Oct 17 2019

Why All Healthcare Workers Need Cybersecurity Training

Despite a surge in data breaches, only 1 in 4 employees receive it.

Now more than ever, healthcare organizations find themselves on the front lines of cybersecurity battles. The records maintained by hospitals, medical practices and other healthcare providers contain extremely sensitive personal information. 

Legislators recognized this risk 23 years ago when writing HIPAA, which introduced mandatory security and privacy requirements for protected health information.

The threat has only increased with the growing digitalization of medical records and the increasing number of Internet of Things tools in healthcare. Devices now outnumber people in healthcare settings by 3 to 1, but many of those devices lack sufficient safeguards. More than twice as many patient records were breached in the first half of 2019 as in the whole of the previous year.

Just as concerning, a recent poll found that 1 in 4 healthcare employees has never received cybersecurity training from their employer, and 1 in 5 saw no reason to learn about the issue at work. 

Such gaps should underscore the need for wider awareness among healthcare leaders and the value of educating everyone. Let’s examine the key elements of a cybersecurity awareness program.


Get Executive Support for Cybersecurity Training

It’s difficult to conduct any type of nonmedical education in a healthcare setting. The nature of the work leads to a tight focus among healthcare professionals that tends to shut out anything unrelated to patient care. 

Cybersecurity leaders shouldn’t view their task as overcoming this attitude but rather aligning themselves with it. The topic of cybersecurity is a vital element of continuing professional education that directly contributes to better patient service.

Patients depend on providers to protect sensitive information. When breaches occur, patients are directly harmed through the loss of their privacy — and possibly the theft of their identities. After all, “do no harm” relates to far more than face-to-face care.

Conveying this message in a healthcare setting is crucial, and will be best received coming from someone providers consider an authoritative professional colleague, not an IT staffer. Enlist the help of a senior executive with medical credibility to explain the reason this training is required and its impact on patient care.

Identify Problems and Areas of Opportunity

Once you’ve established the importance of a cybersecurity awareness training program by tying objectives to patient care, you must deliver. Efforts that focus on esoteric security issues or are too broad will fall flat and quickly lose providers’ attention.

Define clear and concise objectives for your organization’s cybersecurity awareness training based on the current threats facing your organization and the knowledge gaps of providers. Tailor your messages to clearly address those objectives.

Are ransomware infections bringing down medical devices after users attempt to download unauthorized software? Explain how this behavior can take down crucial devices and prevent them from being used in patient care.

Are office staffers releasing medical information to other providers over the phone without properly confirming patient permission? Your awareness program should provide practical advice on the appropriate way to confirm patient consent and transfer information in a secure manner.

The specific content of a program should vary based on your organization’s needs, and it should continuously evolve. Keep your finger on the pulse and use that information to keep your awareness campaigns fresh and relevant to providers.


Deliver Consistent Messages on Preferred Platforms

The purpose of your cybersecurity awareness program should be to keep important issues and vulnerabilities top of mind for everyone in your organization so that they react appropriately when making crucial decisions in their day-to-day work. 

Its purpose is not to make providers and other staff members aware that a security awareness program exists. As long as you’re delivering timely and effective content, you don’t need to advertise everything as a cybersecurity awareness effort. In fact, the message might be more effective without IT department branding.

As you determine the best methods of delivery, think about how your stakeholders receive other important information. Is email an effective means of communication, or do providers routinely ignore it? Ask the same questions about staff meetings, newsletters, posters and other communications tools that might support your program.

Cybersecurity awareness is a crucial undertaking for every healthcare organization. Securing the privacy and security of patient records does require strong technical controls, but the responsibility for protecting this information rests on the shoulders of all providers and staff members — all of whom should be adequately educated.
