Executive Summary
Over the past year, the healthcare industry found itself under constant attack. Cybercriminals targeted vulnerable clinical networks and poor controls to gain privileged access to medical devices and databases on an almost daily basis. And the threats are only getting more serious. Hospital security decision makers typically understand these details and constantly worry that the next attack will take critical servers and endpoint devices offline or steal sensitive patient data. In response, they wisely invest in technical controls to protect their network. But for all their attention to the problem, they too often overlook the equally critical, human element in security. To get employees to incorporate security into their daily routines, organizations must craft a behavior change strategy, and develop content that’s worthy of employees’ attention.
Over the past year, the healthcare industry found itself under constant attack. Cybercriminals targeted vulnerable clinical networks and poor controls to gain privileged access to medical devices and databases on an almost daily basis. Consider that in just the first two months of 2018, 24 health care provider organizations reported data breaches affecting over 1,000 patients each, a 60% increase over the same time period last year. However, with only 53% of healthcare and public-sector security decision makers reporting a breach in the past year, it’s likely there are many more breaches going unreported.
The threats are only getting more serious. The number of ransomware attacks has surged in the healthcare industry and can cripple a hospital’s network and hinder services. Complicating matters, most hospital networks are “flat” rather than segmented, so infections can more easily propagate from IT to clinical networks. Healthcare data is also highly prized on the black market because there are so many lucrative ways to use it fraudulently, so it’s often a more attractive target than financial or other personal data.
Hospital security decision makers typically understand these details and constantly worry that the next attack will take critical servers and endpoint devices offline or steal sensitive patient data. In response, they wisely invest in technical controls to protect their network. But for all their attention to the problem, they too often overlook the equally critical, human element in security.
Insight Center
Healthcare is a high stress environment, where, understandably, information security training is often not the top priority. That said, it seems much lower on the priority list than it should be. According to Forrester’s Global Business Technographics Workforce Recontact Survey 2017, just 30% of global information workers at healthcare providers indicated they’ve received training on how to protect workplace data, and only 38% are even aware of their company’s security policies.
Most healthcare organizations do have security policies in place; what’s lacking is the attention to them. Without adequate security awareness and training, people will recklessly open email messages from strangers, click on suspicious links, and take other needless risks.
Healthcare employees are not to blame, as they weren’t hired for their security skills. As medical professionals first, they do what it takes to provide the best care, even if that sometimes means ignoring or going around security policies (as 4% report). For this industry especially, security policies that reduce productivity are at irreconcilable odds with the organization and its patients. Instead, employees should be inspired to act securely as part of their daily routine. Just as no one has to tell a surgeon to scrub before surgery, good security hygiene has to become ingrained in employee culture.
Craft a Behavior-Change Strategy
If your first instinct with a security campaign is to create posters with dos and don’ts, stop! You shouldn’t be thinking about creating an “awareness campaign,” but instead building an ongoing behavioral program. To get started, ask the following questions:
What problems are we targeting? Conduct a high-level risk assessment to determine the major issues facing your organization, and evaluate how staff behavior can exacerbate or mitigate those risks. Consider risks such as system outages, device malfunction, stolen data, or even worse, manipulated data.
What behaviors are we hoping for? Document how employee actions or inactions might contribute to the risks described above, then develop a list of desired behaviors and guidelines for making it a simple as possible for staff to adopt them. For example, is it easy for employees to contact security staff about a questionable email, and is there a simple, secure tool for sending sensitive information to patients?
What staff members are we targeting? While in some cases it’s important to appeal to the masses, some messages will lack relevance, and therefore impact, unless they’re tuned to a specific audience. Instructing all staff, for example, to take care filing patients’ paperwork is likely to be counterproductive if only a small percentage actually do this job. If people receive too many irrelevant security messages, they may start tuning out all security messages.
What tone will work with the staff? No two organizations are the same, and neither are the cultures and contexts in which they operate. So, take advantage of existing communication channels and cultural tone. Does your organization prefer weekly staff meeting announcements, newsletter case study examples, quarterly prizes for model behavior, or financial incentives? Work those into your behavior change strategy.
Develop Content That’s Worthy of Attention
One of the most common mistakes of behavior-change security programs is that the content is boring. To make sure employees don’t tune out when you most need their attention:
Make your message personal. Help employees understand why security is important to them and their families, and they’ll recognize their role in protecting company data. For example, explain to them how cybercriminals use phishing attacks and new attack methods through social media to steal personal data. Also describe common social-engineering tricks used to learn login credentials (such as posing as a fellow employee who needs help).
Reinforce the message at teachable moments. More-advanced organizations constantly look to build on initial education efforts by identifying teachable moments. Publicizing “near misses” or attacks that happened to peer organizations are quick wins, while some firms manufacture teachable moments by testing their staff — for example, by using phishing tests. The most advanced organizations put policy reminders at points where mistakes are likely to happen, such as a poster by the elevator asking whether employees have logged out of their machines before leaving, or pop-up alerts when someone tries to browse to a questionable website.
Test gamification tactics. If it’s a good fit for your organizational culture, consider encouraging friendly competition among staff, creating scenarios where employees compete with each other or for personal best scores. Tactics might include rewards for the team with the strongest passwords each quarter, the fewest data-loss-prevention (DLP) alerts, or highest scores on training surveys.
First and foremost, the goal of your security behavioral program should be to empathize with your colleagues and determine how security can best fit into their day-to-day responsibilities. Tie security objectives to their objectives. Health care providers should focus nonstop on patient care, service, and satisfaction, none of which can be delivered satisfactorily without attention to good security behavior.