The rapidly changing role of technology in healthcare can make building an effective security awareness program challenging, with more and more connected devices sending and receiving endless amounts of healthcare data. According to a recent report from SecurityScorecard, 75 percent of healthcare organizations were hit by a malware attack in 2016. To complicate things, the industry ranks 15th out of 18 in social engineering, a common cause of security breach in which users are manipulated into revealing confidential information.
While many large breaches involves hackers, HealthITSecurity reports that the most costly healthcare breaches of 2015 originated from misconduct, including lost/stolen devices and mishandled data. Due to the explosion of wearables and BYOD in the healthcare industry, health information technology leaders must focus on building end-to-end security programs that, like patient experiences, are focused on people.
Building an effective, employee-centered security awareness program should focus on four points:
Many employees might not be aware of the cybersecurity risk for their organization. Employees should be regularly informed and reminded of the risks and vulnerabilities they face from the perspective of patient safety, financial losses and damage to reputation. They need to understand organizational policies and procedures, as well as their roles and responsibilities in keeping their business and patient data safe.
Security training should be tailored to each employee’s role. Staff members should be provided with the tools and resources to minimize risk and taught to be aware of vulnerabilities. This might involve additional training on existing devices, software or even basic security protocols around BYOD policies and device use.
Data security training should be ongoing. From clinicians to workers in patient financial services, healthcare staff are busy, and learning the latest regulations and laws may have been put on the back burner. Your employees will likely need retraining on HIPAA and HITECH standards, and ongoing education on how to handle new threats that they’re particularly vulnerable to as healthcare workers, such as phishing and other scams.
Encourage your employees to be accountable for security in their department and to keep up with developments in the industry as part of their growth as healthcare professionals. HIMSS provides multiple resources for professional development that range from education to certification.
To get a start on protecting your healthcare organization against social engineering hackers, keep your security team and staff aware of these common criminal techniques:
Entering facilities and impersonating healthcare staff
Manipulating healthcare staff to reveal information over the phone
Stealing unsupervised mobile devices from facilities
Digging through dumpsters for sensitive documents
While new technology in the healthcare industry poses challenges for healthcare IT leaders, taking the above steps to create an employee-centered security awareness program will go a long way in ensuring the safety of company and patient data.
The Internet of Things is posing cybersecurity risks to both public and private systems.