Mention security awareness training in a healthcare setting and stress levels start to rise.
But it doesn’t have to be that way.
Last month we attended HIMSS, one of the largest healthcare specific IT conferences in the US. We wanted to show healthcare providers that security awareness training doesn’t have to be a huge burden, and that (done well) it can have a profound impact on a healthcare organization’s security profile.
But to do that, we needed to have frank conversations with as many healthcare providers as possible. We needed to find out what healthcare security professionals require from their security awareness training in terms of structure, content, and results.
And that’s exactly what we did.
This post is the result of dozens of conversations with healthcare professionals, where we quizzed them on exactly what they need from their security awareness training. So without further ado, here are the top seven demands from the healthcare industry:
1) Must Check the Box
The healthcare industry is obsessed with compliance.
And for good reason. HIPAA settlement fines are rising every year, so in the event that a breach does occur, no healthcare organization wants to risk being found non-compliant.
Under the HIPAA Security Rule, healthcare organizations are required to train all their employees to operate in a security-conscious manner. That means employees must understand security and adhere to all security policies, and all training participation must be recorded.
And that might all seem fairly simple, but it doesn’t always happen. A security awareness training program that appears to be compliant could easily be found not to be if subjected to additional scrutiny following a breach.
Many programs, for instance, are conducted just once per year, and include almost no testing whatsoever. In reality, these programs are never going to convince employees to operate in a security conscious manner and are instead far more likely to be seen as nothing more than an inconvenience.
Equally, many programs do not include a basic tracking facility, making the process of recording participation far more awkward than it needs to be.
Ultimately, in order to be useful to the healthcare industry, security awareness training must tick the compliance box thoroughly: it has to genuinely change employee behaviors, and it must be easy to track. Simple, right?
2) Must Not Plug Into Existing Systems
Although this makes a lot of sense, we were surprised at just how many times it came up.
Healthcare organizations often have very limited security budgets, so any solution that must be ‘plugged into’ their network will usually prove to be more hassle than it’s worth. Believe it or not, this requirement actually discounts a significant proportion of managed security awareness training programs, which rely on local software for both deployment and tracking.
Thankfully, we don’t fall into that boat: our employee defense training (EDT) solutions are managed remotely and are delivered to the end user entirely through their web browser.
3) Must be Easy to Manage
Once again, so many aspects of healthcare security come back to one problem: Resources. Or, more specifically, lack of resources.
One of the most important things we learned from HIMSS this year was that while the healthcare industry is starting to become more security-savvy, security budgets and manpower are still very limited.
When it comes to security awareness training, that means self-service solutions, which are typically difficult to implement and manage, are rarely an option. For most healthcare organizations, the right fully managed program will strike the balance of providing the tailored content and analytics they need, while requiring almost no hands-on involvement.
4) Must be Healthcare Specific
This was a huge bone of contention for many healthcare security professionals at HIMSS. Too many security awareness training providers are offering pre-packaged programs with little or no attempt made to personalize the content.
But that’s crazy. Healthcare organizations are heavily targeted by threat actors who routinely take the time and care to produce industry specific phishing campaigns. In the face of that threat, generic training and testing content falls a long way short.
Instead, healthcare security professionals demand content that isn't just industry specific, but also reflects current trends in healthcare specific attacks. After all, training employees to identify and report a generic phishing email will not protect them against more sophisticated, healthcare specific phish.
But of course, individual healthcare organizations (and even many training providers) don’t have access to the latest phishing samples from real-world attacks against healthcare organizations. And without these there is simply no way to construct a powerful training and testing program.
Once again, the needs of the healthcare professionals we spoke to suggest that a powerful, fully managed system (from a provider that has access to real world samples) could be the best option.
5) Must Address a Major Healthcare Vulnerability: Doctors
Few professionals combine an extreme workload with lack of security knowledge to the same extent as doctors. Many of the security professionals we spoke to at HIMSS told horror stories of the dangerous security behaviors displayed on a daily basis by doctors at their organization.
One story in particular stood out: a doctor who routinely sent confidential patient records out via his personal email account because it was more convenient.
And that’s the problem. Security practices are often seen as an inconvenience, leading busy healthcare professionals to opt for fast, insecure alternatives.
Email security is easily the greatest threat facing the healthcare industry, but email security practices across the industry are well below average. In order to be effective, a security awareness training program must communicate the need for security in a way that is relatable to a healthcare audience. Not only that, it must seek to make acting in a security conscious manner as simple and easy as possible.
Finally, a powerful healthcare specific program must grasp the root of these problems: Time. For healthcare professionals, time is the single most important resource, so training programs must provide the greatest possible impact in the least amount of time.
That means not forcing employees who are already security conscious to sit through unnecessary training. It also means delivering training quickly, and at precisely the moment it is needed.
In our opinion, the best possible time to do this is immediately after an employee has failed a phishing simulation or other security awareness test.
6) Must Test Routinely, and Results Must Trend Upwards
This might seem obvious, but it’s a genuine problem faced by healthcare security professionals. Most security awareness training programs either test far too infrequently or fail to provide the intended benefits.
In many cases, they fail on both counts.
In order for a program to function as intended, then, it’s vital that employees are tested at least quarterly, and preferably monthly. Without this frequency, most employees will simply forget what they have learned.
More important even than frequency, though, are results. If there isn’t an observable upwards trend in test results, your program simply isn’t doing what it was designed to do. If that’s the case, a significant redesign is likely needed.
Once again, a fully managed system will provide all of the above, with the added bonus that if results ever stop trending upwards, it will be down to the vendor to make changes.
7) Must Reduce Breaches
An upwards trend in test results is great, but ultimately it’s reducing breaches that will benefit the organization. In order for that to happen, your training program must address the most common healthcare breach causes (phishing and human error), and it must do so in a way that prepares employees for real-world scenarios.
At PhishLabs we pride ourselves on providing the highest quality managed training programs available anywhere, which include tailored content delivered at precisely the moment it is needed, as well as frequent testing, full analytics, and absolutely no locally installed software.
Every single one of our healthcare clients has seen test results soar within months of enlisting our services, as well as a dramatic increase in real reported phishing emails. Naturally, these trends lead to a significant reduction in breaches.
By training your employees to identify and report phishing emails on sight, you could be saving your organization tens or even hundreds of thousands of dollars in incident response, repairs, and breach fines.
To find out how much your healthcare organization could save by implementing a powerful employee defense training program, take a look at our cost of phishing susceptibility model.