Security

Improving Cybersecurity Training for Healthcare Staff

Annual cybersecurity training may help healthcare organizations stay compliant, but it doesn’t mean they’re more secure.

Teta Alim

Teta Alim is the managing editor of HealthTech. Teta previously worked as a digital journalist in Washington, D.C.

Employees across many industries have become familiar with some sort of annual cybersecurity training at their organizations, from watching informational videos to participating in simulated phishing attempts.

For heavily regulated sectors such as finance or healthcare, these trainings may tick a box for compliance purposes. However, actually making the organization more secure is a different concern.

“Now there’s a realization that, at a user level, security and compliance are not the same thing,” says Ryan Witt, vice president of industry solutions at Proofpoint. “In the actual safeguarding of data and of an institution, security and compliance are two distinct disciplines.”

As malicious actors continue to target healthcare organizations, role-based cybersecurity training is becoming essential for staff members, whether they’re patient-facing or working in the back office. Training that is relevant to a specific role can help team members develop a better sense of vigilance and scrutiny that will only improve an organization’s security posture.

Click the banner below to read the recent CDW Cybersecurity Research Report.

x_security_q325_animated_click_desktop_03

x_security_q325_animated_click_mobile_03

Why Is There a Need for Role-Based Security Training?

According to a 2024 Proofpoint report, 71% of workers admitted to acting in a way that put security at risk, such as clicking links from unknown senders or sharing credentials with an unconfirmed source.

So, why not just tell employees to reduce risky actions? It’s likely that they need to take such risks as part of their job, such as downloading resumes for HR, confirming credentials at the IT help desk or accessing medical data as a researcher.

“They’re not doing anything wrong,” Witt explains. “But these trainings need to support them so that they can fulfill their roles and still have safeguards in place. After all, they’re the ones who are getting the lion’s share of the attacks.”

Their roles may not be well known outside of the organization, but they may work in vulnerable ways or have access to sellable data that makes them desirable as marks.

“If you are a healthcare institution and you have any sort of research component as part of your organization, you are exponentially more attacked,” Witt says. “We’ve seen strong examples where particularly nation-state actors are trying to get access to data that’s valuable that they can monetize.”

Organizations should especially have customized training for the help desk, which malicious actors are more likely to target, Witt adds. It’s common for the help desk to receive requests to reset authentication methods because someone purchases a new phone, for example. How can that help desk employee verify that this is a legitimate request coming from within the organization?

“They’re driven to want to help, and it’s an attribute you really want to see as part of your team, but a threat actor can prey upon that,” Witt says.

For example, consider a help desk employee who receives a request to change a password for someone claiming to be an oncologist onsite in a hospital’s emergency department. That help desk employee should be wary because oncologists are not usually in the ED.

“That’s the level of education, at an industry level, at a role level, that we’re trying now to build into our own curriculum,” Witt says. “Someone who has worked at a healthcare organization for a long time may be able to make that connection, but what about someone newer to the help desk and to the hospital? So, that needs to be a part of the training.”

Role-based security training should also include those with public personas or visible profiles, such as a noteworthy orthopedic surgeon or a doctor who makes frequent media appearances.

“The bad actors have figured out that not every email address or every person within an organization is treated equally or has the same level of vulnerability,” Witt adds. “There are certain people within those organizations and certain departments that have exponentially higher vulnerability.”

They’re driven to want to help, and it’s an attribute you really want to see as part of your team, but a threat actor can prey upon that.”

Ryan Witt Vice President of Industry Solutions, Proofpoint

Effective Approaches to Role-Based Security Training

Rather than creating a massive annual training module that employees are likely to put off until the last minute, Witt suggests scheduling shorter trainings more often.

“We’ve seen a strong pivot to these bite-sized trainings,” he says. “Sometimes, they even happen in real time, related to a recent cyber event. They’re a quick refresher, making the lessons much more relevant and easier to adopt.”

As the use of generative artificial intelligence and other AI-assisted strategies becomes more commonplace, role-based security training will also need to evolve so that employees can take better precautions.

Deepfake videos are a tactic scammers have recently used in their phishing attempts, but Witt says he’s more interested in “shallowfakes,” or content that is changed minutely so that a user may think that what is being said is not totally out of place or character.

“They may require deeper consideration and analysis, and there may be the need to deploy sandbox technology to give everyone a bit of a pause to say, ‘Let's examine this a bit further,’” he says.

Even amid all the rapid technological changes, humans remain a critical part of cybersecurity. Exploiting zero-day vulnerabilities requires a certain level of technical skill, so it’s much easier for a cybercriminal organization to arm one of its attackers to launch a phishing attempt on an unsuspecting employee with minimal effort.

“Humans are the targets, so there’s recognition in the industry that the training needs to pivot to mitigate those risks,” Witt says.

For healthcare organizations, improved cybersecurity training supports effective care delivery and prevents harm to patients. In the past, that wasn’t always the mindset, and the perception was that learning security tools and conducting training negatively impacted workflow. That skepticism may still exist, but at least there is a growing culture change.

“I’ve seen a complete metamorphosis,” Witt says. “If your institution doesn't have the right security posture in place, and you have no ability to provide patient care for a period of time, you are not living up to your mission.”

Igor Suka/Getty Images