The last line of cyber-defense: a well-trained employee
Healthcare organizations are no strangers to security awareness training. The HIPAA Privacy Rule's administrative requirements (45 CFR §164.530) and the Security Rule's administrative safeguards (45 CFR §164.308) both set minimum security awareness training requirements for covered entities and business associates. The most common approach to meeting these requirements is new-hire and annual computer-based training (CBT) courses, which range anywhere from a few minutes to several hours in length.
A growing body of evidence suggests that CBT alone simply doesn't work. For example, Verizon's 2018 Data Breach Investigations Report reviewed more than 53,000 incidents across multiple industry segments. It shows healthcare to be the only industry segment in which internal threat actors (56%) outnumber external threat actors (43%).
In this context, "threat actors" is cyber-speak for the people who set in motion the series of events that leads to a compromise, breach, or leak. That could be a foreign criminal syndicate performing a well-planned and rehearsed cyber-attack on a hospital's infrastructure. Or it could be the harried data analyst who inadvertently clicked a phishing link in an email and started a chain reaction of malware installation and data exfiltration.
Those attacks sliced through the automated cybersecurity systems on which companies spend millions of dollars per year and pierced the last line of human defense: the well-trained employee. The industry's common approach to information security awareness training is failing to adequately prepare employees for the increasing volume of cyberattacks targeting healthcare.
Training tips from the airline industry
Security awareness generally boils down to a few basic principles: being alert to tailgating, keeping a clean workspace, recognizing suspicious links in emails, and the like. Because the concepts are so simple, people tend to tune out security awareness training on these fundamentals. It is similar to the FAA-mandated safety briefing at the start of every U.S. flight: many of us have watched passengers ignore the flight attendants as they walk through the well-rehearsed script, even though it is a refresher on potentially lifesaving information.
Virgin Atlantic captured people's attention in an innovative way: it created an entertaining, humorous safety video that still conveyed all the required information. Within two weeks of release the video went viral and was viewed by 5.8 million people who weren't even on a flight. That is a remarkable response to what is essentially a safety-awareness training video, and it shows that thinking outside the box and adding humor is a great way to capture attention.
While it isn't feasible to have people watch a training video at the start of every shift, repetition is required: even the best training fades from memory if it is only delivered annually. One method that is proving successful is the just-in-time training usually paired with internal phishing campaigns.
Some organizations build their own internal phishing campaigns, but most use one of several commercial products that simplify the deployment and tracking of simulated phishing emails. When an employee clicks a phishing link, they can be assigned mandatory security training or automatically enrolled in a security awareness class. This type of just-in-time training reinforces good email hygiene and helps maintain a security mindset.
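To make the just-in-time workflow concrete, here is a small Python tracker written for this article as an added example; it is not code from the original page nor from any of the commercial phishing-simulation products mentioned. It assumes a hypothetical landing host, a constructed recipient list, and a signing key held in a variable (in practice it would come from a secrets store). Each recipient gets an HMAC-signed link, so a curious employee cannot forge a colleague's click or enumerate links; a click is counted once per person and immediately enrolls them in training; and per-department click rates give the trend numbers a security team reports on.

```python
"""Minimal just-in-time phishing-simulation tracker (illustrative example)."""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Per-deployment signing key (assumption: in production this comes from a secret store).
SECRET = secrets.token_bytes(32)


def make_token(campaign_id: str, email: str, key: bytes = SECRET) -> str:
    """Build an HMAC-signed tracking token that ties a click to one recipient.

    Signing the token means a recipient cannot forge or guess a colleague's
    link, and a scanner cannot inflate results by hitting sequential IDs.
    """
    payload = f"{campaign_id}|{email}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()[:32]
    return f"{body}.{mac}"


def parse_token(token: str, key: bytes = SECRET):
    """Return (campaign_id, email) for a valid token, or None if malformed or tampered."""
    try:
        body, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        campaign_id, email = payload.decode().split("|", 1)
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8, or missing separator
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None
    return campaign_id, email


@dataclass
class Campaign:
    """One internal phishing campaign: who received it, who clicked, who was enrolled."""
    campaign_id: str
    recipients: dict                              # email -> department
    key: bytes = SECRET
    clicks: dict = field(default_factory=dict)    # email -> timestamp of first click
    enrolled: set = field(default_factory=set)    # emails auto-enrolled in training

    def link_for(self, email: str) -> str:
        # Hypothetical landing host; the real one is whatever your training platform serves.
        return f"https://training.example.invalid/c/{make_token(self.campaign_id, email, self.key)}"

    def record_click(self, token: str, when: str) -> str:
        """Handle a landing-page hit. Returns 'enrolled', 'duplicate' or 'rejected'."""
        parsed = parse_token(token, self.key)
        if parsed is None:
            return "rejected"
        campaign_id, email = parsed
        if campaign_id != self.campaign_id or email not in self.recipients:
            return "rejected"
        if email in self.clicks:
            return "duplicate"          # count each person once, whatever they do afterwards
        self.clicks[email] = when
        self.enrolled.add(email)        # just-in-time: the click itself triggers training
        return "enrolled"

    def click_rate_by_department(self) -> dict:
        """Fraction of recipients per department who clicked, for trend reporting."""
        totals: dict = {}
        clicked: dict = {}
        for email, dept in self.recipients.items():
            totals[dept] = totals.get(dept, 0) + 1
            if email in self.clicks:
                clicked[dept] = clicked.get(dept, 0) + 1
        return {d: round(clicked.get(d, 0) / n, 2) for d, n in totals.items()}


def demo() -> Campaign:
    """Run the workflow on a constructed recipient list (not real data)."""
    campaign = Campaign("q3-invoice-lure", {
        "a.analyst@hospital.example": "Billing",
        "b.clerk@hospital.example": "Billing",
        "c.tech@hospital.example": "Radiology",
    })
    link = campaign.link_for("a.analyst@hospital.example")
    token = link.rsplit("/", 1)[1]
    campaign.record_click(token, "2018-09-04T09:12:00Z")
    campaign.record_click(token, "2018-09-04T09:13:30Z")             # second click, ignored
    campaign.record_click(token[:-1] + "!", "2018-09-04T09:14:00Z")  # tampered, rejected
    return campaign


if __name__ == "__main__":
    c = demo()
    print(sorted(c.enrolled), c.click_rate_by_department())
```

Two design points matter more than the rest: the token is verified with a constant-time comparison and carries the campaign identifier, so a link from an old campaign cannot be replayed into a new one, and a repeated click is reported as a duplicate rather than enrolling the same person twice or skewing the department rate.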
These are just a couple of ideas that may improve security awareness training with only a modest investment. If that investment deters even one data breach, it will have paid for itself in spades.