Health leaders, it’s time to prioritize cybersecurity culture and employee awareness

The healthcare industry has been hit hard by the pandemic, and not just for the obvious reasons. The past year created the perfect storm for cybercriminals to take advantage of the world’s disruption and target vulnerable health systems, costing the healthcare industry $21 billion in ransomware payments and downtime. With a 470% increase in attacks from 2019 to 2020, it is now crucial for healthcare systems, hospitals, and other health-related organizations to prioritize the security of sensitive information and patients. The only way to do this is by educating employees with contextual cybersecurity awareness training and emphasizing the importance of a strong cybersecurity culture.

Although all industries and organizations can fall victim to cybercriminal attacks, the healthcare industry is even more vulnerable as they cannot afford to lose access to patient health records. Knowing this, cybercriminals have doubled down on ransomware and phishing campaigns, almost guaranteeing speedy payments from desperate healthcare workers who cannot afford to put their patients’ health at risk.

To put this alarmingly high increase in attacks at bay, health leaders need to prioritize the human element of the cybersecurity strategy. Healthcare organizations may not have previously required to invest as much time, effort, and resources on security training, but healthcare organizations have no other option in today's risk environment.

Here are three steps healthcare leaders across the U.S. should be considering immediately to secure and fortify their organization:

Assess current systems, technology, and culture. Outdated systems are more vulnerable to attacks, and with a global pandemic raging on for the past year, updating these systems might not have been top of mind for many healthcare organizations. In addition to reassessing cybersecurity technology, organizations should evaluate their entire security culture and employee sentiment towards that culture. This will give leaders a strong sense of whether or not employees feel confident in recognizing and remediate threats and where to go from there.
Identify gaps in security knowledge. Humans are the targets for these growing attacks, so organizations must empower their workforce with the right tools and expertise to effectively deter attacks themselves. Surveying your workforce is a great way to set a clear baseline for what is missing from your cybersecurity repertoire and identify the kind of content to build into a coaching strategy. It’s important to consider that not all employees will need the same security awareness knowledge. Employees should be equipped with applicable information based on their unique, risky actions that will likely expose themselves or the organization to potential threats. Once these gaps in security knowledge are identified, the organization can actively work towards closing them with a layered approach that incorporates both technology and coaching.
Build an individualized cybersecurity coaching strategy. As busy as your employees may be, it is crucial to arm them with the knowledge to protect your organization from a cyberattack. Healthcare workers already have non-traditional hours, so using long, generalized training seminars will not be effective. Instead, organizations should share personalized messages to each worker based on the specific behavior the employee carries out. These serve as microlearning moments that work within the busy schedules of the healthcare workforce and ensure that learning content is relevant to each employee’s specific actions. Sharing consistent, relevant touchpoints directly to an individual will lead to positive changes in behavior over time, ultimately protecting the broader organization.

Healthcare organizations must take the time to assess current security systems and strategies, even if they have not yet encountered any major cyber incidents. It’s essential to get ahead of these threats with relevant and vigilant education to the entire employee base. As phishing and ransomware attempts become more and more sophisticated over time, personalized guidance will proactively make employees aware of how their specific behaviors might put their organizations and patient data at risk - and deter them from making damaging mistakes.

Sai Venkataraman, Co-founder and CEO of SecurityAdvisor.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.