The PhishLabs Blog

Building Powerful Security Awareness Training for the Healthcare Industry

Posted by Lindsey Havens on Jan 27, '17

Over the past couple of weeks, we’ve written a lot about the current state of security in the healthcare industry, and why things need to change.

We’ve also covered the main causes of healthcare data breaches, and noted that powerful security awareness training is the most natural starting point for security-conscious healthcare organizations.

But so far, we haven’t really covered what should be included in a healthcare-specific security awareness training program. After all, while some aspects of security are relevant to every industry, healthcare organizations are faced with a few highly specific problems that need to be addressed.

Before we consider what should be included, though, it’s worth looking at things from another perspective.

Why Most Security Awareness Training is Worthless

The sad fact is that most security awareness training is worse than useless. Not only does it not improve the security knowledge and behaviors of employees, it convinces them that security is a tedious waste of their time.

The content is dry and irrelevant, the teaching methods are outdated, and the sessions are typically just once per year. Under those circumstances, what chance do busy healthcare professionals have of actually learning anything?

But in many ways, the current state of security awareness training in the healthcare industry isn’t surprising. In fact, it makes perfect sense when you consider one truth:

Most healthcare organizations are overly focussed on compliance.

Now, HIPAA compliance is non-optional for healthcare organizations, but being compliant doesn’t guarantee a strong security profile. In fact, focusing purely on compliance almost guarantees your organization’s security will be extremely poor.

And when it comes to security awareness training, HIPAA regulations are vague at best. So long as you can prove your new employees are trained upon hire, and that your workforce is retrained whenever major policy changes occur, you’re officially compliant.

But does that sound like the basis for a powerful training program? Not really.

So here’s the first stage of creating a powerful program for your organization: Convince your executive board that compliance is not the aim of security awareness training. After all, a well constructed program will always be compliant, but compliant programs are very rarely well constructed.

Getting Executive Buy-In

If you’ve been following the blog recently, you’ll already be aware that healthcare is attacked more than any other industry. If you’re a healthcare CISO, or you’re involved in healthcare security, you’ve no doubt experienced the massive rise in attacks yourself.

Thankfully, the majority of healthcare executives are starting to understand the importance of security, and as a result it should now be possible to secure some of the additional funding you’ve been hoping for.

But with so many different areas of security to consider, obtaining funding for a truly powerful security awareness training program may still be a challenge. To combat this, you’ll need to develop a business case that accurately portrays the need for (and value of) such a program.

As a starting point, consider this. According to a Ponemon Institute study, 89 percent of healthcare organizations have been breached in the past two years.

And analysis of those breaches found something very interesting. A massive 77 percent of healthcare breaches are caused by one factor: human error.

Of course, that human error manifests itself in many different ways. It’s healthcare managers leaving laptops on trains. It’s improper disposal of sensitive data. It’s busy employees clicking on phishing links.

But no matter the precise circumstances, the cause remains the same. And that’s precisely why security awareness training should be your organization’s single biggest security priority.

Last month we wrote a series of posts designed to help security professionals build an air-tight business case for security awareness training. From measuring ROI to calculating your organization’s cost of phishing, we’ve done our best to make your job as easy as it can possibly be.

Content is King

Once you have the green light from your executive board, you can really get started. Unsurprisingly, the most important element of any training program will always be its content.

As we’ve already mentioned, human error is the greatest cause of healthcare breaches. But when developing a program to address this, more information is required.

Further analysis of healthcare breaches finds that the vast majority fall into just three categories:

  • Physical loss or theft of devices
  • Administrative mistakes (e.g. emailing sensitive data to the wrong recipient)
  • Clicking on links in malicious emails

If your security awareness training program covers nothing but these three areas, you could still reduce your chance of being breached by more than 50 percent.

Developing content for your training program won’t be a quick or easy job, and it will need to be updated regularly to ensure it remains relevant. In an ideal world, you would include real life examples, and stress the importance of remaining security conscious at all times.

But whatever you choose to include, your training must be interesting. Making use of multiple formats, such as in-person, text, and video, helps to keep trainees engaged, and dramatically improves the impact of training. Likewise, ensuring your training program is regularly reinforced makes a huge difference. Annual training has been repeatedly proven to achieve almost nothing, so consider providing reinforcement material at least monthly.

The bottom line is this. If your training is boring or infrequent, nobody will be engaged, and nobody will remember.

Test, Tweak, Repeat

In truth, security training is never really about awareness, it’s about behavior. And unless you regularly test and track your employees’ security behaviors, there’s no way of knowing whether your training program is a success.

But here’s the problem: Almost nobody does it.

If you’re committed to enhancing your organization’s security profile, and you know human error is a huge cause of breaches, then testing is essential. You need to know whether your program helps employees identify phishing emails, or properly dispose of sensitive data, or challenge unauthorized personnel in restricted areas.

More importantly, you need to know how much these behaviors improve as your training program progresses, and whether or not subsequent changes are beneficial.

Truly powerful security awareness training programs have a significant and measurable impact on security behaviors, and include built-in metrics to prove it. And when you have this on hand, maintaining funding over the long term is simplicity itself.

Tomorrow is Too Late

Of course, there’s one major problem with security awareness training: It doesn’t fix the problem overnight.

That’s why, if you’re serious about raising the security profile of your organization, it’s imperative that you get started as soon as possible.

To find out more about how security awareness training could benefit your organization, or to arrange a demonstration of our training services, contact us today.


From February 19-23, PhishLabs will be at HIMSS 17 booth 6689 in Orlando, Florida. If you’d like to meet with us to discuss our 24/7 protection against attacks targeting your employees, systems, and data, please get in touch.

Topics: Phishing, security awareness training, EDT, Healthcare

   
