8 Tips for Developing a Strong Security Culture
Riggi and other security experts offer these recommendations to help organizations develop a culture of security:
- Emphasize balance. One of the most common mistakes in approaching cybersecurity is placing too much emphasis on technology or training, notes Jinan Budge, principal analyst for security and risk at Forrester Research. “There needs to be a balance of people, training, technology and process. It’s not one or the other. It’s all of the above.”
- Focus on behavior. The 2021 Verizon Data Breach Investigations Report found that human error is involved in 85 percent of data breaches. This points to the need to encourage behavior change that emphasizes a more secure approach to technology use, according to Troy Ament, field CISO for healthcare and life sciences at Fortinet. “Empowering caregivers and clinic staff to use security best practices can aid in encompassing a culture of security throughout day-to-day operations,” he says. Positive reinforcement helps, Riggi adds; consider incentives and public recognition for individual employees who report suspicious emails or otherwise mitigate cybersecurity threats.
- Stay current. Healthcare has seen a “massive increase” in ransomware and phishing attacks targeting patient data and clinical research connected to COVID-19, says Marlon Harvey, principal architect within the customer experience healthcare practice at Cisco. The combination of remote work and virtual care adoption has also increased the need for secure connectivity. “Security needs are entirely different now for healthcare organizations than they were 18 months ago,” Harvey says. Ament emphasizes the adoption of approaches such as multifactor authentication and zero trust to better secure distributed systems.
- Don’t overload staff. Organizations face hundreds of cybersecurity threats every day, Riggi says. Communicating every threat would overwhelm staff and desensitize them to risk. Instead, security teams should summarize key issues and share them with management. In turn, managers should discuss these threats — as well as the right tactics for mitigating them — in regular staff meetings. Communicating in that setting helps staff understand that cybersecurity is part of the job, he adds.
- Target training resources. Remember that clinical staff don’t necessarily need the same in-depth knowledge of security practices as IT teams, Harvey says. In addition, conversations about security for frontline clinical staff should focus on how adopting best practices can increase efficiency and enable care delivery. Ament agrees: “The key is to make training digestible and implemented in their daily routines.”
- Train staff in the moment. “Asking someone in healthcare to spend an hour a year in security training is not going to work,” Budge says. She and the other experts recommend implementing training “in the moment.” This could be a pop-up prompt to try a stronger password, color-coded banners for external emails based on the potential threat they pose, posters and pamphlets in high-traffic areas, or making security experts available for informal conversations in the hospital cafeteria.
- Implement governance. Many organizations understandably prioritized urgency for care over security best practices in response to COVID-19. It’s important to make sure that both onsite and remote employees understand how to maintain security for devices, networks and virtual consults with patients or other physicians. “IT and cybersecurity departments have a big role to play as they re-evaluate some of the rushed technology decisions made over the past year,” Ament says. “Governance is crucial in ensuring that any project that’s underway has cybersecurity built into the entire lifecycle.”
- Practice empathy. Ultimately, Budge says, the best way to create a culture of security is to understand what will resonate with individual healthcare professionals. This requires an empathetic tone, a less punitive approach to errors and a willingness to listen to others’ needs. “Emotional vulnerabilities are quite heightened at the moment, particularly in a healthcare setting,” she says. “Security teams need to remember that it’s not about them — it’s about everyone else in the organization.”