According to a recent study by the Ponemon Institute, 36 percent of healthcare organizations and 55 percent of business associates that have been breached point to unintentional actions by their employees as the cause.
In November 2016 alone, 54 percent of breaches were caused by employee error – a record month for breaches.
Security, like proper hospital hygiene practices, won’t become ingrained without training and education. This is a paradigm that clinicians – who must update their medical knowledge to maintain accreditation – should understand.
Consider this scenario:
A doctor – one who hasn’t received any cybersecurity training from his employers in months – accidentally hits “reply all” and sends an email about a complex patient case.
Doctors typically respond well to clear information about the risk and prevention of cyberattacks. Training needs to move beyond introductory sessions for new employees and partners to regular updates and refreshers.
“Physicians respond best when they understand why something is important, what the outcome could be and what the risks are. Then they become partners in the solution,” says Julian M. Goldman, MD, an anesthesiologist at Massachusetts General Hospital.
At North Carolina’s Mission Health, James Kelly, information security officer, says simulated phishing campaigns are proving effective at teaching clinicians about what risks look like in the real world. The campaigns, often administered by a third-party vendor, are sting operations that mimic real phishing attacks – emails from a colleague, a researcher, a billing company or even a daughter’s soccer coach.
Doctors tend to be grateful for the lessons learned.
“They understand that it could have led to a very, very bad outcome,” Kelly says. “They may be a little frustrated, but it does create a new awareness.”
Just as hospitals routinely run disaster drills, preparing for a bus crash or an earthquake, so too should they run IT-focused scenarios. What if the network went down for three hours? What if you were locked out of the EHR database during a ransomware attack?
Sharing news about incidents when they happen is also important. No department wants to go public with what looks like a failure, but the C-suite can support transparency by reminding everyone that breaches are as inevitable as any other kind of infection.
Hospitals have left themselves vulnerable to breaches because of a longstanding failure to train staff and partners. Training and regular updating are necessary because of the dynamic complexity of the healthcare environment.
Download the Cybersecurity Handbook for Healthcare CEOs to learn more.