Security Awareness Training

Security Awareness Training For Healthcare: A Comprehensive Guide

How security awareness training can help healthcare organizations keep their private patient data – which makes them an alluring target for hackers and cybercriminals – secure.

SAT for Healthcare

Breaches and cyberattacks are on the rise in the healthcare industry. With new patients coming in everyday for care and providing personal information like birthdates, social security numbers, places of employment, pre-existing conditions, contact information and more, it is unsurprising that the healthcare industry is at constant risk of data breach. And when the theft of patient’s data can be so incredibly damaging for both the patients and the organizations involved, anything that can be done to contribute positively to overall cybersecurity and prevent any negative impact to patient care delivery, safety and privacy is in the best interest of all healthcare entities. 

Advancements of digital technology and connectivity in healthcare have contributed to noticeable patient care delivery improvements, improved patients’ outcomes, and more effective population health management; however, as beneficial as these accelerations in technology and connectivity are, they also expose the healthcare industry to cyberattacks. 

Data since the start of the COVID-19 pandemic shows massive cybercriminal activity in the healthcare industry, with a rise in ransomware and data breaches. With cybercriminals taking advantage of hospitals and medical practices as they face continued difficulties stemming from the pandemic, Cybersecurity Ventures predicts that healthcare will suffer up to three times more cyberattacks in 2021 than the average amount for other industries. 

For this reason, it’s critical that organizations in the healthcare industry achieve and maintain a security-centric mindset, and the first step towards this goal is to ensure the necessary people understand the risks of cybercrime and know how to avoid potential threats. This is essential not only to protect patients, but also to comply with the compliance regulations required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). 

Security awareness training (SAT) is an effective tool for organizations to use to meet regulatory goals, but a good security awareness training program has more to offer than simply checking the compliance box – it can drive real changes in behavior amongst employees that will improve the security stance of the entire organization. 

What Is Security Awareness Training?

Security awareness training is an essential component of any organization’s security efforts. Used by IT and security professionals to mitigate user risk, security awareness training is designed to combat the threat of information security breaches. It does this by addressing the cybersecurity mistakes that employees might make when using email, the web, and even in the physical world. By equipping employees with the knowledge and understanding necessary for them to become a part of the solution, organizations can achieve real and substantial improvements to their overall cybersecurity strategy. 

Cyberattacks are on the rise, helped along in this upward trajectory by the introduction of widespread remote working as a response to the pandemic. The global cost of cybercrime increases by 15% every year and is projected to cost companies worldwide a shocking $10.5 trillion annually by 2025, which would be a significant increase from $3 trillion in 2015. The healthcare industry has seen a 45% rise in cyberattacks (over double the amount observed in other industries) since November of 2020, and the sector—which accounts for 79% of all reported breaches during the first ten months of 2020—remains one of the most heavily impacted industries overall.

In today’s complicated threat landscape, employee training is something that should not be overlooked or brushed over. Research suggests that human error is involved in over 95% of security breaches; just one mistake can result in data breach, significant financial loss and damage to the company’s reputation. Because of this, all employees, at every level of the organization, can benefit from SAT. Training should be informative and engaging and should effectively convey to employees what is expected of them, as well as the importance of their role in safeguarding sensitive data. 

With security awareness training, you can provide your workforce with formal cybersecurity education and testing to help protect your data from the various forms of cybercrime, including phishing and other social engineering attacks. Human error may be a big issue to overcome, but employees don’t have to be the weakest link—with the right training and ongoing support, they can be an invaluable asset within your security architecture. There are also a number of reasons why security awareness training is especially important in the healthcare sector, which we’ll take a look at in our next section. 

Why Should Healthcare Organizations Train Employees?

Ensure Compliance

Over the last decade, healthcare organizations have seen increasing pressure from governments to secure the protected health information, or “PHI”, of their patients. This pressure has resulted in the re-assessment of existing compliance standards and introduction of new compliance regulations, to ensure that all PHI remains confidential and secure at rest, in storage and in transit. One such regulation is the HIPAA act.

The HIPAA act is a federal legislative act that was introduced in the United States in 1996.  In the US, HIPAA serves as the primary healthcare law for protected health PHI for the entire country, and serves a similar purpose to a range of other non-US compliance regulations such as the General Data Protection Regulation (GDPR), Patient Data Act and the Digital Information Security in Healthcare Act (DISHA). 

