Cybersecurity training and education in the healthcare industry

According to a recent study by the Ponemon Institute, 36 percent of healthcare organizations and 55 percent of business associates that have been breached point to unintentional actions by their employees as the cause.

In November 2016 alone, 54 percent of breaches were caused by employee error – a record month for breaches.

Security, like proper hospital hygiene practices, won’t become ingrained without training and education. This is a paradigm that clinicians – who must update their medical knowledge to maintain accreditation – should understand.

Consider this scenario:

A doctor – one who hasn’t received any cybersecurity training from his employers in months – accidentally hits “reply all” and sends an email about a complex patient case.   

• Threat: Unauthorized recipients see confidential protected health information.   
• Solution: Automatically encrypt any email containing patient information. Put in place a secondary email application for emails containing patient information that validates the message’s recipient.

Moving beyond introductory training

Doctors typically react to clear information about the risk and prevention of cyberattacks. This needs to move beyond introductory training sessions for new employees and partners to regular updates and refreshes.

“Physicians respond best when they understand why something is important, what the outcome could be and what the risks are. Then they become partners in the solution,” says Julian M. Goldman, MD, an anesthesiologist at Massachusetts General Hospital.

At North Carolina’s Mission Health, James Kelly, information security officer, says simulated phishing campaigns are proving effective at teaching clinicians about what risks look like in the real world. The campaigns, often administered by a third-party vendor, are sting operations that mimic real phishing attacks – emails from a colleague, a researcher, a billing company or even a daughter’s soccer coach.

Doctors tend to be grateful for the lessons learned.

“They understand that it could have led to a very, very bad outcome,” Kelly says. “They may be a little frustrated, but it does create a new awareness.”

Just as hospitals routinely run disaster drills, preparing for a bus crash or an earthquake, so too should they run IT-focused scenarios. What if the network went down for three hours? What if you were locked out of the EHR database during a ransomware attack?

Sharing news about incidents when they happen is also important. No department wants to go public with what looks like a failure, but the C-suite can support transparency by reminding everyone that breaches are as inevitable as any other kind of infection.

Bottom line

Hospitals have left themselves vulnerable to breaches because of a longstanding failure to train staff and partners. Training and regular updating are necessary because of the dynamic complexity of the healthcare environment.