Security Awareness Checklist for Healthcare Institutions

August 23, 2018 by Susan Morrow

Healthcare has taken the brunt of cybercrime for a number of years now. In 2016, IBM released data showing that healthcare was the number-one industry for cyberattacks. Now, in 2018, the cybercrime news is no better: the “Security Scorecard,” which illustrates how effective the cybersecurity measures of a given industry are, shows healthcare is near the bottom of the list compared to other industries.

This result is exemplified by the latest Ponemon/Merlin International study, the 2018 Impact of Cyber Insecurity on Healthcare Organizations, which showed that 62% of healthcare organizations experienced a cyberattack in the previous 12 months.

Ultimately, the one most impacted by the industry’s instability is the patient. In a survey by Fortified Health Security, it was found that 40% of patients would be reticent to choose a healthcare organization that had been hacked. And then there are the costs of cybercrime to the industry, as well as the fines imposed through regulations such as HIPAA and GDPR.

Having an awareness of security that permeates the organization can help to mitigate these losses and manage disruption. Below is a checklist to help you work out where to focus your efforts in managing the cybersecurity challenges of healthcare.

Having a Healthy Awareness of Security

Having a checklist is a great place to start with any new task. It keeps your mind focused, and you can go back to check off what you’ve done. It can also be shared and collaborated on to make sure that everyone is singing from the same sheet. Here is a checklist for healthcare security to begin your journey to a healthy and cybersecure workplace.

#1 Get to Know the Cybercriminal

In business, if you know your competition you have a better chance of outcompeting them. The same is true for cybercrime. “Know thy enemy.”

Begin with the understanding that the healthcare industry faces a number of common types of cybersecurity threat. These include phishing, ransomware and record exposure. Keeping in touch with what is happening in the industry will give you an insight into where to focus your often-stretched resources.

You’ll find there are often “seasons” of particular attack types in healthcare. The HIPAA Journal, for example, identified a large number of phishing attacks on healthcare establishments. Similarly, 2017 saw a spate of ransomware, culminating with the massive WannaCry attack which had major repercussions on the UK’s NHS.

Creating a successful security awareness program for your organization starts with understanding what you are up against and building the program around those threat types. Do your homework and build up a list of research areas and go to portals, like the OCR, to keep aware and ahead of the cybercriminal game. Use this knowledge to empower your workforce and make everyone a white-hat hacker.

#2 Map What Cybercriminals Want

Understanding the type of attacks you can face is only one part of the security awareness equation. You also need to know what parts of your healthcare organization are vulnerable and what the hacker is after.

Healthcare is a data-driven and data-rich industry. To create and utilize these data, the healthcare industry has also been an innovator in its use of technologies like the Internet of Things (IoT) and cloud computing. In fact, healthcare is so enamored with the IoT that the IoT market in healthcare is expected to grow by over one fifth to 2025. But new technologies bring with them new cybersecurity challenges, because they expand the attack surface and increase the points of entry.

Mapping out the vulnerable places in your network and knowing what your data lifecycle looks like is part of the risk assessment needed to help protect your systems. After all, you can be sure that the cybercriminal targeting your organization will know this too.

#3 Create a Contact Plan

Part of being security-aware is knowing what to do when something happens. Healthcare organizations are often extremely busy and resources are limited; being able to manage a cyberthreat should not entail complicated contact hierarchies that might not be possible. Have clear points of contact and advisories written in non-technical language so that everyone can follow them. A good security awareness training program and policy should build this into the structure of your organization.

#4 Use the Right Tools for the Job

Cybercrime creates intersections at the point where human beings meet technology. You can use security awareness training programs to manage the human element of cybercrime, but you should also look to technology to slam the door in the cybercriminal’s face. Technology options include:

  • Encryption for data at rest (e.g. hard disk and database encryption) and data in transit (e.g. SSL/TLS for HTTPS)
  • Identity and Access Management (IAM) platforms for both employees and customers that offer assured identity and robust authentication
  • Mobile security (e.g. wireless security and app management)
  • Cloud app security (e.g. the OWASP Top Ten advisories)
  • Disaster recovery, such as secure, ransomware-resistant backups

#5 Double-Bolt the Door

One of the most important technologies at this human-being-technology intersection is the login credentials used to access applications, databases and other network resources. These login credentials, or “authentication measures,” are increasingly becoming the first port of call for hackers. If a hacker can trick a user into giving them their login credentials, then they essentially have access to anything that user has access to. Worse still, spearphishing targets privileged users, such as system admins, who have access to sensitive data and databases.

Although security awareness training can help prevent many phishing attempts, one small slip can result in a major breach. One example of this is the Kaleida Health breach of 2017, where an employee’s email account was accessed via a phishing email.

When it comes to phishing, a dual approach is the best way to manage the threat. As well as training employees to spot a phishing email, you should implement a second-factor method to augment a password for network and resource access.
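To make the “second factor” concrete, here is an added example (not from the original article or any product it mentions) of how a password check is augmented with a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226). The account record, salt and user name are constructed for illustration; the shared secret is the RFC test-vector secret so the codes can be checked against the published vectors. The point to take from it is that a phished password alone no longer opens the account, and a code that has been used once is refused on replay.

```python
"""Password plus TOTP second factor: a runnable illustration, not a production library.
All account data below is constructed for the example; HOTP/TOTP follow RFC 4226 / RFC 6238."""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a stolen hash is costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class Account:
    """Hypothetical user record: password hash, TOTP secret, and the last code step consumed."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = b"constructed-salt-use-os.urandom"  # constructed; use os.urandom(16) for real
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_step_used = -1  # replay protection: each time step is accepted at most once


def match_totp(account: Account, submitted: str, unix_time: int,
               window: int = 1, step: int = 30, digits: int = 6):
    """Return the time step whose code matches (allowing +/- window steps of clock skew),
    or None. Steps already consumed are skipped so a captured code cannot be replayed."""
    current = unix_time // step
    for drift in range(-window, window + 1):
        step_no = current + drift
        if step_no <= account.last_step_used:
            continue
        expected = hotp(account.totp_secret, step_no, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return step_no
    return None


def login(account: Account, password: str, code: str, unix_time: int) -> bool:
    """Both factors are evaluated; the TOTP step is consumed only on a fully successful login."""
    password_ok = hmac.compare_digest(hash_password(password, account.salt),
                                      account.password_hash)
    matched = match_totp(account, code, unix_time)
    if password_ok and matched is not None:
        account.last_step_used = matched
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; in practice a per-user random secret is provisioned to the authenticator app.
    secret = b"12345678901234567890"
    acct = Account("nurse.jdoe", "correct horse battery", secret)  # constructed
    now = 59  # fixed timestamp so the run is deterministic; use int(time.time()) in practice
    print("phished password, no code :", login(acct, "correct horse battery", "000000", now))
    print("password + valid code     :", login(acct, "correct horse battery", totp(secret, now), now))
    print("same code replayed        :", login(acct, "correct horse battery", totp(secret, now), now))
```

In a real deployment the secret would be generated with `os.urandom`, stored encrypted alongside the account, and the current time taken from `time.time()`; the window of one step either side is the usual compromise between tolerating clock drift on phones and limiting how long a captured code remains useful.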

To give your healthcare organization a chance against the wave of cybercrime targeting the sector, you have to play the cybersecurity awareness card. Having a checklist of must-dos can give you the basis for a healthy and cybersecurity-knowledgeable organization that makes the criminal’s job much harder and yours much easier.

Threat Intelligence Report 2016, IBM X-Force

Merlin International & Ponemon Institute Cybersecurity Study Signals Dangerous Diagnosis for Healthcare Industry, BusinessWire

2018 Horizon Report, Fortified Health Security

Spate of Phishing Attacks on Healthcare Organizations Sees 90,000 Records Exposed, HIPAA Journal

Breach Portal, U.S. Department of Health and Human Services

Internet of Things (IoT) in Healthcare Market, Transparency Market Research

NY: Kaleida Health notifies 2,789 patients about phishing incident,

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure. Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.