Healthcare Security Awareness Training: The Needed Change


This November marks 20 years since I performed my first HIPAA Security Awareness Training (SAT).  I remember it vividly, because it was exactly one month after the Proposed HIPAA Security Rule was published in October ’98. It wasn’t long before I had a calendar full of SATs booked for organizations across the country that needed to comply with the new requirements.

Fast forward to today, and every week the news is filled with stories like those below (these two are pulled from recent editions of our IT Security News Blast). They demonstrate that two decades of SAT have not given healthcare organizations the cybersecurity they need.

  • Most Healthcare Workers Admit to Non-Secure Healthcare Data Sharing
    A disturbing 87% of healthcare workers admit to using non-secure email to send sensitive information, including PHI... Healthcare workers are 36% more likely to share regulated data such as patient information and credit card information via non-secure methods such as email than those working in financial services.
  • Largest Healthcare Data Breaches of 2016
    By the numbers: 329 breaches that, in sum, exposed more than 16 million patient records. That’s an order of magnitude increase from only 18 breaches in 2009.

Articles like these prompted me to take a look back through the 20 years of SAT presentations that we’ve used to train providers, payers, and clearinghouses – organizations with unique IT environments that operate in an industry that is among the most frequently targeted by “cyber” criminals.

As I scrolled through the decks, I wondered why, even after decades of instruction in IT security best practices, users are still so susceptible to the most basic tactics of cyber criminals.

The Causes… (at least a few of them)

Looking back at our trainings from the past two decades made one thing clear: until a few years ago, the content really didn’t change very much. Legacy Security Awareness Trainings consistently covered the same four categories:

  • Security in the work environment
  • Regulated data which commonly has breach reporting requirements
  • Lists of best practices and policy statements on how users should behave and use technology
  • Basic security principles for those who have no real background in IT or data security

Even though the curriculum was solid, it failed to address the evolution of how users in a healthcare environment interact with technology and data. It lacked the round-the-clock perspective that today’s mobile-first society now clearly demands. In the last ~10 years, we’ve seen the following trends:

  • A growing number of personal devices users are bringing to, and using for, work
  • An increasing rate of introduction of new healthcare technologies that provide substantial benefits to doctors and patients and challenges to InfoSec pros who must secure these systems
  • A growing number of threats from outside cybercriminals, inside threat actors, hacktivists, and nation-states

These trends are what led us to change our approach in the early 2010s. Since then we have gotten vastly better feedback on the effectiveness of our SAT materials.

The Needed Change

The change we made was to shift our SAT message from “Here’s why this is important to the company,” to “Here’s why it’s important to you.” We focus on training people on a life skill – not just a work skill – one that centers around protecting themselves and using technology and information securely in all areas of their life.

Instead of presenting case studies of how breaches on healthcare organizations occur, we emphasize how every one of us is under attack 24/7/365. We have found that when people visualize security within their personal life and consider personal impacts and costs, information security and data protection become real in a new way.

To bring cybersecurity “closer to home,” we use real-world examples of how cybercriminals have caused harm to individuals and organizations alike. Once users understand the risk they face personally and what they can do to protect themselves, they are much more likely to buy into an organization’s cybersecurity program. For example, users on the lookout for phishing attempts, be they personal or professional in nature, can raise the red flag on a suspicious email that may have slipped past a technical defense.

Users who learn to protect their personal pictures, bank accounts, and data at home, at work, and in public are critical to healthcare organizations’ cyber defenses. Cybersecurity is no longer just an inconvenient part of the job; it is now an essential part of daily life, and effective Security Awareness Trainings must address IT security beyond the office.