Beyond Compliance: Why “Check-the-Box” Security Fails in Healthcare

by Mike Levin, General Counsel and Chief Information Security Officer at Solera Health, 12/30/2025

Healthcare has become a uniquely complex and high-risk digital environment. Most organizations deal with a patchwork of legacy systems, cloud migrations, and evolving third-party ecosystems, all of which make maintaining security feel like trying to patch holes in a leaky ship while mandated to sail full speed ahead. 

With this backdrop, it’s no wonder many organizations and teams fall back on “check-the-box” compliance to manage risk.

It should go without saying, but passing an audit doesn’t mean you’re secure. Breaches often happen not because of sophisticated attackers, but because a well-intentioned employee clicks the wrong link, misconfigures a system, or shares sensitive data in an attempt to help or simply to do their job. And in healthcare, where “helping” is a defining cultural trait, the risk can be even more pronounced.

It’s time to rethink how we approach security training and awareness in healthcare.

Rethinking Traditional Compliance Training
Traditional compliance training often fails to address actual risk because it uses:

  • Generic, outdated content that doesn’t reflect current threats.
  • Design focused on clearing audits rather than addressing actual risks.
  • Training on topics like phishing, HIPAA, or anti-fraud without adequately reflecting how risks are interconnected.

In my experience, more holistic, risk-informed, role-relevant training that integrates threats and workflows into a single conversation delivers much better results. This involves moving away from mundane annual modules toward continuous, contextual education that adapts to the reality of the risks your organization faces in real life.

Accounting for the Human Factor
Your staff is both your biggest security asset and your biggest vulnerability. Most breaches don’t stem from malice—they happen because people are trying to do their jobs quickly and efficiently.

Healthcare workers are helpers by nature, and attackers know it. Social engineering exploits their instinct to assist, as seen in the Change Healthcare breach and countless phishing campaigns.

To mitigate this, design workflows with a “happy path” that makes secure behavior the easiest, most convenient option. If staff need to bypass security controls to get their job done, that’s not a user failure; it’s an engineering failure.

The Three Es: Education, Engineering, Enforcement
I’ve found that you can build a strong security program by aligning your people, processes, and technology across three pillars, or the “three Es”:

1. Education: Use continuous and relevant education tailored to real threats, as opposed to generic modules. Threat profiling can be used to focus training on actual organizational risks, such as misconfigurations, API security, or third-party risks. You can drive engagement using positive reinforcement and gamification, whether it’s competitions during Cybersecurity Awareness Month or public recognition for phishing reports.

2. Engineering: Build secure-by-default systems that reduce the opportunity for error and prioritize visibility—you can’t fix what you can’t see. The idea is to eliminate the need for staff to find workarounds by giving them tools that align with their day-to-day workflows, ultimately reducing the emergence of shadow IT. After all, shadow IT signals unmet needs, not simply policy violations.

3. Enforcement: It can be delicate, but it’s important to balance positive reinforcement with meaningful consequences, which means publicly recognizing good behavior while consistently and fairly addressing violations. Your policies should be clearly communicated and tied to real workflows, so team members know what’s expected and why it matters.

Healthcare-Specific Challenges and Threats
Healthcare relies heavily on third-party vendors and partners, which significantly expands the attack surface. A single compromise can create a ripple effect that impacts clinics, payers, and providers downstream.

Identity and access management (IAM) is vital but very hard to do well in large legacy organizations, and many healthcare organizations still struggle with:

  • Poor visibility into accounts and access levels.
  • Overly permissive access due to operational convenience.
  • Unmonitored service accounts that create persistent risk.

An effective IAM roadmap for healthcare organizations should focus on clarity, control, and user accountability, but without losing operational efficiency.
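The three IAM gaps listed above (poor visibility, convenience-driven over-privilege, and unmonitored service accounts) are all things a periodic access review can surface from a plain account export. The script below is an added illustration, not part of the original article and not a tool from the author or Solera Health; the account inventory, role names, and the 90-day idle threshold are constructed for the example and would be replaced by a real directory or IAM export and the organization's own policy values.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real accounts): the kind of flattened export an
# IAM or directory tool produces, reduced to the fields an access review needs.
ACCOUNTS = [
    {"name": "jsmith", "type": "human", "owner": "jsmith",
     "roles": ["clinician"], "last_login": date(2025, 12, 20), "monitored": True},
    # Shared floor account that picked up a billing role "for convenience".
    {"name": "rn_float", "type": "human", "owner": None,
     "roles": ["clinician", "billing_admin"], "last_login": date(2025, 6, 1), "monitored": True},
    {"name": "svc_hl7_bridge", "type": "service", "owner": "integration-team",
     "roles": ["hl7_read"], "last_login": date(2025, 12, 29), "monitored": True},
    # Legacy integration account nobody owns and nobody watches.
    {"name": "svc_legacy_etl", "type": "service", "owner": None,
     "roles": ["db_admin"], "last_login": date(2024, 11, 3), "monitored": False},
    {"name": "admin_old", "type": "human", "owner": "admin_old",
     "roles": ["domain_admin"], "last_login": date(2025, 1, 15), "monitored": True},
]

# Hypothetical role names that count as privileged in this inventory.
PRIVILEGED_ROLES = {"domain_admin", "db_admin", "billing_admin"}
# Assumed policy value: an account idle longer than this is reviewed for removal.
STALE_AFTER = timedelta(days=90)
# Review date used for the worked example.
AS_OF = date(2025, 12, 30)


def review_accounts(accounts, as_of=AS_OF):
    """Return {account name: [finding, ...]} for accounts that need attention.

    Accounts with no findings are omitted, so the result is the review worklist.
    """
    report = {}
    for acct in accounts:
        findings = []
        roles = set(acct["roles"])
        privileged = roles & PRIVILEGED_ROLES

        # Unmonitored or unowned service accounts are persistent, unattributed risk.
        if acct["type"] == "service":
            if acct["owner"] is None:
                findings.append("service account has no named owner")
            if not acct["monitored"]:
                findings.append("service account activity is not monitored")

        # Convenience grants: an admin-level role bundled onto a routine account.
        if privileged and (roles - PRIVILEGED_ROLES):
            findings.append("privileged role(s) %s bundled with routine roles"
                            % ", ".join(sorted(privileged)))

        # Stale accounts are a visibility gap: nobody is using them, but they still work.
        idle = as_of - acct["last_login"]
        if idle > STALE_AFTER:
            findings.append("no login for %d days" % idle.days)

        if findings:
            report[acct["name"]] = findings
    return report


def summarize(report):
    """Count findings by category, the line a CISO dashboard would show."""
    counts = {}
    for findings in report.values():
        for f in findings:
            key = f.split(" for ")[0] if f.startswith("no login") else f.split(" %s" % ",")[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for name, findings in sorted(review_accounts(ACCOUNTS).items()):
        print(name)
        for f in findings:
            print("  -", f)
```

Running it against the constructed inventory flags three of the five accounts and leaves the well-maintained clinician and the owned, monitored HL7 service account alone, which is the point: the review should produce a short worklist with a stated reason per account, not a dump of every entry. Feeding it a real export is mostly a matter of mapping the directory's fields onto the same keys.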

The Bottom Line: Align Policy with Reality
It sounds intuitive, but you’d be surprised how many organizations fail to deploy policies that reflect how people actually work. Instead, they often focus too much on how higher-ups think they should work. Policies created solely to pass audits but that conflict with your operational reality are simply ineffective. And they can even be legally risky.

So, what do effective policies look like? For one, they guide behavior without negatively impacting productivity. They should be communicated in plain language, rather than using legal jargon. And they should be supported by workflows and tools that make compliance the easiest path.

Ultimately, security isn’t just a technical challenge; it’s also a cultural one. You need to align your people, processes, and technology to create a culture where secure practices are the intuitive norm and a part of everyday operations.

By applying the three Es—education, engineering, and enforcement—you move beyond a “check-the-box” compliance mentality and toward meaningful risk reduction. The ultimate goal is to empower your teams to make the right choices by design.

In a sector defined by caring for and helping others, a culture of secure care is the next logical step.


About Mike Levin

Mike Levin is the General Counsel and Chief Information Security Officer at Solera Health. Michael J. Levin is a cybersecurity executive with over 15 years of experience in public and private sectors. He most recently served as Deputy CISO at 3M Company, implementing robust security strategies for a global organization. Previously, as Senior Vice President at UnitedHealth Group, he built and led the Cyber Defense program. Mr. Levin’s public sector experience includes directing the Continuous Diagnostic & Mitigation (CDM) program at the U.S. Department of Health and Human Services, where he led critical cybersecurity initiatives.