What you need to know about the forces reshaping our industry.

Blog Post

Why does health care keep facing breaches and ransomware? Maybe it's time to revamp staff training.

By Andrew Rebhan

July 7, 2020

    For the past nine years, the security software firm SplashData has produced an annual "worst passwords list," and the entries are as mind-numbingly careless as you’d expect. The firm's analysis is based on millions of passwords that are leaked online and discovered in breaches throughout each year. For 2019, the three most-used worst passwords were (in order):

    Cheat sheets: What executive leaders need to know about cybersecurity

    1. 123456

    2. 123456789

    3. qwerty

    A few other offenders made the list, including "12345," "111111," "password," and my personal favorite: "dragon."

    It's worth noting that although the above list isn't specific to health care (and may include default passwords or passwords from outdated applications), these password flops should spur more than just a few chuckles—they carry serious implications for the health care industry.

    Why the health care industry needs to be on high alert

    As health providers have become increasingly reliant on technology and being online, new cyber threats have emerged. On a near-daily basis, I hear about another hacking incident and thousands of patients having their data potentially exposed, to the point where I have become a bit numb to the news of breaches.

    The Covid-19 crisis has further upped the stakes. Hospitals are more vulnerable than ever, given the need to hastily set up temporary care sites, the relaxation of HIPAA-related penalties for telehealth and care coordination, and the shift to remote work for employees. This vulnerability created a renewed focus on staff security training programs.

    The importance of security training, and where it falls short

    The standard forms of cyber defense are fairly well known at this point:

    • Use strong passwords (clearly room for improvement here);

    • Use two-factor authentication;

    • Make sure enterprise software is updated and fully patched; and

    • Ensure core systems are backed up for quick recovery, etc.

    These defensive measures are meant to address external threats, but internal security threats from staff require serious consideration too. In health care, workforce training (and documentation of that training) is a requirement for covered entities under the HIPAA Privacy Rule. These security training programs come in a variety of forms, including classroom lessons, online interactive tests, or newsletters—all meant to reinforce proper "security hygiene" among staff. Industry experts insist this training should occur frequently—ideally on a monthly basis rather than a single annual event.

    Employee training is already an essential part of an organization's security program, but many training and education efforts do not deliver optimal value. Why? Because these efforts are often solely focused on compliance, or worse, are focused on only singling out those who violate policy, fail some rule, or do something inappropriate.

    Security awareness should not be a temporary, isolated campaign, but something that is embedded in the organization's culture. Security training often fails to change staff behavior because employees do not feel a personal connection to the content—it's simply a mandated activity to meet a compliance goal.

    The solution: Focus on building intrinsic motivation with staff

    In the book Drive: The Surprising Truth About What Motivates Us, Daniel H. Pink evaluates the traditional thinking around how people are motivated by extrinsic rewards and punishments. His argument (which is rooted in self-determination theory research) is that the most effective form of motivation is intrinsic, and is driven by three core elements:

    1. Autonomy—the desire to have control over our actions;

    2. Mastery—the urge to improve at something and build competency; and

    3. Purpose—the need/longing to feel like our actions contribute to something meaningful.

    So how might we apply Pink’s three motivational factors to staff security training? Here’s my take:

    1. Autonomy: Show employees what's in their control.

      Security headlines are almost always negative, focusing on the actions of external bad actors, and given the high volume of breaches occurring in health care, it can feel like a hopeless battle. In some sense, we've come to accept breaches as inevitable, which may lead some employees to weaken their security vigilance.

      However, surveys show that up to one-third of health care security incidents can be attributed to "negligent insiders," or employees who make careless or unintentional mistakes. So, if a significant number of security incidents arise due to insiders, then that means employees do have something within their control, and their choices are meaningful in terms of upholding the organization's security posture.

    2. Mastery: Tap into employees' desire to improve.

      It's unrealistic to expect every member of your staff to be a security expert, but consistent and impactful training can keep your workforce engaged and on guard to build a sense of security "muscle memory." Timely and actionable feedback, along with incorporating elements of gamification (e.g., awards for properly dealing with cyber threats) can also build up an employee's desire to improve his or her cyber defense skills.

    3. Purpose: Demonstrate the downstream value of security training.

      To get alignment between staff and security leadership, there needs to be a common understanding of the risks involved and an appreciation for the downstream value of security training. Many employees feel that security is someone else’s responsibility. For example, clinicians may feel that business-imposed training for security compliance gets in the way of patient care. Leaders should ensure that messaging to clinicians around cybersecurity expands the definition of "quality care" to include the protection of patient data and privacy.

      Likewise, the Chief Information Security Officer (CISO) role should be accountable for more than just reducing organizational risk. A hospital CISO may not directly interact with patients, but security incidents that expose personal information or shut down operations can directly harm patients. The shared goals of patient safety and stable operations give cyber-risk management a higher purpose.

    Additional considerations for delivering effective security education

    Tailor training and education where possible: Most security programs follow a one-size-fits-all structure. This type of training can be convenient, but it can result in some employees feeling as if the content does not apply to them, especially across large complex organizations. There are aspects of ongoing trainings that apply to employees at all levels, but specific roles deserve a more custom approach.

    Make security training feel real: Training videos have become a staple for most security programs, but this type of passive training needs to be coupled with active training, such as simulated phishing campaigns. Other actions may include sharing data from recent verified threats, as some staff may still view security training as purely hypothetical unless they are directly affected. Some industry events have hired former professional hackers to demonstrate to attendees how they can easily infiltrate their data, like signing into someone’s social media account with a few basic bits of information.

    Ensure remote employees are set up for success: Covid-19 forced many organizations to shift a large segment of their staff to work remotely. Suddenly, many security and IT leaders had to make sure remote staff could properly connect to networks to do their jobs, and this also opened up new avenues for threats. To help, the American Medical Association and the American Hospital Association created a home and office security guide for physicians that provides a list of fundamental considerations for employees to secure personal computers, smartphones, tablets, and home networks.

    Extend security leadership beyond the CISO: Historically, security efforts have been isolated to the IT department, but organizations need an enterprise-wide approach. Health system executives must work in collaboration with IT and security leaders to ready their organizations to withstand and combat cyberattacks. To help with this, our team has a series of security cheat sheets that can bring your C-suite and Board leaders up to speed regarding their role in upholding a safe work environment.

    Paint a picture of a cyber-resilient organization

    Explore the ecosystem of preparation efforts required for cyber resilience, key actions for IT leaders, and top lessons for non-IT leaders.

    Download Now

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.