But some of the biggest organizational challenges don’t originate from technology. They reside within management, through the higher-ups’ tone and attitude and the example they set by not consistently promoting a "security-aware" culture, and by not ensuring that clear, enforceable policies and effective awareness and training are established.
However, those healthcare leaders who have properly instituted an information security awareness and training program — and integrated it enterprise-wide — have positively influenced their organizational culture in the right direction.
Awareness and training is one of the most effective elements of any information security program because most of the risks that organizations face are caused by user error, misconfiguration of systems or mismanagement. In fact, according to IBM’s 2014 Cyber Security Intelligence Index, 95% of all attacks in 2013 involved some type of human error, the most prevalent being an employee double-clicking on an infected attachment or URL.
The goal of an information security awareness and training program is to stop these errors from taking place by educating users on their responsibilities for ensuring the confidentiality, integrity and availability of information as it applies to their roles within the organization.
Think your healthcare organization is security aware? Ask these three questions:
- Would the user know if an action was right or wrong?
- Would the user choose to report a violation?
- Would the user know how to report a violation?
If users answer yes to all three questions, then you are well on your way to a security-aware organization.
On the other hand, if they answer with a lot of no’s, then it’s time to develop a security-aware culture.
The place to start is with an effective information security program, one that begins with establishing clear and enforceable policies.
Policies are essentially the laws of the organization; their purpose is to influence behavior. As such, policies should be:
- Clear, concise, role-based and enforceable
- Developed at a high level with input and consensus from senior management
- Designed to reflect business requirements
Procedures, standards and plans are linked to policies in that they describe in more detail the step-by-step direction for achieving compliance with the policy. For security concerns such as acceptable use or remote access, organizations should have one- or two-page policies that are easy to read and understand. Users should then be educated on the information in these documents so that they understand how their responsibilities are a vital part of an overall security strategy. This will make them more aware and more likely to take action when necessary. (But keep in mind that employees tend to pay less attention to issues that don't directly affect them.) You might want to reference the National Institute of Standards and Technology's 800 series as a best-practices guide when establishing policies as well as when designing, managing and evaluating an information security awareness and training program.
Now, with that program in place, be sure that information security and awareness training is completed by the entire workforce, including employees, physicians, contractors, consultants, part-time personnel and volunteers. Initial and annual awareness and security training must be mandatory and should be followed up with ongoing training that includes new and emerging threats. When it comes to security, one thing is absolute: Change is a constant.
Awareness and security training should focus on the following:
- The acceptable use of information assets such as e-mail and Internet access
- The need to protect passwords
- The right way to handle sensitive information in paper and electronic form
- The need to validate the source of a request for information about the organization, its patients, business partners or other stakeholders
- The legal and regulatory responsibilities and consequences of not complying with information security policies
- The complete list of "safe computing" practices
- The things users need to know to recognize a threat or security incident
- The people users need to call in the event of a suspected or actual security incident
The next imperative is to ingrain a security culture within an organization. Again, it begins with management.
The executive who never wears a security badge and shares their passwords with their assistants can't expect others to do differently.
Brian Evans, CISSP, CISM, CISA, CGEIT, Senior Managing Consultant with IBM Security Services, assists healthcare organizations in building regulatory-compliant information security programs. With over 20 years of combined experience in healthcare IT management, consulting and information security, Brian previously served in the role of Information Security Officer at the University of Alabama Birmingham Health System, New York Hospital Queens, Fletcher Allen Healthcare, Atlantic Health and the Ohio State University Health System. He also led the Incident Response and Computer Forensic Investigations teams for Nationwide Insurance and was Vice President, IT Risk Management at KeyBank and JPMorgan Chase. Brian held IT management positions at the Ohio Department of Health and started his career as a medic in the U.S. Air Force. He has earned a Master’s in Public Administration from the University of Cincinnati and a B.S. in Business Management from the University of Maryland. He can be reached at firstname.lastname@example.org.