Under HIPAA, training requirements are flexible depending on the nature of your entity. However, training is mandatory under the administrative requirements of the HIPAA Security Rules. It’s important that you research which HIPAA requirements apply to your specific organization but, generally, if your organization is dealing with sensitive personal or private patient data, we would highly recommend implementing a HIPAA-compliant security awareness training platform. This will be important not only for demonstrating legal compliance, but also to help prevent costly fines as a result of data breaches. 

When it comes to securing patients’ information and cultivating a culture of security within the organization, HIPAA training for all employees managing personal data is key. This is because maintaining compliance requires a group effort; in order to limit the accidental or careless exposure of PHI and avoid potentially costly settlements, all workforce members need to have a solid understanding of how to securely transact with patient information. 

With inadequate training comes a gap in compliance, and the potential damages of non-compliance are significant. A study by the Ponemon Institute found that the cost to businesses of non-compliance was around 2.7 times higher than the cost of being compliant, with the average consequential cost for non-compliant organizations being $9.6 million USD. This figure includes business disruption, productivity loss, fines, penalties and other settlement costs. As well as direct financial loss, non-compliance can lead to license revocations, negative impacts to patient care, erosion of trust, and significant damage to the organization’s reputation.

Secure Your Organization Against Cyberattacks

Targeted cyberattacks are becoming increasingly sophisticated and common, with the healthcare industry in particular seeing a sharp upward swing in the number of attacks over the past few years. These attacks directly threaten not only the security of systems and important information, but also the health and safety of patients.

According to a recent report, in 2021, healthcare data breaches rose to 22.8 million patients impacted, up from 7.9 the previous year in a shocking 185% increase. Most of these security incidents occurred as a result of malicious cyberattacks, such as ransomware, social engineering, or third-party vendor attacks, which accounted for 73% of all breaches. Another 22% was the result of unauthorized access or disclosure, and the last 5% were caused by smaller thefts and losses, or improper disposals.

Ransomware in particular, which is often distributed via phishing emails, is putting healthcare organizations under great strain. The 2017 WannaCry ransomware attack was the largest ransomware attack ever, affecting a varied collection of entities, including the National Health Service in the UK. The NHS was brought to a standstill for several days with cancellations of thousands of appointments and operations, at an eventual cost to the UK government of £92 million. 

More recently, on May 14th 2021, the Irish Health Service computer system was targeted by another sophisticated ransomware attack, which forced hospitals to cancel routine appointments and saw a child protection IT system go down. Patient records were blocked, key services were disrupted, and workers’ ability to provide effective care was compromised. Attackers also threatened to leak sensitive data, opening patients up to further danger as the stolen data could be used in social engineering or phishing attacks. 

The COVID-19 pandemic and rising digitization can be credited with a particularly sharp increase in the number of breaches, as growing adoption of telehealth and remote patient monitoring have created a more fertile ground for cyberattacks on healthcare systems. According to Interpol, the pandemic also led to a shift in targets, as many attackers turned their attention from individuals and small businesses to government and critical health infrastructure. 

These types of attacks often occur as a result of healthcare employees responding to malicious emails. Security awareness training can teach users how to avoid harmful web pages and malicious links, as well as how to stop phishing attacks and keep devices updated and secure to protect against ransomware and malware.

Without proper support and training, employees cannot be expected to know how to correctly respond to threats such as these, thus the business is left vulnerable. Organizations should implement technological defense, such as antivirus software and email security in conjunction with a robust SAT program; good cyber security cannot be achieved without accounting for the human element. 

Prevent Supply Chain Attacks

Cybercriminals are increasingly targeting supply chains, a trend that is particularly dangerous for healthcare organizations due to the industry’s higher degree of reliance on a network of partners. Attackers have been known to undergo supply chain-based attacks when they have been unable to breach the actual target organization, or when they are aiming to target the larger industry via a key supplier. As healthcare relies heavily on supply chain vendors, third-party service providers and cloud-based systems, its organizations are at particular risk from attackers who use these avenues to steal confidential information, alter data, install malicious software, introduce unapproved functions or designs, or even introduce counterfeit devices into the organization. 

