On September 7, 2017, the largest breach in history was announced by Equifax, the company you trusted with your financial credit information: a whopping 143 million personal records. This breach eclipsed the Anthem breach by more than 60 million records. However, every day of every year we now see hacking or social engineering attempts on every system connected to the Internet. The reality is that America’s data is under siege by a very determined and motivated group of cybercriminals. In the last 18 months healthcare has seen an unprecedented increase in the number of cyberattacks, which have resulted in operational outages, disruption to care, public embarrassment, and costly response and recovery activities.
Cybersecurity is serious business, and it’s everyone’s business; more importantly, it’s everyone’s concern, because businesses are not the only ones under attack. Cyber extortion, cyber theft, and cyber fraud affect every demographic of our society, from the young, to those working, to our elderly. It knows no bounds and respects no ethical boundaries or limits. A person or an organization does not have to be the intended target of an attack to be affected. Often the release of a malware attack over the Internet is similar to a hurricane emerging from the ocean: once released, it follows its own path and leaves many victims in its wake. Only those who have the forethought and discipline to plan and prepare are able to mitigate the outcomes.
It’s time to change the culture, and for education of the workforce, from the boardroom to the boiler room, to get real. Every user and every system is a potential target for exploitation. Users often perceive that only the system (the network) is the target of malicious activity, but it is not. Environmental systems, medical devices, security systems, networked devices of all varieties, and personal devices can all present a threat to the enterprise. Education needs to heighten awareness, and it needs to connect to users’ everyday lives and habits.
Executives in healthcare must understand that simply checking the compliance box does not cut it – compliance does not equal security. They must also understand that cybersecurity is not just an IT issue; it’s a critical business issue. They must set the example: they should not only be present during cybersecurity training, but participate in it.
Nothing affects culture more than a message and attention from the top: the CEO introducing the new employee and annual security refresher presentations; the EVP of Supply Chain speaking on third-party vendor security; the CMO talking about medical device security and safety; or the CNO talking about respecting and observing privacy rules on the floor. Serious, effective education starts at the top.
Raising awareness is different from security education in that it is a continuous process that requires multiple touchpoints throughout the year to be really effective. This can be accomplished in a number of ways, but some of the most innovative programs around the country have begun to employ new methods such as role-playing and gaming platforms, cybersecurity awareness events, realistic exercises, and external speakers.
In role-play or gaming situations, users have an opportunity to interact directly in a scenario in a low-stress environment, where mistakes can be forgiven and decisions remade to facilitate learning. Cybersecurity awareness events can combine fun, learning, sharing, and discovery in a single experience to raise awareness. People in the hospital who don’t deal with medical devices routinely, or at all, can learn about their importance, their security issues, and what they should be alert to. Exercises, like cyber incident or disaster recovery exercises, not only support the training of the special teams charged with responding, but also offer the opportunity to engage many others within the facility and to raise awareness. Special emphasis on cybersecurity events – like Cybersecurity Day or Month – or cybersecurity discussions at the daily rounding meeting, which bring relevant cyber information to operators just before their shift begins, can further raise awareness.
In all of these activities, organizations can employ guest speakers as industry and subject matter experts: speakers from other healthcare organizations who have experienced an event, industry experts who provide cybersecurity services to healthcare and can share multiple real-world stories and lessons learned, and government experts from both federal and local agencies. Both the FBI and the DHS will provide expert speakers, facilitate workshops, and provide resources and information. These organizations, along with the National Health Information Sharing & Analysis Center (NH-ISAC), CHIME, the Association of Executives in Healthcare Information Security (AEHIS), and the Healthcare Information Management System Society’s (HIMSS) Privacy & Security Committee, will provide resources and information to help keep your cybersecurity program fresh and relevant to the workforce. The trick is getting support from the top and harnessing these resources.