The Frontline: Cybersecurity Training for Healthcare Workers
Laura M. Cascella, MA
In recent years, “cybersecurity” has become a top buzzword in business and public sectors, including healthcare. The need to protect proprietary and sensitive information is increasingly challenging as technology expands and evolves. Complex networks and data exchanges, cloud-based services, social media, online portals, the Internet of Things, and other technologies have introduced opportunities and efficiencies but also potential threats.
For healthcare organizations, from small practices to large health systems, devising actionable, well-defined cybersecurity strategies is imperative as cyberattacks against the industry, and the costs associated with them, continue to grow. At the top of that list of strategies is developing and executing a robust cybersecurity training program for staff members. Although staff training might seem less tangible than a concrete measure such as installing a firewall or patching software, its benefits should not be underestimated.
The Importance of Cybersecurity Training
Staff members are a frontline resource in preventing cyberattacks, but they also can represent a significant vulnerability for organizations. Verizon’s 2018 Data Breach Investigations Report notes that, “Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats.”1 A Medscape article echoes this concern, stating that “Many physicians, providers, and employees unknowingly engage in risky behavior on their home and work computers.”2
A survey of more than 600 healthcare professionals conducted by Merlin International and the Ponemon Institute revealed that about half of the participants felt that “lack of employee awareness and training affects their ability to achieve a strong security posture;” almost three-fourths of participants “cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture.”3
Staff awareness of best practices related to cybersecurity and data protection, as well as a thorough understanding of organizational security protocols, are the basis of a solid training program and crucial to each organization’s cybersecurity plan.
Developing a Robust Training Program
Healthcare organizations vary in size, location, patient population, clinical staff, systems, and so on. Because each organization is unique, a one-size-fits-all training approach for cybersecurity is unrealistic; however, it is likely that many organizations face similar threats and will want to educate staff on similar topics. When devising educational outreach related to cybersecurity, consider the following topics for inclusion:4
- Common ways that breaches occur, such as lost or stolen laptops, data sharing over unsecured networks, inappropriate access to systems, and careless security practices
- Common cyber threats — such as ransomware, phishing, spyware, distributed-denial-of-service attacks, Trojan horses, worms, and pretexting — and how they are executed
- Best practices for preventing data breaches and cyberattacks, including:
  - Using technical safeguards such as data encryption, two-factor or multi-factor authentication, strong passwords or passphrases, and system lockouts (after inactivity or repeated failed logins)
  - Sharing confidential or sensitive information only via approved, secure communication channels
  - Not accessing confidential or sensitive information on public computers or over public or unsecured wireless connections
  - Knowing the red flags of a cyberattack, such as suspicious URLs or domain names (for example, a link whose visible text differs from its actual destination), unsolicited emails requesting personal information, offers that seem too good to be true, emails containing odd messaging or typos/grammatical issues, requests for money, and messages containing threats
  - Avoiding risky online behaviors, such as bypassing virus protection alerts, clicking on pop-up ads, visiting sites with known security issues, reusing the same password across multiple sites, opening email attachments from unknown sources, and failing to sign out of shared computers
  - Being aware that cybercriminals mine social media for details that help them guess passwords or security-question answers, or craft convincing pretexts, in order to break into accounts
  - Taking physical precautions to prevent inadvertent disclosure of protected information, such as using privacy screens, not writing down or sharing passwords, logging out of systems after use, and following policies on taking mobile devices or hardcopy data off organizational premises
- Possible consequences of cybersecurity lapses, including loss of systems, interruptions to patient care and processes, possible patient harm, financial losses, and impact to the organization’s reputation
- Organizational policies and protocols that support a culture of security, including:
  - Compliance with state and federal privacy and security laws
  - Procedures for conducting risk assessments and gap analyses
  - Rules related to social media and use of personal electronic devices
  - Strategies for securely storing and disposing of protected information (hard copy and electronic)
  - Procedures for reporting behaviors and actions that violate the organization’s privacy and security policies, along with continued assurance of a nonpunitive environment for raising concerns
  - Disciplinary actions for deviating from established policies and protocols
  - Procedures for responding to suspected or known breaches or cyberattacks, including incident reporting protocols and staff roles and responsibilities
  - Strategies for managing loss of systems or access to electronic health records
- Resources for continued learning about cybersecurity best practices and breach prevention protocols, such as The Office of the National Coordinator for Health Information Technology, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services
Conducting a security risk assessment (as required by HIPAA for covered entities and business associates) can help define the specific needs of each organization so that training can be focused or customized as needed.
Other Training Considerations
Individuals in charge of developing and organizing staff education should consider various training formats and activities to keep individuals engaged and aware. For example, sending simulated phishing emails, followed by immediate feedback rather than punishment, can help staff learn to identify cybersecurity red flags. Reviewing actual scenarios of healthcare breaches and cyberattacks, including discussing what occurred, how it occurred, and ways to prevent similar incidents, also might be beneficial. Other options include periodic email reminders, interactive modules, posters, team discussions, and role playing.
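The following Python script is an added illustration, not part of the original article or its cited sources, of the red flags listed above and of the kind of check a simulated-phishing debrief can walk staff through. It scores a message for a lookalike sender domain, a display name that claims the organization while the address is external, link text that differs from the link's real destination, links to raw IP addresses, requests for credentials or money, threats and deadlines, and odd spelling. The organization domain (example-health.org), the keyword lists, and both sample messages are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed legitimate domain of the fictional organization (an assumption for this example).
TRUSTED_DOMAINS = {"example-health.org"}

# Wording red flags from the training list; these word lists are illustrative, not exhaustive.
KEYWORDS = {
    "requests credentials or personal info": ("password", "verify your account",
                                             "social security", "date of birth"),
    "requests money": ("wire transfer", "gift card", "payment is overdue"),
    "threatens or pressures": ("suspended", "legal action", "within 24 hours", "immediately"),
    "odd spelling or grammar": ("recieve", "acount", "kindly revert", "do the needful"),
}

# Anchor text that itself looks like a URL or domain, e.g. "https://example-health.org/portal".
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two DNS labels ('portal.example-health.org' -> 'example-health.org').
    A crude stand-in for a public-suffix lookup; adequate for this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance_one(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    return a[i + 1:] == b[i + 1:] or a[i + 1:] == b[i:] or a[i:] == b[i + 1:]


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates a trusted one: punycode (xn--), the trusted name buried
    inside another domain ('example-health.org.evil-host.net'), the trusted name padded with
    extra tokens ('example-health-login.org'), or a one-character typo ('example-heath.org')."""
    domain = domain.lower()
    if domain.startswith("xn--") or ".xn--" in domain:
        return True
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return False  # the real domain, or a subdomain of it
    for trusted in TRUSTED_DOMAINS:
        base = trusted.split(".")[0]
        if trusted in domain or base in reg or edit_distance_one(reg.split(".")[0], base):
            return True
    return False


def scan_email(msg: dict) -> list:
    """Return the red flags found in a parsed message. msg has keys from_name, from_addr,
    subject, body, and links (a list of (anchor_text, href) pairs)."""
    flags = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates a trusted domain")
    # Display name claims to be the organization while the address lives elsewhere.
    name = msg.get("from_name", "").lower()
    claims_org = any(t.split(".")[0].replace("-", " ") in name for t in TRUSTED_DOMAINS)
    if claims_org and registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        flags.append("display name claims the organization but the address is external")
    for text, href in msg.get("links", []):
        host = (urlparse(href).hostname or "").lower()
        if IPV4.fullmatch(host):
            flags.append(f"link points at a raw IP address: {href}")
        elif is_lookalike(host):
            flags.append(f"link domain {host} imitates a trusted domain")
        shown = DOMAIN_TEXT.match(text.strip())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            flags.append(f"link text shows {shown.group(1)} but goes to {host}")
    wording = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    for label, words in KEYWORDS.items():
        hits = [w for w in words if w in wording]
        if hits:
            flags.append(f"{label}: {', '.join(hits)}")
    return flags


# Constructed sample messages (not real e-mails) for a simulated-phishing debrief.
PHISH = {
    "from_name": "Example Health IT Support",
    "from_addr": "helpdesk@example-health-login.org",
    "subject": "Action required: your acount will be suspended",
    "body": ("We could not verify your account. Log in within 24 hours at the link below "
             "and confirm your password, or access will be suspended."),
    "links": [("https://example-health.org/portal",
               "http://example-health.org.evil-host.net/login")],
}
BENIGN = {
    "from_name": "Example Health IT Support",
    "from_addr": "helpdesk@example-health.org",
    "subject": "Scheduled maintenance Saturday",
    "body": "The patient portal will be offline from 2 to 4 a.m. No action is needed.",
    "links": [("patient portal", "https://portal.example-health.org/")],
}

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, "->", scan_email(msg) or ["no red flags"])
```

Every flag the script raises is one a person can verify by reading the sender address, hovering over a link to compare its visible text with its real destination, or noticing the pressure in the wording; that is the point of the exercise for training. The heuristics are deliberately simple and are not a substitute for mail-gateway filtering.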
Educators also should be mindful that staff members will have varying levels of technical knowledge and aptitude. Training sessions and materials should be clear and understandable to all participants. Focusing on need-to-know information and avoiding technical jargon can support participant understanding and retention of information.5
In Summary
Cultivating a knowledgeable and well-educated staff is one of the preeminent ways that healthcare organizations can protect against security breaches and cyberattacks. By developing a comprehensive staff education program on cybersecurity best practices, policies, and protocols, organizations can help ensure that staff members are an asset rather than a vulnerability.
Resources
For more information on cybersecurity, go to the following MedPro resources:
- 10 Ways to Establish a Security Culture at Your Healthcare Organization
- Passwords: A New Approach to an Old-School Security Strategy
- Risk Resources: Cybersecurity
- Risk Tips: Using Physical Safeguards to Prevent Security Breaches
- Risk Tips: Using Technology-Based Safeguards to Prevent Security Breaches
- Video: Online Vulnerabilities for Healthcare Organizations
Endnotes
1 Verizon. (2018). 2018 data breach investigations report: Executive summary. Retrieved from https://enterprise.verizon.com/resources/reports/dbir/
2 Hood, G. A. (2017, April 25). How to prevent costly and dangerous cyberattacks. Medscape. Retrieved from https://www.medscape.com/viewarticle/878592_3
3 Merlin International. (2018, March 12). Merlin International & Ponemon Institute cybersecurity study signals dangerous diagnosis for healthcare industry. BusinessWire. Retrieved from www.businesswire.com/news/home/20180312005302/en/Merlin-International-Ponemon-Institute-Cybersecurity-Study-Signals
4 Hood, How to prevent costly and dangerous cyberattacks; Shryock, T. (2017, February 10). Top tips for protecting a practice from hackers. Medical Economics. Retrieved from www.medicaleconomics.com/medical-economics-blog/top-tips-protecting-practice-hackers; Weil, S. (2017, February 10). How 4 key practices can prevent ransomware incidents. Health Data Management. Retrieved from www.healthdatamanagement.com/opinion/how-4-key-practices-can-prevent-ransomware-incidents; Downing, K. (2017). AHIMA guidelines: The cybersecurity plan. Retrieved from http://journal.ahima.org/ahima-guidelines-cybersecurity-plan/
5 Snell, E. (Ed.) (2017). Training employees to avoid healthcare data security threats. HealthIT Security. Retrieved from https://healthitsecurity.com/features/training-employees-to-avoid-healthcare-data-security-threats