It’s not exactly a secret that the healthcare industry struggles with cybersecurity.
You know it. I know it. Hackers all over the world know it.
By design, the average healthcare organization is (to put it charitably) a soft target.
But if you’re involved with healthcare cybersecurity, you know that improving your security profile is a seriously uphill battle.
Healthcare organizations are highly complex environments, and even worse, they have some of the lowest security budgets of any major industry. Creating positive change under these circumstances can seem functionally impossible.
But here’s the thing. It doesn’t have to be as complicated as you might think. To start with, you just have to accept one simple truth.
You Can’t Do It All
Have you ever been to a cybersecurity conference? If you have, it probably didn’t do much to soothe your fears of digital attack.
In fact, if I had to guess, I’d say you left feeling more worried than ever.
Yes, there are literally thousands of ways for a hacker to compromise your network. Yes, the latest headline-making malware attack is scary and could damage your organization. And yes, attending a security conference is a great way to find out about all the different attack vectors that should be keeping you up at night.
And knowing all this, you may beg for budget and implement the latest threat intelligence platforms, next-generation firewalls, and state-of-the-art endpoint security products. These are all good, but they fail to address one very real problem: no network is perfectly secure.
No matter what you do, it will always be possible for a skilled, motivated hacker to breach your defenses.
So where does that leave us? Simple. Rather than trying to construct a digital Fort Knox around your organization, you need to prioritize.
Patients’ healthcare records are extremely valuable, for a whole variety of reasons. Not only that, healthcare organizations are a prime target for ransomware, because they simply cannot afford a major interruption to normal service.
In short, the healthcare industry is highly attacked for one reason, and one reason only: Profit.
Understanding this simple truth is essential. In the vast majority of cases, the only people who will choose to attack a hospital are those with a financial incentive, and a serious lack of morals. This includes individual cyber criminals, as well as organized cyber criminal groups.
But what about all those hacktivists, state-sponsored hackers, and spies you’ve been reading about? They just aren’t that interested in attacking a hospital. They have their eyes set elsewhere.
So now that you know why you’re being targeted, and who is doing the targeting, you’re in a far better position to make proactive decisions. Since you only need to worry about financially motivated criminals, you can start to analyze past attacks for clues as to how and when you’re likely to be attacked.
Here’s a hint. Almost all attacks on healthcare organizations utilize a single tactic to gain an initial foothold in a target network: Phishing.
In fact, according to Verizon, almost all data breaches start with a phishing campaign.
How to Defend against Phishing Attacks
Since phishing is an email-based form of attack, you might think defending against it is simply a case of installing the right spam filter.
Sadly, it isn’t that simple.
While advanced spam filters, black and whitelists, and content filtering techniques can be extremely valuable, there is simply no way to prevent at least some proportion of incoming malicious email from finding its way into users’ inboxes.
So where does that leave us?
Well, if there’s no way to block all phishing emails, and as a result, your users will be confronted by them, that only leaves one option: prepare them.
But naturally, this leaves us with a second problem: most security awareness training programs are subpar. And that’s being generous.
Not only does the majority of security awareness training fail to improve users’ understanding of security issues, it actually makes them less inclined to take an interest in cybersecurity.
Typical (usually self-managed) programs are infrequent, dated, and unreflective of real-world threats.
And you know what? None of this is surprising.
Just like most organizations in highly regulated industries, healthcare organizations are obsessed with compliance. But unfortunately, while complying with HIPAA regulations is essential, it does nothing to ensure a high standard of security awareness training.
So long as training is provided to new hires, and whenever there’s a major change in policy, you’re good to go.
But does that sound conducive to high-quality training? Afraid not.
Get Buy-In from Above
The healthcare industry is attacked more than any other industry. So if healthcare security is part of your job description, it’s reasonable to assume you’ll have experienced the massive rise in attacks over the past few years first-hand.
Now it might seem odd, but in one sense there is a silver lining to all this. Ultimately, healthcare executives are being forced to take security seriously. As a result, if you make a strong business case, you should be able to secure the additional funding you’ve been waiting for.
But with a new threat hitting the headlines each week, obtaining funding for a specific program (in this case: security awareness training) could still be challenging. As with any new initiative, a powerful business case is the key.
Here’s a starting point for you.
According to the Ponemon Institute, 89 percent of healthcare organizations have suffered at least one breach in the last two years. And of those breaches, you know what they found? Over 77 percent were caused by a single factor: Human error.
You know the deal. Leaving laptops on trains, failing to shred sensitive documents, and sending emails to the wrong recipient all made an appearance. And naturally, phishing also consistently reared its ugly head.
And what does this mean for healthcare organizations? Simple. If it isn’t already, security awareness training should be a top priority in the fight against cybercrime.
The No. 1 Ingredient in Powerful Security Awareness Training
Once you’ve secured the funding you need, the real work starts. And naturally, when it comes to security awareness training, content is king.
Now, as we’ve already explained, human error is comfortably the most common cause of healthcare data breaches. But to really understand what’s going on, further analysis is required.
As it turns out, the vast majority of healthcare data breaches fall into three categories:
- Physical loss/theft of devices
- Admin errors (e.g. sending emails to the wrong recipient)
- Malicious email
I can’t emphasize enough how important it is to start with this information in mind. If your program covered nothing but these three scenarios, it would still have a huge impact on the number of security events your organization suffers.
But naturally, putting together strong content for your security awareness training program is far easier said than done. Cybersecurity is a constantly evolving world, so not only will producing content be time-consuming, your program will also need to be amended and updated on a regular basis.
Now, ideally your program should include real life examples and stress the importance of maintaining a level of security consciousness at all times. It should force your users to think about how they could be more security conscious in the course of a normal work day.
But above all else, your training materials must be interesting. If you fail on this count, it won’t matter how thoroughly you cover each subject, because nobody will remember any of it.
As a starting point, utilizing multimedia formats, such as text, audio, and video will help to keep users engaged. Similarly, it’s time to drop the “one and done” annual approach to training – ensuring your training message is continually reinforced on an ongoing basis will also have a tremendous positive impact on users’ ability to retain their learning.
Ultimately, no matter how you choose to deliver your training, the bottom line is this: If your program is boring, infrequent, or generic, it will achieve next to nothing.
Awareness Isn’t the Goal
Although we talk about security awareness training, awareness isn’t really the goal. After all, what good does awareness do if there isn’t a corresponding change in behaviors?
If you’re attempting to reduce the impact of human error on your healthcare organization, what you really need to know is whether your training program is making a difference to users’ security behaviors.
Are they clicking on malicious links? Are they shredding sensitive paperwork, or just throwing it in the trash? Are they allowing unauthorized personnel access to restricted areas?
Naturally, there’s only one way to answer these questions: Test your users regularly, and track the level of improvement over time.
Genuinely powerful security awareness training programs will make a significant and sustained positive difference to security behaviors. Not only that, they will include embedded metrics that can be used to evidence these improvements to board members, budget holders, and compliance authorities.
Now Is the Time
It would be great if a powerful security awareness training program could fix all your problems overnight.
Sadly, though, that’s just not going to happen. These types of initiatives require time, energy, and resources to achieve the desired result.
If you’re serious about improving the security of your healthcare organization, you need to make a start on your business case immediately.