Healthcare cybersecurity employee training best practices for CIOs and CISOs
Ransomware, in its many forms, is associated with the vast majority of healthcare cyber incidents, and it is often the direct result of inadequate security training. Poorly trained employees use and re-use weak or already compromised passwords, click links they should not, leave databases exposed, skip security patches, or store protected health information on USB drives and then lose them.
Of those mistakes, weak passwords, phishing and missing security patches are the root causes behind most of the ransomware attacks health IT leaders read about. Healthcare organizations can fix a big part of the problem by implementing employee security awareness training that is both engaging and consistent.
Easy to digest, and concise
“Any employee training provided should be easily digestible and to the point,” advised Kevin Lancaster, general manager of security solutions at Kaseya, a vendor of IT management software. “I have seen many training videos that were desperate to be hip and engaging, but wound up coming across as a bad joke.”
Even when they succeeded at being engaging, they were often far too long, he added. It does not matter how great the data in a video is: if it runs more than 5 minutes, no one is paying attention to it, and they are dreading having to watch it, he contended. If employees dread or are annoyed by training, they are not going to retain the information, he said.
“Aim to have your training videos be between 3 and 5 minutes long,” Lancaster suggested. “They should establish the subject and educate on it without trying to be flashy. They should be followed by a quick quiz that is easy to answer provided the respondent was paying attention to the training. You are not trying to stump people here, but at the same time asking ‘Is phishing bad? Yes or No?’ does not demonstrate ingestion of information.”
At the end of the day, the intent of any training, but especially security awareness training, should be that the recipient demonstrates they have adequately received and internalized the information, he said. If training does not do that, one is effectively crippling the rest of an organization’s security right out of the gate, he added.
Active training methods
In addition to passive training methods like videos, healthcare CIOs and CISOs should also employ active training methods, Lancaster advised. Passive training has its place and is a solid foundation to building a culture of security, but one must also build on that foundation, he said.
“One of the most effective types of active training is phishing simulation,” he suggested. “As the name implies, you mail out simulated phishing attempts to people in your organization and track their response. This helps you to get a better sense of security awareness of individuals in your organization.”
While one employee might be on top of their game, another might be submitting data to every phishing email that he gets. So it is best to direct limited training resources where they are most needed, he said. Lancaster said he has seen cases where just knowing that phishing simulation goes on in the organization and that management sees the results improves people’s caution with clicking on sketchy emails.
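Turning a phishing-simulation export into the "who needs training most" decision described above takes a little care: an employee who clicked and then reported still clicked, while one who reported without clicking is the best outcome, and credential submission should weigh more than a bare click. The following is an added example written for this page, not code from Lancaster or Kaseya. It assumes a hypothetical tool export of (employee, department, campaign, event) rows, with constructed sample data embedded inline, and ranks employees for targeted training using two adjustable thresholds.

```python
from collections import defaultdict

# Severity of the non-report events, worst last. "reported" is handled separately
# because its meaning depends on whether the same person also clicked.
SEVERITY = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}

# Constructed sample export (hypothetical format, not real data):
# (employee, department, campaign, event)
SAMPLE_EVENTS = [
    ("alice", "billing", "q1", "delivered"), ("alice", "billing", "q1", "reported"),
    ("alice", "billing", "q2", "delivered"),
    ("bob", "billing", "q1", "delivered"), ("bob", "billing", "q1", "opened"),
    ("bob", "billing", "q1", "clicked"), ("bob", "billing", "q1", "submitted"),
    ("bob", "billing", "q2", "delivered"), ("bob", "billing", "q2", "clicked"),
    ("carol", "radiology", "q1", "delivered"), ("carol", "radiology", "q1", "opened"),
    ("carol", "radiology", "q2", "delivered"), ("carol", "radiology", "q2", "clicked"),
    ("carol", "radiology", "q2", "reported"),  # clicked first, then reported: still a click
    ("dave", "radiology", "q1", "delivered"),
    ("dave", "radiology", "q2", "delivered"), ("dave", "radiology", "q2", "reported"),
]


def worst_outcome_per_campaign(events):
    """Collapse raw events into one outcome per (employee, campaign).

    A report only counts as the outcome when the employee did not also click
    or submit; otherwise the worse event wins.
    """
    worst = {}          # (employee, campaign) -> worst non-report event
    reported = set()    # (employee, campaign) pairs that filed a report
    dept_of = {}
    for emp, dept, campaign, event in events:
        dept_of[emp] = dept
        key = (emp, campaign)
        if event == "reported":
            reported.add(key)
            continue
        if key not in worst or SEVERITY[event] > SEVERITY[worst[key]]:
            worst[key] = event
    outcomes = {}
    for key in set(worst) | reported:
        event = worst.get(key, "delivered")
        if key in reported and SEVERITY[event] < SEVERITY["clicked"]:
            outcomes[key] = "reported"
        else:
            outcomes[key] = event
    return outcomes, dept_of


def prioritize(events, submit_limit=1, click_limit=2):
    """Flag employees for targeted training and compute per-department rates.

    submit_limit: number of credential submissions that triggers a flag.
    click_limit: number of campaigns with a click that triggers a flag.
    """
    outcomes, dept_of = worst_outcome_per_campaign(events)
    per_emp = defaultdict(lambda: {"campaigns": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for (emp, _campaign), outcome in outcomes.items():
        stats = per_emp[emp]
        stats["campaigns"] += 1
        if outcome == "submitted":
            stats["submitted"] += 1
            stats["clicked"] += 1   # submitting credentials implies clicking the link
        elif outcome == "clicked":
            stats["clicked"] += 1
        elif outcome == "reported":
            stats["reported"] += 1

    flagged = sorted(
        emp for emp, s in per_emp.items()
        if s["submitted"] >= submit_limit or s["clicked"] >= click_limit
    )

    # Department roll-up: [campaign slots, clicks, reports]
    dept_totals = defaultdict(lambda: [0, 0, 0])
    for emp, s in per_emp.items():
        t = dept_totals[dept_of[emp]]
        t[0] += s["campaigns"]
        t[1] += s["clicked"]
        t[2] += s["reported"]
    departments = {
        d: {"click_rate": round(c / n, 2), "report_rate": round(r / n, 2)}
        for d, (n, c, r) in dept_totals.items()
    }
    return {"flagged": flagged, "per_employee": dict(per_emp), "departments": departments}


if __name__ == "__main__":
    result = prioritize(SAMPLE_EVENTS)
    print("Send to targeted training:", result["flagged"])
    for dept, rates in sorted(result["departments"].items()):
        print(f"{dept}: click rate {rates['click_rate']}, report rate {rates['report_rate']}")
```

On the constructed data only bob is flagged (one credential submission and clicks in two campaigns); carol clicked once and then reported, which counts as a click but stays under the threshold. The department report rate is worth tracking alongside the click rate, since a rising report rate is the signal that awareness training is working even when some people still click.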
“I have seen some organizations where IT will intentionally leave out random USB drives to see who picks it up and what they do with it,” he added. “This allows the IT team to track whether or not people immediately brought the USB to them or if they instead plugged it into their machine. Where IT had access to credential compromise monitoring, I have seen them go and attempt to use those credentials on their organization’s network.”
Training for IT staff
On the side of training specific to IT staff members, simulating disaster recovery or incident response can be a very powerful tool, Lancaster said. The important takeaway with any simulation training is that it needs to be as realistic as possible, he noted.
“You train how you fight, and if you train less realistically you are going to be at a serious disadvantage when the real threat comes along,” he said. “On the other hand, if the training is identical to the real thing, you will be faster on the draw, and it will just be something you have done dozens or hundreds of times.”
On another front, employing positive reinforcement of training is a critical element of creating an organizational culture of security, Lancaster advised.
“Negative reinforcement has its place, but like any other organizational effort, if you only provide negative reinforcement for non-compliant employees, they will only be compliant enough to not be fired,” he pointed out. “If your organization gives out regular awards, add an award for cybersecurity. If you use active training simulations like you should, give whoever does best over the quarter a gift card.”
The message: Management values employees’ efforts
Tie cybersecurity into performance reviews, he added. Do whatever it takes, he said, as long as it sends the message to employees that management values them and their contribution to the security of the organization.
“When this gets brought up, many organizations wrongly believe that they are being told they need to devote significant resources to their positive reinforcement programs but nothing could be further from the truth,” he said. “A small reward once a quarter can go a long way. Most likely your organization already has a positive reinforcement system in place, it just needs to tie in cybersecurity.”
Employees like feeling appreciated in their workplace, he concluded, and fostering a culture where cybersecurity is appreciated and prioritized not only benefits the employee but the workplace as a whole.