Hospitals have been repeatedly targeted by ransomware hackers, who seize sensitive patient data or hack into hospitals’ IT systems and hold it for ransom.
In April 2020, INTERPOL detected a significant increase in cyberattacks against hospitals around the world. With the increased use of technology and electronic medical records, there is a growing need for cybersecurity best practices as well as cybersecurity training in healthcare.
Who’s Responsible for Cybersecurity in Healthcare?Healthcare organizations have a responsibility to protect their patients’ data and sensitive information. Even though healthcare has evolved to use patient identification numbers, it is still linked to pertinent information such as patient social security numbers and accounting information. Employees are essential in cybersecurity and serve as the front line of defense to protect data.
Information technology (IT) is submerged in healthcare operations. While not all IT personnel are dedicated to cybersecurity functions, protecting systems is an essential IT function. However, all employees, not just IT professionals, are responsible for implementing cybersecurity best practices.
Steps to Building a Strong Cybersecurity Training ProgramAccording to Cybint, “95 percent of cybersecurity breaches are due to human error.” Cyber criminals and hackers will target employees to infiltrate an organization’s system. Here are considerations for building a strong training program:
- Identifying and assessing internet or network-connected operations: The first step in building a cybersecurity training program is identifying and assessing internet-connected operations. Take an inventory of internet-connected devices and operations that are vulnerable to hacking and cyber intrusion.
- Training needs and options for cybersecurity: Next determine the training needs for employees based on these identified devices and operations. Cybersecurity training can include different delivery methods such as classroom or face-to-face, computer-based training, simulations and more. A blended approach is often best, but there are other considerations when developing a program.
- All-hands! Training every employeeCybersecurity training is needed for all employees, regardless of their position. Every employee utilizes digital programs and devices including email, mobile phones and tablets, and Wi-Fi.
- Managers and supervisors: Managers and supervisors are responsible for their teams, which can include training. They are also imperative in developing a cybersecurity-conscious culture, incorporating cybersecurity awareness into meetings, huddles, team discussions, and the working environment.
- Physicians and nurses: A physician’s and nurse’s primary role is patient care. They have unique factors that may affect their availability for training, but it’s imperative they receive specialized cybersecurity training.
- Accounting and billing: Accounting and billing are increased targets for hackers, because they include pertinent information such as social security numbers, financial accounts, insurance billing statements, and more. Employees in this area should have an advanced training plan for cybersecurity.
- Vendors, consultants, and subcontractors: Healthcare organizations use vendors, consultants, and subcontractors, but it is the healthcare organizations’ responsibility to ensure these third parties comply with their cybersecurity requirements.
- Remote workers and business travel: What happens when employees are working offsite? It is essential that organizations are secured even if employees access their email or other software program outside of a network firewall. Organizations must consider solutions such as VPN, protocols for accessing open Wi-Fi networks, encryption, data and sensitive information storage, and more.
Develop a Training Maintenance and Contingency PlanOnce a training plan has been established, it must be regularly assessed and updated. Healthcare organizations should aim to conduct:
- Audits and quality improvement: Quality improvement and regular audits are required in an effective cybersecurity training program. This includes cybersecurity testing to identify gaps, such as running a phishing test, used by cybersecurity and IT professionals to create mock phishing emails and/or webpages that are sent to employees.
- Contingency plan for data breaches and hacks: Data breaches and hacks are a constant threat. Healthcare organizations must have a contingency plan to respond in case of a data breach or ransomware attack. This should include collaboration with IT, cybersecurity, emergency management, and disaster preparedness. This contingency plan should be clearly communicated and it’s highly recommended that organizations conduct drills or exercises to practice their response.
For more training insights, visit APU.