Privacy and security extend beyond HIPAA. Here’s what healthcare leaders must know about training staff for ransomware, phishing, and more.
(U.S. Navy photo by Mass Communication Specialist 2nd Class Taylor L. Jackson/Released)
Each week brings news of another healthcare data breach, cyberattack, or analysis bemoaning the space’s stark cybersecurity vulnerabilities. Hackers are battering hospitals, just as they are community clinics and supernova-size electronic health records (EHR) companies. Broadly, healthcare is waking up to threats that sneak in through its gaping cybersecurity holes, and the industry is learning that it’s at more risk than any other sector, period.
Healthcare organizations are also putting more muscle and brainpower into their cyberdefenses. Tackling the issue head-on is the only way to save patients’ valuable protected health information (PHI) from hackers—and is thus the only way that hospitals have a fighting shot at complying with the Health Insurance Portability and Accountability Act (HIPAA). And the problem might be one with a simple solution: training and best practices.
It turns out that most healthcare employees aren’t properly prepared to handle basic cybersecurity threats, according to a new report from the privacy and security awareness firm MediaPro.
In total, 78% of healthcare employees lacked some degree of knowledge that could help them ward off attempts to breach privacy and security, an 8% rise over the past year, according to the report, which polled more than 1000 medical workers, along with folks in other industries. Healthcare staffers performed worse at spotting signs of malware than professionals in other sectors, with 24% of medical employees overlooking the hazard, researchers found.
“By and large, I was a little surprised to see that healthcare, being the prime target for ransomware and phishing attacks these days, did more poorly than the rest of its counterparts,” said Colleen Huber, M.Ed, product manager of content design and development for MediaPro. “That was cause for concern.”
In total, 37% of healthcare employees were deemed risks, 41% novices, and 22% “heroes,” the three classifications established by MediaPro. The breakdown means that most of healthcare has, at best, a “good understanding of the basics,” and many employees “put their organizations at serious risk for a privacy or security incident,” according to the researchers.
What’s more, healthcare professionals lagged behind the general population in dealing with incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying malware warning signs, cloud computing, and even working remotely or using social media.
Why? “The healthcare industry in general just has this fatigue,” Huber said. “They have so much to juggle in terms of complying with HIPAA and other laws and regulations, that security and privacy might not be top of mind when they think about their day-to-day.”
Fortunately, healthcare executives and individual employees can do something about this bad news.
First, healthcare stays quiet when something troubling is afoot, as the industry’s response to phishing attempts shows. Roughly a quarter of respondents noticed suspicious activity but failed to report it, a trend that jeopardizes their organizations. Administrators should make clear how their staff can report such incidents—and that they won’t get in trouble for doing so, provided there was no data breach, Huber said.
Seeing something, she added, is only part of the solution. Staffers must also say something.
Beyond reporting, healthcare organizations must strive to create an “awareness culture,” Huber noted. A comprehensive approach could result in a system that fosters understanding of HIPAA, institutional policies, and evidence-based best practices. Further, everyday reinforcement tactics—like posters, verbal or written praise, and the reeducation of employees caught not adhering to guidelines—could help make privacy and security an everyday thought in the building, Huber said.
It’s also critical that healthcare decision makers create an environment that’s driven by the details. “The privacy and security decisions that we make sometimes exist in that gray area between good and best decisions,” Huber said. “Common sense and paying attention to the details help.” For instance, it might not be terrible for an employee to allow a person with a badge to enter the building if they shepherd the visitor to security, but it would be best for the employee to deny entry.
Details are also key when it comes to combating phishing and ransomware. Make sure employees check hyperlinks before they click and do not assume that an unknown sender is legitimate simply because they mentioned the employee’s name, Huber said. For ransomware, everyone should keep an eye out for files that are moving around on their own. They must know how their computers typically act and monitor their speed and firewall, she said.
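As an added illustration of the link-checking habit Huber describes (example code written for this page, not MediaPro’s or the article’s; all domains and addresses are constructed), this Python snippet flags the same warning signs a trained employee is taught to look for: visible text that names one domain while the link goes elsewhere, bare IP targets, and user-info tricks before an “@”.

```python
# Added example (not from the article or MediaPro): flags the hyperlink
# warning signs that phishing awareness training teaches staff to check
# before clicking. All domains and addresses below are constructed.
import re
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def registrable_part(host: str) -> str:
    """Last two labels as a stand-in for the registrable domain
    (assumption: no public-suffix list; enough for a training demo)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_link(visible_text: str, href: str) -> list:
    """Return warnings for one link; an empty list means nothing looked off."""
    warnings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{parsed.scheme}'")
    if IPV4_RE.fullmatch(host):
        warnings.append("target is a bare IP address, not a named host")
    if parsed.username is not None:
        warnings.append("user info before '@' hides the real host")
    # If the visible text shows a domain, it must match where the link goes.
    shown = DOMAIN_RE.search(visible_text.lower())
    if shown and host and registrable_part(shown.group(1)) != registrable_part(host):
        warnings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return warnings

def scan_html(html: str) -> dict:
    """Map each flagged href in an HTML message body to its warnings."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        problems = check_link(re.sub(r"<[^>]+>", "", text), href)
        if problems:
            findings[href] = problems
    return findings

# Constructed sample message: one genuine link followed by three lookalikes.
SAMPLE_EMAIL = """<p>Hi Dana, your password expires today.</p>
<a href="https://portal.hospital.example/login">https://portal.hospital.example</a>
<a href="http://portal.hospital.example.evil.test/login">portal.hospital.example</a>
<a href="http://203.0.113.5/reset">Reset now</a>
<a href="https://hospital.example@198.51.100.7/reset">hospital.example</a>"""
```

Running `scan_html(SAMPLE_EMAIL)` leaves the genuine portal link unflagged and reports the three lookalikes with the reason each one fails the “check the link before you click” test.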
Luckily, high-tech innovations similar to those transforming medicine are also improving cybersecurity training, Huber said.
Training via smartphones and other mobile devices is a good first step for healthcare executives to consider, she said. This style keeps employees more engaged and eager to pay attention.
Artificial intelligence (AI) will also soon enter the picture. Algorithms will enable healthcare organizations to identify who needs what kind of training, and how it should be delivered, Huber said. This will strengthen the role of responsibility-based cybersecurity education, a practice in which individuals receive training tailored to them and their job demands.
Still, the best weapon a healthcare organization—and its leaders and employees—can have is already available to most.
“It’s common sense that is applied consistently and rigorously,” Huber said.