Due to the far broader base of possible breach points available for hackers to work with and the potential for supply chain attacks to stay under the radar for some time as they exploit existing relationships with trusted channels, this form of attack poses a significant threat to healthcare organizations. Security awareness training teaches employees how to spot common cyberattacks such as phishing and account compromise, and to be aware of attacks coming from people who may not be who they seem. With this type of thinking, healthcare staff’s overall susceptibility to phishing and other human-centric cyberattacks decreases, which helps prevent the effects of a supply chain attack from impacting the organization, as well as protecting your partner organizations against attack. 

What Features Should Healthcare Organizations Look For In A SAT Solution?

Engaging Content

To ensure employees get the most out of their SAT and retain as much of their learning as possible, it is important to make sure the training they receive is delivered regularly and comprises bitesize, engaging content; things like good immersion, gamified training, quizzes, tests, humor and storytelling techniques go a long way in achieving this. 

We recommend looking for a solution that cover the following topics:

  • Overview of HIPAA and working with PHI
  • Phishing
  • Social media threats
  • How to spot malicious webpages
  • The importance of keeping devices updated

Employees are much more likely to learn and put into practice what they have learned if training materials manage to keep them properly engaged, so anyone considering SAT for their employees should make this a priority. 

Accessibility

Making an ongoing investment in the security education of your workforce is a great way to nurture employees’ sense of personal investment in the organization’s cyber safety, giving them an active role in the fight against potentially devastating breaches. However, a sure-fire way to undermine this sense of shared responsibility is to make SAT an inconvenience in their work lives. It’s important to make sure training content can be accessed by employees no matter their role or location. To do this, choose a solution that’s mobile-friendly, available offline, customizable, available in all of your employees’ native languages, and delivered in bitesize modules. 

If training is too rigid to easily slot into available spaces in your employee’s day, they’re unlikely to engage with it, as it will become a blocker that prevents them from doing their jobs.

Phishing Simulations

Security awareness training and phishing simulations go hand in hand. Phishing is a cybercrime where a target is contacted via email, text, or telephone by an attacker posing as a trusted individual or legitimate institution; the attacker attempts to trick the target into handing over sensitive data such as passwords or financial information. Phishing is one of the most prevalent cyberattacks facing organizations today, particularly in the healthcare sector. In 2020 alone, 140,000 phishing emails were sent to National Health Service (NHS) staff in the UK.  

Criminals go to great lengths to ensure their emails are as realistic and convincing as possible, so making sure your people are capable of recognizing phishing emails is imperative to your organization’s security. 

Phishing simulations allow admins to send fake “phishing” emails to employees and record how they respond to them. This allows users to learn what phishing emails look like in the real world, and it allows admins to see who in the organization is likely to fall for a real phishing email, and direct more training to them. Phishing simulations should be customizable, with clear reporting for admins to measure who falls for the “attack”. We’d also recommend looking for a solution that enables end users to report suspected phishing attacks from within the email inbox, via a plugin in their email client. 

Management & Reporting

It’s important to measure progress over time, both for the organizations and for individual users, and to be able to track phishing campaigns. A good SAT solution will have a reporting tool built-in to show you how well employees are responding to the training, how much they’ve completed, and how their results have been throughout. This will help you target further training where needed and ensure everyone is operating at the same high standard.

Your chosen solution should feature a central management dashboard where you can easily onboard users and set up regular training that’s delivered every two weeks or every month. You should also be able to automatically administer further training to users who click on simulated phishing emails, and track training completion company-wide. 

From the dashboard, you should also be able to view automatically generated monthly reports. These should export into a range of formats to showcase return on investment, and be easy to plug into your other systems via API integration.

Easy Deployment

SAT needs to be quick and easy to set up, so we recommend you choose a cloud-based solution. Some organizations may not have the dedicated security resources to set up complex programs, and with cyberattacks being so frequent, you’ll want protection in place as quickly as possible.

Most cloud-based solutions enable you to add users easily via CSV or active directory integrations, which enable you to deploy the solution in just a few minutes. You should also be able to quickly add domains and IP addresses to ensure delivery of simulated phishing emails, and have access to a wide range of phishing templates that you can easily set up and customize for campaigns. 


Summary

In the past few years, healthcare organizations have been involved in a large number of data breaches, which often occur as the result of employees mishandling patients’ information, misplacing devices which contain electronic protected health information (ePHI), or a variety of other mistakes that stem from a general lack of training. Implementing a robust security awareness training solution is a vital first step towards providing employees with the right tools to become a part of the solution in the organization-wide effort to maintain a high standard of security, as well as becoming HIPAA compliant.