What Healthcare Security in 2016 Can Tell Us About How to Train Better for 2017
The need for Security Awareness Training in Healthcare
One of the biggest threats to your organization's information security can come from within the company itself. Apart from intentional insider attacks by corporate spies and disgruntled employees, uninformed and non-malicious employees are also a potential threat. These users often harm the network by responding to phishing emails, visiting malware-infected websites, leaving their computers unattended, storing login credentials in unsecured locations, or giving out sensitive information over the phone. This usually happens because untrained employees are not aware of the ways they could be leaking critical organizational information. One of the best ways to prevent it is organization-wide information security awareness training, which can range from classroom sessions to regular email reminders or even security awareness posters. This helps ensure that employees fully understand the organization's information security policy, are updated regularly, and stay consciously aware of emerging threats.
Security awareness training in healthcare matters from several perspectives. It is not only required for compliance with healthcare regulations; it also drives a team approach to healthcare security that covers workplace ethics, risky behavior, and the benefits that result from being security-aware.
Healthcare Security in 2016
According to a study by TrapX Labs, the research arm of TrapX Security, the healthcare industry was hit by about 93 major cyber attacks in 2016, about 36 more than in 2015. That is roughly a 63% increase in the number of attacks year over year.
Among the major attacks were those on Newkirk Products, Banner Health, 21st Century Oncology and Valley Anesthesiology Consultants. In 2016, 31% of major reported HIPAA data breaches were carried out by sophisticated cyber criminals, a 300% increase over the previous three years.
TrapX researchers also pointed to two major trends in 2016: the rise of ransomware in the healthcare industry, and the continued evolution of medical device hijacking. MEDJACK, as TrapX calls it, plants backdoors in medical devices such as life-support equipment; attackers use emailed links or compromised websites to deliver their tools onto the devices.
“Once inside the network, these attackers move laterally in search of high-profile targets from which they can ultimately exfiltrate intellectual property and patient data,” says Moshe Ben-Simon, co-founder and VP of services at TrapX Labs.
“Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it,” explains Ben-Simon. “The great majority of existing cyber-defense suites do not seem able to detect attackers moving laterally from these compromised devices.”
Ransomware attacks on medium and large healthcare organizations have likewise become more diverse. According to a survey by Solutionary in July 2016, the healthcare industry is frequently targeted with ransomware mainly because organizations are willing to pay to recover their valuable patient data.
Another weak link is the lack of awareness and training among healthcare employees. According to Alex Heid, Chief Research Officer of SecurityScorecard, “Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing and other social engineering attacks.” He added, “The low social engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient.” According to Heid, an attacker needs only a single piece of information about the organization to manipulate an employee, through social engineering, into providing sensitive information or access to the organization's network.
While Internet of Things (IoT) devices greatly help medical staff carry out their duties effectively, they also introduce security threats for which there is usually no mitigation in place. IoT devices have repeatedly made headlines because of their exploitable weaknesses. “As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn’t only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device,” said Heid.
The SecurityScorecard 2016 Healthcare Report found that companies with low social engineering scores also had more active detected malware infections. Besides misconfigured networks, outdated web applications are common in the healthcare industry, and simple web application attacks against these sites can give attackers useful information, which can then be used for insurance fraud and identity theft.
What to do in 2017?
Let us look at how healthcare employees can be trained better in 2017 to prepare for ever-emerging cyber security risks.
An Information Security Handbook
A handbook is a good starting point for new employees. Employees cannot be expected to remember every aspect of security taught to them in classroom-style training, and a handbook provides the required guidelines whenever they are needed. A hospital information security handbook should contain all security-related policies, procedures and standards.
The content of the handbook should cover:
- Frequently Asked Questions (FAQs)
- Everyday best security practices
- Key Contacts in case of emergency
- Policies and procedures related to information security
Develop a Communication Channel for Real-Time Guidance
A real-time communication channel helps in two ways: employees who need quick help can get answers to their security-related questions, and urgent security issues can be escalated immediately.
Classroom-Style Awareness Sessions
A handbook and a real-time communication channel each play their part in creating security awareness, but to engage employees more dynamically you need participatory awareness sessions, where they learn not only from lectures but also by sharing their knowledge with each other.
It is also important to hold these sessions regularly, because people naturally forget; a conscious effort is required, time and again, to remind them.
Setting up a Security Awareness Program in Healthcare
The goal of such a program is to increase organizational awareness and the real-world implementation of security best practices. It should cover all employees, new and existing, across all departments, and be reinforced regularly.
An effective security awareness program should begin by considering the following main components.
- Communication: security should be a regular part of the conversation at your organization. Upper management must regularly remind employees why it is essential to running business operations successfully. This can take the form of emails, posters, classroom-style training, or even routine conversations.
- Checklist: one or more checklists should be developed to make sure that best practices are followed throughout the organization. They can cover key points such as what to do when an employee joins or leaves, how often employees should be reminded, and how to communicate with partners or customers after a security breach.
- Content: your information security awareness training must cover all relevant material, and employees should be able to refer to it whenever needed. This can include job-role security guidelines, training material, the security handbook, and the information security policy.
- Controls: no matter how strong your security awareness program is, human error will still happen at some point. Even with all the training, an employee may open a malicious email in a hurry, or plug an infected flash drive into a computer. This is where technical controls are necessary, so that people and systems cannot do more than their roles require without appropriate approval.
- Monitoring: for network-related risks, healthcare providers need a monitoring solution that continuously examines the organization's exposed network services and vulnerable web applications.
Healthcare Security Awareness Tips and Resources
Although there is no single rule of thumb for fixing the security gaps in healthcare organizations, past experience in the industry has taught healthcare experts some important lessons.
When developing healthcare security awareness training, keeping the following tips in mind can help you design a better strategy.
Maintain a Top-down Approach
A top-down approach is more effective at improving user awareness and ensuring that staff follow the required protocols. It is advisable to repeat the program quarterly or biannually, to remind employees of the protocols they are supposed to follow and to reward those who do.
Refer to Health and Cyber Security Standards when Devising Awareness Training
When developing a model for security awareness training, use the HIPAA Security Rule and National Institute of Standards and Technology (NIST) guidance as a foundation for defining healthcare-specific and role-based cybersecurity education.
Engage Non-IT Staff to Avoid Human Error
Non-IT staff such as doctors and nurses should receive practical education on how to handle Protected Health Information (PHI) while they are accessing it.
To know more about healthcare security awareness and training, check our resources below: