Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy
1. What is Security Awareness Training?
The healthcare industry is arguably one of the most information-intensive. Personal health data is part of a critical pathway that impacts our everyday lives and health. The integrity and confidentiality of these data is paramount, not only for individual well-being but for continued innovation within the industry.
Being part of the big data revolution, at a time when the landscape of cybercrime has never been so threatening, has meant that the healthcare industry is a prime target for cyber attack. In 2014 the FBI gave out a warning that the healthcare industry was neglectful in its attitude to cyber-security threats when compared to other industry sectors. The result of this is borne out in evidence found by IBM X-Force Research, which shows that the healthcare industry was the most frequently attacked industry in 2015. This is likely due to the unique position that the healthcare industry finds itself in: Healthcare faces a gap between handling the massive data generated by the wider industry, and understanding and mitigating the threats posed by cybercrime.
The situation is also compounded by the speed at which technology is changing. New ways of generating sensitive information are entering the information arena. According to research by PWC, 86% of clinicians believe that mobile apps will be an important part of patient health management in the next few years. And the entry of the internet of things (IoT) into healthcare adds a new layer of data protection previously not experienced.
With all of these variables coming into play, we need to take a pro-active stance and build a program of security awareness. Security awareness uses education and knowledge to tackle the specter of security threats, in all its forms. Security awareness covers the whole gamut of security and builds up a knowledge base across your extended workforce around security issues that they can call upon to help mitigate risks. Security awareness training brings everyone in the organization together under an umbrella of training. It ensures that the playing field of knowledge around cyber security threats is level. Security awareness is about:
- Creating a culture of pro-active security—understanding what is happening in the wider security landscape, such as the significance of phishing
- Creating a respect for individuals’ privacy
- Knowing what protected health information (PHI) actually is and why it needs to be protected
- Understanding that security is part of the whole organization and impacts everyone
- Knowing which security and privacy rules apply to healthcare and what impact they have
Done well, security awareness training can become as integral a part of your overall security strategy as the technology you use to prevent the cyber attacks.
2. Why Do You Need Security Awareness Training in Healthcare?
Security and privacy cut across a number of legal frameworks within the USA. There is a good deal of general legislation and guidelines that cover data protection and privacy and some that are more focused on healthcare. The USA has a mosaic approach to data protection with no overarching federal law to cover the security issues surrounding personal information. There are two main areas of healthcare legislation that cover the protection of personal data or protected health information (PHI): the Health Insurance Portability and Accountability Act (HIPPA), and Health Information Technology for Economic and Clinical Health (HITECH). The two acts work in unison to cover the security expectations of the whole healthcare eco-system, extending outwards to healthcare providers business associates. Together, the acts set requirements to disclose data breaches, which are:
HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414: The rule requires that any breach of PHI must be disclosed to both patients and the government (breach meaning unauthorized data being used or disclosed). There are some nuances around the formal classification of a breach, but with the introduction of the HIPPA “omnibus rule,” which requires a risk assessment to set a breach as “low probability” for exposure, the chances are you have to declare the breach.
HITECH, Section 13407 is enforced by the Federal Trade Commission (FTC). The act allows the data protection rules to be extended to all entities not specifically covered by HIPPA: for example, extended business associates of healthcare providers, business associates being anyone, such as contractors and sub-contractors who are involved in any health-related data handling. One of the stipulations of the ruling is that for a breach involving more than 500 users you also must inform the media.
Breaches of 500 or more individuals are placed on a public register, jokingly called the “wall of shame,” which you can view here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
The resultant fines from HIPAA and HITECH breaches can be costly. Some examples include:
- $4.8 million HIPPA fine imposed upon the New York and Presbyterian Hospital and Columbia University, which involved the breach of PHI of 6,800 individuals
- $4 million HIPPA fine on Stanford Hospital & Clinics for the breach of 20,000 patient records, which was caused by a business associate posting the records to a publically accessible website
- $1.725 million fine levied on Concentra Health Services, which experienced a breach when an unencrypted laptop with patient records on was stolen from an employee’s car
Security awareness in healthcare cuts across many layers. As well as the legislative drivers that demand security awareness, a healthcare team approach to security is driven by:
Ethics: Healthcare has by definition a layer of ethics attached to the practice. Healthcare data and in particular PHI are part of the ethical layer that all of us expect to be respected. We all, at some point, share health information with medical practitioners, so there is a personal element to the ethics of data protection as well as an organizational benefit.
Risky behavior is very common: A study by Cisco found that risky security behavior was almost the norm in an organization, with many respondents admitting to putting data at risk at work. Improvement of behavior towards security as an issue is a key selling point, especially to C-level executives who need to oversee a company-wide security strategy.
Benefits of security awareness: The whole organization and individuals benefit from being security-aware. Individuals workers can “do their bit” by thwarting cyber-attacks. As cyber-threats against healthcare become more prevalent, the inclusion of all into the security equation is ever more important.
The climate of increasing threats against healthcare coupled with the need for legislative compliance makes healthcare a key industry for security awareness training. Creating an educated workforce that understands the implications of cyber-security on them and the industry is part of the overall healthcare security strategy. This is only compounded by the human element present in the most successful security threats, which are based on social engineering, e.g., phishing.
