starts with executive leadership support, followed by continual training to reinforce the security message. Across industries, some companies have a dedicated position for security awareness or give an existing IT person some additional duties as a security awareness officer. With continued IT staffing shortages in healthcare, that might not be possible, so consider outsourcing security awareness and training to a vendor well-versed in the unique nature of healthcare.

Some healthcare organizations are minimally training their staff for compliance, hoping it will be sufficient. But minimal training delivered once a year can’t address the dynamic nature of cyber threats, which are continually evolving. As organizations harden their security posture in response to specific threats, new threats emerge that companies may not be aware of.

Two recent emerging threats:

  1. Last August, the FBI warned healthcare organizations about a fraud scheme where scammers impersonate law enforcement or government personnel, targeting specific individuals to extort money or steal personally identifiable information. The scammers spoof authentic phone numbers and use names of real security personnel, informing the target they missed a court date and owe a fine or are subject to arrest unless they comply.
  2. The following month, a new, sophisticated phishing attack was revealed, using multiple fake email accounts to trick a user into believing he/she is part of a conversation among colleagues. Called multi-persona impersonation, multiple interactions take place to convince the target the conversation is real before a malicious link is sent. The “grooming” process can take weeks, underscoring the lengths hackers will go to steal information.

The SANS Institute, a leading authority on cybersecurity training, certifications, and resources, recommends monthly training noting, “Organizations that engage and train their workforce only annually or on an ad hoc basis cannot effectively change behavior and are thus stuck at the compliance level, checking the box.” The information security organization recommends monthly training that’s “communicated engagingly and positively that encourages behavioral change” to help employees understand the importance of cybersecurity so that they will actively recognize, prevent, and report incidents.

Training doesn’t have to be overly formal. Some of the most effective training involves humorous videos depicting fictional hospital employees failing at HIPAA security or allowing someone to openly walk through administrative areas simply because they have an official-looking badge. This kind of training connects with trainees, offering better retention and creating an “a-ha!” moment when they are later faced with a similar situation.

To make it more fun, you might hold a prize drawing among those who report a potential security incident during a certain time period. The key is a constant drumbeat of training that helps create the culture of security that healthcare organizations need.

To build on the training, phishing exercises carried out by your organization’s security group can help gauge the effectiveness of the training. Users who struggle with identifying phishing scams should receive additional training. Phishing training is complex and requires purpose-built tools, such as education software that is impactful but that employees don’t dread. Phishing education software can also give IT teams tools to create simulated phishing emails, and some vendors provide dashboards or other metrics to determine effectiveness by employee or department. Third-party vendors can also conduct phishing campaigns on behalf of organizations.

It’s recommended that each employee is phished at least once a quarter. Some healthcare organizations phish everyone during a limited time, which can create bottlenecks for IT staff. Consider a drip email campaign of weekly or bi-weekly emails that phish each employee quarterly.
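The quarterly drip cadence and the per-employee/per-department metrics described in the two paragraphs above, as an added example that is not part of the original article or any vendor product: it spreads a constructed staff roster across weekly (or bi-weekly) send waves so each employee is phished exactly once per quarter, then computes click and report rates per department and flags users who need additional training. The 13-week quarter, the roster, the outcome labels and the remediation threshold are all assumptions made for the example.

```python
from collections import defaultdict

WEEKS_PER_QUARTER = 13  # assumption: a 13-week quarter

# Constructed sample roster of (user, department); all names are hypothetical.
ROSTER = [
    ("alice", "Nursing"), ("bob", "Nursing"), ("carol", "Billing"),
    ("dave", "Billing"), ("erin", "Radiology"), ("frank", "IT"),
    ("grace", "Nursing"), ("heidi", "Radiology"),
]

# Constructed outcomes of the last four quarterly simulations per user.
OUTCOMES = {
    "alice": ["reported", "reported", "ignored", "reported"],
    "bob": ["clicked", "ignored", "clicked", "ignored"],
    "carol": ["reported", "ignored", "ignored", "reported"],
    "dave": ["clicked", "reported", "ignored", "ignored"],
    "erin": ["ignored", "ignored", "reported", "reported"],
    "frank": ["reported", "reported", "reported", "reported"],
    "grace": ["clicked", "clicked", "clicked", "reported"],
    "heidi": ["ignored", "clicked", "ignored", "ignored"],
}

def drip_schedule(roster, cadence_weeks=1):
    """Map send week -> users. Each user is phished exactly once per quarter,
    and sends are spread round-robin over the weekly (or bi-weekly) waves so
    no single week floods the help desk or the security team."""
    waves = list(range(1, WEEKS_PER_QUARTER + 1, cadence_weeks))
    schedule = defaultdict(list)
    for i, (user, _dept) in enumerate(roster):
        schedule[waves[i % len(waves)]].append(user)
    return dict(schedule)

def department_metrics(roster, outcomes):
    """Per-department click rate and report rate across all simulations sent."""
    dept_of = dict(roster)
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for user, results in outcomes.items():
        t = totals[dept_of[user]]
        t["sent"] += len(results)
        t["clicked"] += results.count("clicked")
        t["reported"] += results.count("reported")
    return {d: {"click_rate": t["clicked"] / t["sent"],
                "report_rate": t["reported"] / t["sent"]} for d, t in totals.items()}

def needs_extra_training(outcomes, max_clicks=1, window=4):
    """Users who clicked more than max_clicks times in their last `window` simulations."""
    return sorted(u for u, res in outcomes.items()
                  if res[-window:].count("clicked") > max_clicks)
```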

Creating a culture of security is critical for hospitals and health systems, as important as the physical security of network infrastructure, monitoring network traffic, and maintaining a robust software patching program. Given the tight IT workforce environment and competing demands on existing IT staff, outsourcing a managed security awareness and training program might make sense.


About Don Kelly

Don Kelly is the Manager of the Virtual Information Security Program at Fortified Health Security, healthcare’s cybersecurity partner, which protects patient data and reduces risk for healthcare organizations by partnering with them through a host of managed service offerings and technical security solutions.

Copyright © 2025. HIT Consultant Media. All Rights Reserved.