Oct 11 2021

8 Ways to Create a Strong Security Culture and Strengthen Incident Response in Healthcare

Hospitals and health systems cannot build a culture of security overnight. Being prepared is the first step of incident response planning.

Basic cyber hygiene is just as important for healthcare professionals as personal hygiene, according to John Riggi, senior adviser for cybersecurity and risk with the American Hospital Association and a 28-year veteran of the FBI.

“It should be second nature to lock the computer when you walk away and not to share passwords,” Riggi says. “We need to make that as routine as washing your hands before you see a patient and after you leave a patient’s room. For that routine to become muscle memory, that’s the state we’d like to achieve.”

With clinical staff often focusing their attention on making critical care decisions and juggling the needs of many patients at once, hospitals and health systems are especially vulnerable to phishing and ransomware attacks that take advantage of distracted workers. To mitigate this risk, technology and information security leaders are stepping up their efforts to create a culture of security — one in which managers can effectively communicate about the latest major threats and employees can take the right steps to address a threat.

Click the banner below to dig deeper into incident response with planning guidance from CDW.

8 Tips for Developing a Strong Security Culture

Riggi and other security experts offer these recommendations to help organizations develop a culture of security:

  1. Emphasize balance. One of the most common mistakes in approaching cybersecurity is placing too much emphasis on technology or training, notes Jinan Budge, principal analyst for security and risk at Forrester Research. “There needs to be a balance of people, training, technology and process. It’s not one or the other. It’s all of the above.”
  2. Focus on behavior. The 2021 Verizon Data Breach Investigations Report found that human error is involved in 85 percent of data breaches. This points to the need to encourage behavior change that emphasizes a more secure approach to technology use, according to Troy Ament, field CISO for healthcare and life sciences at Fortinet. “Empowering caregivers and clinic staff to use security best practices can aid in encompassing a culture of security throughout day-to-day operations,” he says. Positive reinforcement helps, Riggi adds; consider incentives and public recognition for individual employees who report suspicious emails or otherwise mitigate cybersecurity threats.
  3. Stay current. Healthcare has seen a “massive increase” in ransomware and phishing attacks targeting patient data and clinical research connected to COVID-19, says Marlon Harvey, principal architect within the customer experience healthcare practice at Cisco. The combination of remote work and virtual care adoption has also increased the need for secure connectivity. “Security needs are entirely different now for healthcare organizations than they were 18 months ago,” Harvey says. Ament emphasizes the adoption of approaches such as multifactor authentication and zero trust to better secure distributed systems.
  4. Don’t overload staff. Organizations face hundreds of cybersecurity threats every day, Riggi says. Communicating every threat would overwhelm staff and desensitize them to risk. Instead, security teams should summarize key issues and share them with management. In turn, managers should discuss these threats — as well as the right tactics for mitigating them — in regular staff meetings. Communicating in that setting helps staff understand that cybersecurity is part of the job, he adds.
  5. Target training resources. Remember that clinical staff don’t necessarily need the same in-depth knowledge of security practices as IT teams, Harvey says. In addition, conversations about security for frontline clinical staff should focus on how adopting best practices can increase efficiency and enable care delivery. Ament agrees: “The key is to make training digestible and implemented in their daily routines.”
  6. Train staff in the moment. “Asking someone in healthcare to spend an hour a year in security training is not going to work,” Budge said. She and the other experts recommend implementing training “in the moment.” This could be a pop-up prompt to try a stronger password, color-coded banners for external emails based on the potential threat they pose, posters and pamphlets in high-traffic areas, or making security experts available for informal conversations in the hospital cafeteria.
  7. Implement governance. Many organizations understandably prioritized urgency for care over security best practices in response to COVID-19. It’s important to make sure that both onsite and remote employees understand how to maintain security for devices, networks and virtual consults with patients or other physicians. “IT and cybersecurity departments have a big role to play as they re-evaluate some of the rushed technology decisions made over the past year,” Ament says. “Governance is crucial in ensuring that any project that’s underway has cybersecurity built into the entire lifecycle.”
  8. Practice empathy. Ultimately, Budge says, the best way to create a culture of security is to understand what will resonate with individual healthcare professionals. This requires an empathetic tone, a less punitive approach to errors and a willingness to listen to others’ needs. “Emotional vulnerabilities are quite heightened at the moment, particularly in a healthcare setting,” she says. “Security teams need to remember that it’s not about them — it’s about everyone else in the organization.”

EXPLORE: Learn how healthcare organizations can defend against evolving threats.

SelectStock/Getty Images