Make the training stick: How to engage users in cybersecurity practices

Riverside HealthCare achieved a 99 percent compliance rate with phishing campaigns after it educated (and perhaps scared) its staff into being cautious.
By Bill Siwicki
02:20 PM

Cyberattackers count on untrained computer users to react to electronic bait a certain way, and when they succeed it is because employees are not as engaged with cybersecurity practices as they should be. And that can include those who have already been through training.

Even though employees attend cybersecurity training programs, for instance, many come back afterward and do not apply what they just learned, according to Erik Devine, chief information security officer at Riverside HealthCare in Illinois.

Five years ago, Riverside had an 85 percent compliance rate when conducting phishing campaigns among its 3,000 employees, Devine said, and most did not know who to contact if they received a suspicious email.

“Our current rate is 97 to 99 percent compliance, depending on the type of test given,” he said. “It’s my job to engage the organization because without employees trained and engaged in information security, the landscape is just too large to protect.”

What can other hospitals learn from Riverside’s success? Devine shared what has worked during the training as well as what to look for once the employees go back to their jobs.

Scaring users really works

Let’s face it: education and training can be boring.

“Who wants to learn about compliance and regulations?” Devine asked. “Many employees still think of information security as a regulation or compliance rule. Which it is, but it’s so much more. So we try to bring ‘the cool factor’ to training.”

If healthcare organizations make security training fun, the argument goes, sometimes things will stick a little easier. Devine said that examples, such as illustrating how hackers can crack into a car wash and manipulate the robotic arms to damage automobiles or lock customers inside, tend to pique trainee interest.

“Maybe it’s a bit of a scare tactic,” he said. “But we are in a cyber-war out there, it’s in the news all the time.”

Deliver an experience

Another element Devine tries to bring to the information security training classroom is experience. Riverside does that by running DNS poisoning or phishing campaigns to show employees what an exploit such as tabnabbing actually is, how it works and what to watch out for.

Tabnabbing, for anyone unfamiliar with the term, is a phishing attack wherein criminals impersonate a website to try to lure a visitor into entering their username, password and other login credentials.

“We don’t do these techniques to shame employees, but it’s interesting to hear employees compare themselves to others when they fail or pass an information security exercise,” he added. “Experience truly has helped our health system in understanding cybersecurity.”

Make it personal

Devine said he tries to bring a personal interest into the training. That can mean demonstrating that the harm is not limited to the hospital: people need to know that the government can also punish individual employees for certain security infractions.

“Most care about their personal stuff first, so if I can link the personal and professional together, I tend to get better outcomes,” he said.

Making it personal also involves explaining what data people have that hackers might want or what makes people legitimate targets, because many employees think an attack wouldn’t happen to them.

Post-training problems to look for

After a class or presentation, users often go back to saving patients’ lives, dealing with difficult illnesses, or working on critical administrative tasks, and forget to change that password or take other steps to be more secure.

“When I state in a presentation you should be changing passwords to critical personal accounts because they sometimes link to professional accounts or critical data, only 20 percent of users change their passwords after the presentation,” Devine said.

While that applied to employees making that specific change, Devine said that only about 30 percent of users are unengaged with cybersecurity training more broadly.

Users unengaged with cybersecurity training will fall for the same tricks that have been used for 20 years. Engaged users, however, can help healthcare CIOs and CISOs protect an organization and its assets.
