What’s Working: Cyber Security Success in Healthcare
A Wall Street Journal article reported that out of 450 data breaches at hospitals, health insurers, and other healthcare-related service providers who house sensitive patient information, 192 were blamed on insiders (99 were classified as accidental and 91 were a result of “insider wrongdoing”). To combat the human-centric nature of these threats, many healthcare organizations are focusing on human interventions such as awareness training and recruiting and looking for ways to harness community wisdom.
The Department of Health and Human Services reports that U.S. healthcare organizations are severely flawed when it comes to cybersecurity and lags other sectors in safeguarding systems and sensitive information. The healthcare industry is in the midst of a wave of IT modernization – including the large-scale move to electronic health records – so the focus is increasingly on protecting these digital assets that contain sensitive patient data.
Let’s take a look at some cyber security success stories in healthcare and resources the government and industry are sharing to help the healthcare community as a whole.
Focus on the Employee to Ensure Security
Maybe not surprising in a field whose focus is on people caring for people, many healthcare organizations are seeing cyber security success by focusing on current employees – and looking for new employees.
A recent study found that clinicians were more likely than either business or IT survey respondents to identify employee awareness and training, or lack there of, as a significant barrier to achieving a higher level of confidence in their security program. One CMIO in the study said, “The end-user education is important because that’s often the initial point of failure, where somebody gets through and then gets to deeper information.” And a CISO stated, “I think the human training is the most important element. If I had to make a choice about the one thing to spend money on, it would be about getting the word out, talking to people and training people about the risks.”
Beaumont Health Systems delivers security training in bite-sized chunks – 10-minute interactive sessions using the gamification style. Their quarterly training includes ‘You Are The Key to Security’, ‘Don’t Get Phished’, and ‘When Is A Friend Not A Friend’ for social networking tips. They are seeing success with this approach: “We are getting a lot more advance notice from our users who say I think this is spam or phishing, what do you want me to do with it? We’re getting more proactive employees,” says Scott Larsen, manager of cyber security operations.
Intermountain Healthcare holds regular security training and retraining sessions for all employees, and focuses on ongoing communication with regular email updates on how they can keep the health system’s protected health information and other data safe at work and at home on their mobile devices.
To ensure a pipeline of employees to combat security threats, Sentara Healthcare created the Cyber Student Staffing Program to recruit students in its home state of Virginia to be future cybersecurity workers. The program recruits students from around the region – mostly college, some high school – to work in the Sentara Healthcare information office as junior cyber risk staff who work side by side with information security professionals to gain valuable first-hand experience. The age range of ongoing part-time college student staff is late teens to early 30s.
Harness the Wisdom of the Crowd
Marc Probst, CIO of Intermountain Healthcare, stresses the need for community efforts around healthcare cyber security, stating “We have to work together. If we’re all going to go out and reinvent security then we’re all going to spend a lot of money and we’re never going to do it as well as we could if we start working together.”
Here are some resources to help with community building:
- The CDC and the Department of Health and Human Services provides a cyber discussion guide with several potential threat scenarios, coupled with a detailed list of questions to help organizations assess their level of preparedness.
- The Healthcare Information and Management Systems Society (HIMSS) hosts a Healthcare Cybersecurity Community.
- HIMSS also prepares monthly Healthcare and Cross-Sector Cybersecurity Reports that provide information on threats, vulnerabilities, mitigation information, reports, and resources.
- The National Health Information Sharing and Analysis Center brings together a community of critical infrastructure owners and operators within the healthcare sector. The community is primarily focused on sharing timely, actionable and relevant information with each other including intelligence on threats, advice and best practices, and mitigation strategies.
Support Human-Centered Security with Technology
Healthcare organizations can augment their emphasis on employee education and organization-to-organization collaboration with technology that assumes some of the burden. Employee monitoring solutions such as Teramind provide ongoing listening of insider activity. The software can be configured to deliver alerts based on organization-specific suspicious activity. In addition, organizations can track emails and file transfers to help mitigate against inadvertent or intended threats.