Hospitals are overdue. Attesting to HIPAA compliance is one thing, and a very good thing, but it is not enough to protect them from the cyber attacks the healthcare industry faces every day. What is needed is a leap from basic regulatory compliance to a genuine cybersecurity culture. Healthcare workers must become highly sensitized to the ways valuable personal, patient and organizational data can be compromised, whether by criminals or by accident, and must know how to respond to those threats effectively. Even with institutional policies, security officers, training programs and technical controls in place, individuals continue to make poor decisions that expose important data to theft and compromise.
Your staff, executives and vendor partners must reach the point where they are no longer learning about dangers and protections but have incorporated that knowledge into their mindset and daily practice. Most security professionals know this is easier said than done. Twenty years from now, consistent security awareness may be second nature for healthcare workers, as it already is for most bank employees. The goal is to get there without first learning hard lessons from painful breaches. Let's talk about how a transformative cybersecurity culture can be built proactively, starting today, instead of waiting for the worst to happen to your hospital.
Thanks to the HIPAAJournal, these graphics show the gravity of the data breach problem in healthcare, and how it is worsening each year.
The 2019 Verizon Data Breach Investigations Report (DBIR) tells us that the three most common forms of healthcare security breach in the period it covers were tied to employee actions or inaction, error included:
— hacked (compromised) email accounts,
— internal misuse of database privileges, and
— social engineering of employees through email phishing.
Each accounted for roughly 17 percent of healthcare breaches, about 51 percent combined.
Healthcare organizations can design an efficient cybersecurity program that does several jobs at once: satisfy HIPAA and other regulations, empower employees, protect patients, and help the executive leadership team sleep better at night. Here are some high-level principles that provide an overall conceptual framework for cybersecurity culture change. Next week, we'll take a deeper tactical dive in Part 2 of this series.
- Plan an engaging workforce initiative that the organization can sustain over years. Initial training followed by occasional reinforcement from the security officer or IT won't do the job. Think of driver's education: classes and passing the test at 16 didn't make us good drivers. Practice, continuous awareness of real risks (including the risk of getting caught breaking the rules), caution, and hearing or seeing examples of injury and worse are what turn new drivers into safe drivers. So do near misses. The same principle applies in healthcare. Can cyber attacks threaten lives? Yes. Think of ransomware incidents in which most or all computer systems are locked up, leaving caregivers without treatment plans, surgery schedules and other patient care data for days. Other damage includes the compromise and sale of patient information, employee credentials and hospitals' financial data. Our data is worth big money to hackers, phishers and other bad actors.
- Align cybersecurity awareness with the bigger vision: your organization's strategic goals, employees' self-interest, patients' privacy, and overall HIPAA compliance. Making these connections explicit from the start helps convince leadership and staff that awareness leading to genuine cultural change adds value, not just cost and hassle, in direct support of the organization's viability and growth. Leadership must also demonstrate top-down commitment to cybersecurity as a major priority in order to get employees on board. Without an obvious tie to leadership's agenda, the security and HR offices' programs will be ho-hum at worst and of short-term interest at best.
- Convince staff to question the quality of their own decisions, despite the natural tendency to trust them. Hackers and social engineers are clever and motivated, and they count on weaknesses in human judgment to gain damaging access to our data. They have learned that no one's judgment is flawless. We all need to understand how we reach decisions, and the factors that commonly impair judgment and lead to bad ones. Only then are we engaged enough to out-think the people who threaten us.
- Yes, knowledge is power. Keep users informed, consistently. Research on judgment and decision-making (the availability heuristic) shows that people assess the frequency, probability or likely cause of an event by how easily particular instances come to mind. The costs of the various forms of security breach to individuals and to specific organizations are often huge, but the healthcare press tends to focus on industry-wide size, cost and frequency rather than the stories behind the headlines. Witness our graphics above: will you remember their content? Doubtful. People need stories they can identify with, including reports of incidents and new cybercriminal methods that have affected real people and organizations just like theirs, to get tuned in and stay there. The more vivid the story, the better for learning. When you were 16 (or 46), learning of the devastating injuries to a neighbor who was distracted by the car's CD player (or today, a cellphone) may well have been transformative. We need to communicate examples from our own healthcare world, consistently.
- Assess and prioritize needs and risks. Plan to target the most at-risk departments first, and build alliances across them. To take charge of your awareness program from the outset, create and nurture alliances of executives willing to collaborate in advocating and exemplifying good cybersecurity practice. Consider departments such as Finance, which are especially exposed to phishing and hacking because they receive a high volume of email from outsiders, including attachments and requests for payment. Their managers and staff need to be especially wary, and managers and executives must be seen to lead the way: communicating regularly with staff and never violating security policy themselves. That speaks volumes for credibility. If a manager copies sensitive files to a USB stick and takes them home, staff are likely to think "Why not?" and do the same.
- Develop a scalable change management plan that delivers long-term continuity and consistency, after defining strategic priorities that address your organization's particular issues, goals and budgets. The initiative cannot be piecework or look like the topic du jour if employees are expected to become part of a lasting culture of awareness, caution and responsibility. A cross-organization team drawn from the executive alliances described above must develop the change management plan and commit to it. They will need to determine who is most affected and how those people most effectively receive and process information. If thoughtfully created, the plan will address the other elements of success the team identifies. All communications and resources should build understanding and encourage users to buy into the change, and users must also be taught the skills they need to succeed.
- Think simple. Everyone in your organization has his or her own #1 job priorities, including those leading the security awareness effort. Overzealous planning and elaborate programs cannot be sustained, especially when employees' availability and the communication methods that actually reach them are not taken into account. The same problem surfaces when budgets change. Many programs sink under their own weight.
Cultural change programs don’t have to be costly or complicated. They need to be consistent over years — not weeks or months. This consistency, with engaging ongoing communication, is probably the most essential feature of a successful culture change initiative.
We recommend that you select a program manager who has experience leading successful cultural change and strong knowledge of your organization. If you don't have such a staff member, assign a strong manager who is passionate about security and privacy, and provide him or her with change management training, which costs very little in the scheme of your plans. Ideally, several members of your cybersecurity planning team should attend one of the many security awareness change management workshops available, to give them the learning resources they will need to succeed.
This is Part 1 of our new series on building a cybersecurity culture within your hospital or other healthcare organization. We have focused on an overview of strategic considerations.
Stay tuned for Part 2 where we will drill down into an array of innovative tactical approaches that will effectively and pleasantly engage your employees and executives, and support their transformation into an effective army against cybercrime.
Would you like to know more about Phoenix Health Systems and its capacity and experience in supporting critical hospital IT and privacy/security initiatives? Contact us here! We’ll respond within 24 hours.