• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

Who's to Blame for Healthcare's Cybersecurity Problem? Its Employees, For Starters

Article

Privacy and security extend beyond HIPAA. Here’s what healthcare leaders must know about training staff for ransomware, phishing, and more.

cybersecurity training,healthcare security,improve employee cybersecurity,hca news

Photo has been resized. (U.S. Navy photo by Mass Communication Specialist 2nd Class Taylor L. Jackson/Released)

Each week brings news of another healthcare data breach, cyberattack, or analysis bemoaning the space’s stark cybersecurity vulnerabilities. Hackers are battering hospitals, just as they are community clinics and supernova-size electronic health records (EHR) companies. Broadly, healthcare is waking up to threats that sneak in through its gaping cybersecurity holes, and the industry is learning that it’s at more risk than any other sector, period.

Healthcare organizations are also putting more muscle and brainpower into their cyberdefenses. Tackling the issue head-on is the only way to save patients’ valuable protected health information (PHI) from hackers—and is thus the only way that hospitals have a fighting shot at complying with the Health Insurance Portability and Accountability Act (HIPAA). And the problem might be one with a simple solution: training and best practices.

It turns out that most healthcare employees aren’t properly prepared to handle basic cybersecurity threats, according to a new report from the privacy and security awareness firm MediaPro.

Healthcare’s Cybersecurity Problem

In total, 78% of healthcare employees lacked some degree of knowledge that could help them ward off attempts to breach privacy and security, an 8% rise over the past year, according to the report, which polled more than 1000 medical workers, along with folks in other industries. Healthcare staffers performed worse at spotting signs of malware than professionals in other sectors, with 24% of medical employees overlooking the hazard, researchers found.

“By and large, I was a little surprised to see that healthcare, being the prime target for ransomware and phishing attacks these days, did more poorly than the rest of its counterparts,” said Colleen Huber, M.Ed, product manager of content design and development for MediaPro. “That was cause for concern.”

In total, 37% of healthcare employees were deemed risks, 41% novices, and 22% “heroes,” the 3 classifications established by MediaPro. The breakdown means that most of healthcare has, at best, a “good understanding of the basics,” and many employees “put their organizations at serious risk for a privacy or security incident,” according to the researchers.

What’s more, healthcare professionals lagged behind the general population in dealing with incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying malware warning signs, cloud computing, and even working remotely or using social media.

Why? “The healthcare industry in general just has this fatigue,” Huber said. “They have so much to juggle in terms of complying with HIPAA and other laws and regulations, that security and privacy might not be top of mind when they think about their day-to-day.”

How Healthcare Leaders Can Improve Cybersecurity, Best Practices

Fortunately, healthcare executives and individual employees can do something about this bad news.

First, as exemplified by the industry’s response to phishing expeditions, healthcare stays quiet when something troubling is afoot. Roughly a quarter of respondents noticed suspicious activity but failed to report it, a trend that jeopardizes their organizations. Administrators should make clear how their staff can register such incidents—and that they won’t get in trouble for doing so, provided there was no data breach, Huber said.

Seeing something, she added, is only part of the solution. Staffers must also say something.

But healthcare organizations must indeed strive to create an “awareness culture,” Huber noted. A comprehensive approach to this could result in a system that fosters understanding of HIPAA, institutional policies, and evidence-based best practices. Further, everyday reinforcement tactics—like posters, verbal or written praise, and the reeducation of employees caught not adhering to guidelines—could help make privacy and security an everyday thought in the building, Huber said.

It’s also critical that healthcare decision makers create an environment that’s driven by the details. “The privacy and security decisions that we make sometimes exist in that gray area between good and best decisions,” Huber said. “Common sense and paying attention to the details help.” For instance, it might not be terrible for an employee to allow a person with a badge to enter the building if they shepherd the visitor to security, but it would be best for the employee to deny entry.

Details are also key when it comes to combating phishing and ransomware. Make sure employees check hyperlinks before they click and do not assume that an unknown sender is legitimate simply because they mentioned the employee’s name, Huber said. For ransomware, everyone should keep an eye out for files that are moving around on their own. They must know how their computers typically act and monitor their speed and firewall, she said.

Healthcare Cybersecurity Education Is Evolving

Luckily, high-tech innovations similar to those transforming medicine are also improving cybersecurity training, Huber said.

Training via smartphones and other mobile devices is a good first step for healthcare executives to consider, she said. This style keeps employees more engaged and eager to pay attention.

Artificial intelligence (AI) will also soon enter the picture. Algorithms will enable healthcare organizations to identify who needs what kind of training, and how and in what way, Huber said. This will strengthen the role of responsibility-based cybersecurity education, a practice in which individuals receive training tailored for them and their job demands.

Still, the best weapon a healthcare organization—and its leaders and employees—can have is already available to most.

“It’s common sense that is applied consistently and rigorously,” Huber said.

Related

The Worst Healthcare Cybersecurity Breaches of 2017

Cybersecurity Threats, Digital Failures Top Hospital Hazards List

Blockchain Could Be the Key to Healthcare's Cybersecurity Problem

Recent Videos
Image: Ron Southwick, Chief Healthcare Executive
Related Content
Images: AHA, Providence, and HIMSS

Cybersecurity panel: How hospitals can protect their patients and their systems

Ron Southwick
November 18th 2024
Article

Chief Healthcare Executive® presents the final installment in our series, with experts from HIMSS, the American Hospital Association, and Providence. In this episode, our panel offers advice on how health systems can improve.

How a small Texas hospital upgraded its technology | Data Book podcast

How a small Texas hospital upgraded its technology | Data Book podcast

Ron Southwick
June 20th 2024
Podcast

In the latest episode of our podcast, we talk with Lynn Falcone, the CEO of Cuero Health in Texas. She talks about moving to a new electronic medical record system, cybersecurity and much more.

Images: HIMSS, Providence, American Hospital Association

Cybersecurity panel: Hospitals are making progress, but aren’t keeping pace with attackers

Ron Southwick
November 11th 2024
Article

Chief Healthcare Executive presents the third installment from our conversation on cybersecurity, with experts from HIMSS, the American Hospital Association, and Providence.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

Ron Southwick
March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Images: AHA, HIMSS, Providence

Cybersecurity panel: The scope of recent ransomware attacks in healthcare

Ron Southwick
October 28th 2024
Article

Chief Healthcare Executive hosted a discussion on cybersecurity with leading experts from the American Hospital Association, HIMSS and the Providence health system. They talked about the growing problem of cyberattacks.

Image: Clearwater

New cybersecurity bill is a step in the right direction, but needs more work | Viewpoint

Steve Cagle
October 27th 2024
Article

Cybersecurity issues aren’t confined to one corner of the sector—it's a challenge for the entire system, and it’s about time we all moved in the same direction.

© 2024 MJH Life Sciences

All rights reserved.