The last line of cyber-defense: a well-trained employee
Health care organizations are no strangers to security awareness training. The HIPAA Privacy Rule's administrative requirements and administrative safeguards clearly state minimum training requirements for covered entities and business associates. The most common approach to meeting these requirements is new-hire and annual computer-based training (CBT) courses, which range anywhere from a few minutes to several hours in length.
A growing body of evidence suggests that CBT alone simply doesn't work. For example, Verizon's 2018 Data Breach Investigations Report reviewed more than 53,000 incidents from multiple industry segments. According to the report, health care is the only industry segment with a higher rate of internal threat actors (56 percent) than external threat actors (43 percent).
In this context, "threat actors" is cyber-speak for the people who set in motion the series of events that leads to a compromise, breach, leak, etc. This could be a foreign national syndicate performing a well-thought-out and rehearsed cyberattack on a hospital's infrastructure, or it could be the harried data analyst who inadvertently clicked a phishing link in an email and began a chain reaction of malware installation and data exfiltration.
These attacks can circumvent expensive automated cybersecurity systems and even breach the last line of defense: a trained employee. The industry's common approach to security awareness training is failing to adequately prepare employees for the increasing volume of cyberattacks targeting health care.
Training tips from the airline industry
Security awareness generally boils down to a few basic principles, including being mindful of tailgating, maintaining a clean workspace, and recognizing suspicious links in emails. Because of the concepts’ simplicity, people tend to tune out training on these fundamental principles. This is similar to the FAA-mandated safety briefing at the start of every U.S. flight. Many people ignore flight attendants as they walk through the well-rehearsed script, even though it is a refresher on potentially lifesaving information.
Virgin Atlantic captured people’s attention in an innovative way by creating an entertaining video that conveyed the required safety information. Amazingly, within two weeks of its release, this video went viral and was viewed by 5.8 million people who weren’t even on a flight. This shows that thinking outside the box and adding humor is a great way to capture attention.
While it isn’t feasible to have people watch a training video at the start of each shift, repetition is required. Even the best training will fade from people’s minds if only conducted annually. One promising method is the just-in-time training usually associated with internal phishing campaigns.
While some organizations develop their own campaigns, most are using products to simplify the deployment and tracking of internal phishing emails. When an employee clicks a phishing link, they may be assigned mandatory security training or automatically enrolled in a security awareness class. This type of just-in-time training helps reinforce good email hygiene and maintain a security-focused mindset.
These are just a few ideas that may improve security awareness with only modest investment. If training deters even one potential data breach, it will have paid for itself in spades.
NRHA commissioned the above piece from Allscripts, a trusted NRHA partner, for publication within the Association's Rural Health Voices blog.