Build the Cybersecurity Culture Your Hospital Needs, Part 3: Engaging Users

This three-part series of blog posts was motivated by the healthcare industry’s continuing vulnerability to cyberattacks, as demonstrated by the hundreds of security breaches reported over the last year. We have already seen over twice as many breached patient records as 2018’s total of 15 million, with 332 incidents affecting almost 36 million records. HIPAA Journal notes that 42 of August’s 49 reported breaches occurred in provider organizations. Some providers, maybe most, have upgraded IT-based security protections and provided training to workers, but whatever strategies they have chosen, those strategies have not been adequate. Without a doubt, hospitals and other providers must do more.

Hopefully, the series will inspire providers to engage in an enduring effort to achieve a top-to-bottom cybersecurity culture that will effectively prevent or neutralize criminal attacks. In Part 1 we outlined overall conceptual strategies for designing an enterprise-wide cybersecurity culture-building program that will protect patients from data compromise, empower employees, comply with HIPAA, and reinforce the viability of our healthcare organizations. In Part 2, we took a deeper dive into current-state assessment and planning activities, with a strong focus on the need for a deliberately disruptive plan of integrated actions to foster long-term culture change.

Here in Part 3, we offer recommendations for incorporating specific approaches in your hospital’s culture change plan, with the intention of charging up your workforce, keeping them engaged, and helping them integrate best cybersecurity practices into their everyday lives.



Build the CyberSecurity Culture Your Hospital Needs, Part 2: Necessary Disruption

This year we have already witnessed twice as many breached patient records as 2018’s total of 15 million, with 285 incidents reported through June. In just the first week of September, five providers reported patient data breaches caused by successful phishing attacks that affected at least 20,000 patients, according to industry watchdog HealthITSecurity. Though many hospitals have improved IT-based security protections and provided training to workers, dangerous data breaches are increasing rapidly across most organizations, often because of employee negligence. It is apparent that hospitals must do much more to inspire a strong top-to-bottom cybersecurity culture that will deflect or neutralize criminal attacks.

In Part 1 of this series, we examined and outlined overall conceptual strategies for designing an efficient enterprise-wide cybersecurity program that will multi-task: protect patients from data compromise, empower employees, comply with HIPAA and other regulations, and help the executive leadership team sleep better at night. We considered essential criteria such as sustainability, scalability, and aligning cybersecurity awareness with the bigger vision: your organization’s strategic goals, employees’ self-interest, and patients’ privacy.

Here in Part 2, we’ll take a deeper tactical dive into practical solutions for achieving a sustainable security culture. Part 3, coming soon, will offer a panoply of culture-change action items gathered from across the industry.



Build the CyberSecurity Culture Your Hospital Needs, Part 1: Strategic Essentials

Hospitals are overdue. Affirming HIPAA compliance is one thing, and a very good thing, but it’s not enough to protect them from the dangerous cyberattacks the healthcare industry experiences every day. A giant leap from basic regulatory compliance to the challenging achievement of a genuine cybersecurity culture is needed. Healthcare workers must become highly sensitized to identifying the risks of criminal or inadvertent compromise of valuable personal, patient and organizational data, and then understand how to overcome potential threats effectively. Even with institutional policies, security officers, training programs, and technology-based security protections in place, many individuals continue to make poor decisions that expose important data to extreme risk of compromise and theft.

Your staff, executives and vendor partners must arrive at the point where they’re no longer learning about dangers and protections but have actually incorporated this knowledge into their mindsets and daily practice. Most security professionals know this is easier said than done. Twenty years from now, consistent security awareness may be second nature for healthcare workers, as it already is for most bank employees; the goal is to get there without learning hard lessons from painful breaches first. Let’s talk about how a transformative cybersecurity culture can be built proactively, starting today, instead of waiting until the worst happens to your hospital.



Service Desk: The First Line of Defense In Hospitals’ Shadow IT Crisis

Shadow IT is a concern for nearly 90% of organizations responding to a recent HDI research report about unauthorized cloud app use and its impact. As I reported in a post last year, the average healthcare organization uses an astounding 928 cloud services, but their IT departments reported knowing about just 60 cloud services on average. Employees bring cloud services into their workplaces for increased productivity, usually without the knowledge of IT, sometimes creating serious security risks. There is no one better positioned than the IT support center to help manage the use of shadow IT and mitigate the risks to your hospital. How?
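The gap the post describes, hundreds of cloud services in use versus a few dozen that IT knows about, is only visible if someone actually inventories what the hospital's network is talking to. The following is an added example, not code from the original post or from HDI: it reads web-proxy log lines, collapses each request to the service's registrable domain, and reports every service that is not on the sanctioned list, ranking by how many distinct users touch it and flagging uploads (POST/PUT), which are the requests most likely to carry patient data out. The log format, the sample lines, the user names and the sanctioned list are all constructed for the illustration; a real proxy's format will differ.

```python
"""Shadow-IT discovery from proxy logs (added example, not from the original post).

Assumed log format (constructed, Squid-like):
    <epoch> <client-ip> <user> <method> <url> <status>
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample proxy log lines. Users, IPs and URLs are made up.
SAMPLE_LOG = """\
1568000001 10.10.4.21 jdoe GET https://app.dropbox.com/home 200
1568000002 10.10.4.21 jdoe POST https://www.dropbox.com/upload 200
1568000003 10.10.5.77 asmith GET https://mail.google.com/mail/u/0/ 200
1568000004 10.10.5.77 asmith GET https://drive.google.com/drive/my-drive 200
1568000005 10.10.6.12 rlee GET https://outlook.office365.com/owa/ 200
1568000006 10.10.6.12 rlee GET https://teams.microsoft.com/ 200
1568000007 10.10.7.90 kpatel POST https://api.wetransfer.com/v2/transfers 200
1568000008 10.10.7.90 kpatel GET https://wetransfer.com/ 200
1568000009 10.10.8.33 mchen GET https://intranet.hospital.example/policies 200
1568000010 10.10.4.21 jdoe GET https://www.dropbox.com/sh/abc123/xyz 200
1568000011 10.10.8.33 mchen GET https://docs.google.com/document/d/1 200
"""

# Services IT has formally approved (constructed list). Keys are registrable
# domains; values are friendly names for the report.
SANCTIONED: Dict[str, str] = {
    "office365.com": "Microsoft 365",
    "microsoft.com": "Microsoft 365",
    "hospital.example": "Internal",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)")


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (api.wetransfer.com -> wetransfer.com).

    Adequate for the sample; a production tool should use the Public Suffix List
    so that names like example.co.uk are handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (user, method, registrable_domain) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h = HOST_RE.match(m.group("url"))
    if not h:
        return None
    return m.group("user"), m.group("method").upper(), registrable_domain(h.group("host"))


def inventory(log_text: str) -> Dict[str, Dict[str, object]]:
    """Aggregate every domain seen: request count, upload (POST/PUT) count, and the set of users."""
    seen: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"requests": 0, "uploads": 0, "users": set()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # malformed lines are skipped, not fatal
            continue
        user, method, domain = rec
        entry = seen[domain]
        entry["requests"] += 1
        entry["users"].add(user)
        if method in ("POST", "PUT"):
            entry["uploads"] += 1
    return dict(seen)


def shadow_services(log_text: str, sanctioned: Dict[str, str] = SANCTIONED) -> List[Tuple[str, int, int, int]]:
    """Domains in use that IT has not sanctioned, as (domain, distinct_users, requests, uploads).

    Sorted by distinct users, then request volume, then name, so the services with the
    widest footprint (the ones the service desk should talk to people about first) come first.
    """
    rows = []
    for domain, e in inventory(log_text).items():
        if domain in sanctioned:
            continue
        rows.append((domain, len(e["users"]), e["requests"], e["uploads"]))
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    print(f"{'service':<20}{'users':>6}{'reqs':>6}{'uploads':>9}")
    for domain, users, reqs, uploads in shadow_services(SAMPLE_LOG):
        print(f"{domain:<20}{users:>6}{reqs:>6}{uploads:>9}")
```

Run against real proxy or firewall exports, the output is the starting point for the service desk conversation the post calls for: each unsanctioned row is either a service to onboard properly (with a business associate agreement where PHI is involved) or one to block, and a non-zero upload count is the row to handle first.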



Zero-Days: A Harsh Reality of Today’s Hospital Security

There is a lot of talk within healthcare about “zero-days.” It sounds like doomsday language, and from a healthcare IT security perspective, it actually is. A zero-day is a vulnerability that attackers are exploiting before the vendor has released a fix, so defenders have had zero days to patch. Zero-days are great risks for hospitals and payers, and they have suddenly become a major aspect of the everyday vulnerability of personal health information and enterprise systems, including EHRs and financial management systems.

Here’s what you need to know in one minute:



Prevent Your First (Next?) Security Breach

The news has been filled with examples of high-profile healthcare data breaches recently. February’s huge Anthem breach is notable because it potentially affects 80 million people, over twice the number of individuals reported on the HHS “Wall of Shame” of medical data breaches since it was created over a decade ago. That website reports an alarming number of breaches already this year, with about 350,000 more individuals affected, primarily by breaches of electronic data, but also because of improper disclosure of paper and films.