To master cybersecurity, design systems around employee workflows
For nearly two years, the healthcare sector has been in the crosshairs of cybercriminals, thriving on outdated systems and banking on humans to open the door. In fact, in 2015, 60 percent of breaches were caused by insiders, according to the IBM 2016 Cyber Security Intelligence Index.
It’s an issue well-known to healthcare’s security leaders. However, it creates a major issue: How can an IT team build a well-secured system, while making sure it doesn’t interrupt clinicians’ ability to care for their patients?
For Marin General, a standalone community hospital, just north of San Francisco, it was easy: Focus on people.
Marin didn’t need to start from the ground up during its security upgrade in Jan. 2016, as it has the obvious tools in place like firewalls, antivirus and the like, according to Marin’s CISO Jason Johnson. But the systems were disparate and needed to be brought under a unified umbrella.
Typically, when security managers begin a project like this, they look at the current technology and focus on filling in the gaps, explained Johnson.
“But we took a different approach to focus on the person and people because we knew that would the hardest needle to move and the most difficult to change,” said Johnson. “We started to focus on the people in parallel to the tools in the stack.”
His team started an e-learning, webinar-style orientation during the workday, for which his staff was compensated. Johnson explained training didn’t just include PowerPoint slides and lectures on HIPAA. Rather, there were games and rewards, coupled with education about the real cost of a breach. Security awareness training is required annually for Marin, and it’s integrated within new employee orientation.
His team also partnered with marketing, which created ads for a bug bounty program called Security Sleuths. The program rewards its staff members who report phishing emails or concerns to the IT team.
“I thought it would be gimmicky, but the gamification really spoke to people in a way I didn’t anticipate,” said Johnson.
Johnson’s team also makes sure to have a visible presence and face. So that when staff has a pressing question, they know it’s easy to reach out to is team for an answer before they make a mistake and, for example, click on a malicious link.
User-friendly security tools
Marin also needed to upgrade its antivirus and a few other tools, but that process didn’t begin until the people aspect of the project was well underway.
When considering changes to workflows it was crucial to bring it down to the staff to understand their needs and the way they work on a daily basis, as “security people can get siloed in their way of thinking,” Johnson explained.
So instead of just drawing up new platforms, Johnson’s team spoke with staff for a more consumer-based approach to bring in new workflows.
“And sometimes it’s important to get more input than you think is necessary,” Johnson said.
One unique project was to enforce encrypted email for PHI, as no email portal is good enough. However, “if you impact a customer’s workflow with security, they’ll find a way around it.”
So instead of just forcing staff into a new behavior, Johnson’s team surveyed staff to find out who they talk to most often. From that information, Johnson’s team came up with the top organizations, then sent Marin engineers to those organizations to build a gateway or encryption tunnel.
“It was a huge resource strain, but it in the end it made our user base able to send email encrypted, seamlessly,” said Johnson. “We decided to make it better for them. It’s the customer-centric approach.”
To Johnson, it was crucial to partner with other internal stakeholders and get it out of IT. His team began to loop people in early -- especially critical leaders within the organization.
“It’s important to make sure top level leaders are supporting you,” said Johnson. “It’s easy for managers to do. But you get more involvement during the process when the board is supportive.”
Johnson’s team also partnered with contracting and the project management office to make security a requirement of every new contract or project.
“Before the C-suite can even get their pens out, every project stops by my desk for a standardized security review,” said Johnson.
To start, Johnson set a goal of 50 percent participation by the end of the year, in parallel to analyzing its security tools. In one year, Marin had 100 percent participation by partnering with HR.
Further, Marin has less than .5 percent click rate on malicious emails -- down from 63 percent just one year ago and has remained constant for 12 months. And his staff reports at least six reports of phishing each day.
Johnson’s team has also seen a 50 percent reduction in system vulnerabilities and 100 percent participation in staff security awareness efforts, along with engagement from physicians.
“Rather than trying to operate in the IT silo, and convince people they should do this, we did outreach with departments,” said Johnson. “It wasn’t just the normal shtick. And once people were convinced it was a good idea and everyone was on board, security became a requirement.”