3. Who Are the Stakeholders Involved in the Training?
Security is about people. The human touch point is often the weak link in the chain. Cyber-threats take advantage of this by utilizing social engineering, as seen in the rise of phishing as a vector for attack. Security awareness is your tool in the fight against social engineering. But security awareness is also much more than this. It creates a level playing ground for your entire workforce and beyond, creating a ‘culture of security’.
With the addition of HITECH Section 13407, the number of stakeholders that need to be incorporated into a security-aware environment has been extended to cover all business associates that may have an interaction with personal data and PHI. This creates a highly diverse group, or eco-system, of stakeholders who are required to have a good understanding of the healthcare security landscape. This knowledgebase then allows adherence to the tenets of HIPPA and HITECH security rules. The end result of a security awareness program that encompasses all the possible players is an umbrella of security and privacy respect that will have positive outcomes across the entire eco-system.
Identifying who your key stakeholders are is the first part of the exercise in security awareness training. As mentioned previously, this has become a highly extended eco-system of players, brought into place by changes in the legislation governing information security in healthcare. Setting out your store in terms of who is a player will help guide your training exercise. However, the following list gives you an overview of the types of people involved in training:
- Front desk workers
- IT and tech staff
- Medics, including nurses, consultants and related roles such as social workers
- Healthcare call center workers and managers
- Medical claims handlers
- Laboratory technicians
Don’t forget: There needs to be a specific plan for bringing new employees on board, rather than waiting for the next security awareness training exercise. This will get them quickly up to speed and create a mind-set of security and privacy as they enter their post.
4. How to Sell Security Awareness to Your Stakeholders
We all know members of staff who grumble at anything outside of their immediate job remit. But because of legislation and the increasingly threatening nature of modern cyber-security, being security-aware is part of the role of a healthcare worker. All of us have the duty of caring for patient data. So how do we engage staff in the process of security awareness?
Security awareness training packages, if done well, will be configured to engage staff—engagement results in better understanding. Security can be a dry area, difficult to drum up interest in. However, well-designed security awareness training packages like AwareEd can be configured to work within the context of your organization to create tailored training campaigns—specific to your needs.
One of the ways that you can make sure that your team is benefiting from the sessions is to make the training interactive and unobtrusive. People can get irritated when their workday is interrupted, so offering ‘security over lunch’ or “brown-bag training”, which is an informal and less intrusive way of learning about security, can be highly effective. Another area that helps to focus training and make it highly relevant is to tailor the training campaigns to a person’s role in the organization.
Keeping security relevant and making it part of the normal program of workplace on boarding and training in your organization, will make it an easier all-round sell to your extended team.
Ultimately, security threats need to be accepted as a serious issue across healthcare. This means engagement across your organization: from your top-level management, across all major departments, and ultimately by the people who will be trained – your workers. Bringing them onboard with the message that, understanding how cyber security is a threat, how that threat works, and how to mitigate that threat as an individual, will benefit both themselves and the organization as a whole, is a fundamental message.
5. How to Set Up a Security Awareness Program in a Healthcare Environment
Now you have the buy-in from your extended team, you need to think about the co-ordination and setting up of your training program. Security awareness programs don’t have to be complicated to arrange. Automation is the key to success in managing these types of operations. Security awareness is a program that has to cater for a wide demographic. To ensure the effectiveness of security awareness training it needs to be palatable – with usability and accessibility of the training modules being key. It also has to have to have a high degree of reinforcement through continued and regular training sessions that closely mimic real-life security scenarios. Security awareness programs like AwareED have been specifically designed to help you make the process of on-boarding and engagement in your awareness training as easy as possible. AwareED allows you to create tailored packages of modules that suit a specific team of stakeholders or a security scenario—for example, phishing. Enrollment and customization are key features of an effective program. Being able to enroll your users and start security awareness training from a centralized cloud management interface makes it easy to set up a training program. It also gives you effective administration for continued training. Automation then kicks in and starts the training, serving the training modules to your user base in a way that is easily digestible and that engages, even the least technical of your team. To summarize, the prerequisites for setting up an effective security awareness training program are:
- Easy enrollment
- Good choice of modules to create tailored training packages for staff
- Automation of training packages to user base
- Continuation and repetition of the tailored packages
- Reporting and analysis to continually improve education
6. Getting Results and the Analysis
No security awareness program is complete without analysis of the training program and the outcome. Collating metrics and analyzing the results will show you how effective your campaign has been. This will give you the insight into any changes you may need to make to the program to improve the training; for example, changing the modules used. Security awareness tools like PhishSim will provide comprehensive reporting, which can be used for this purpose. Reporting can also provide evidence of return on investment that can be used to justify your use of security awareness training to C-level executives.
7. A Healthy Team
In 2015, over 112 million individuals had their personal data records breached via a healthcare industry breach. According to Experian, the financial losses to the healthcare industry were around $5.6 billion in 2015. But it isn’t just about the financial costs of lost data and the fines imposed. This is about patient care and the ethics that the healthcare industry is bound by. Of all industries, healthcare is, by the very nature of the job, a caring industry. Creating a culture of security through education will improve the standing of the industry as well as ultimately protect against financial losses.
But the security landscape is constantly changing. Cybercriminals are always upping their game to find new and innovative ways of exposing our data. Security awareness training is an ongoing exercise; it is about continuously improving the knowledge base of your extended team and giving them an understanding of what they are up against. A healthy security awareness program will create a healthy industry. Security awareness is a team effort. It gives us the tools to create a highly educated workforce where cyber-security threats can be dealt with by all as a team, before they become a breach.