Building A Security-Aware Culture
Healthcare leaders who have properly instituted an information security awareness and training program and integrated it enterprise-wide have positively influenced their organizational culture in the right direction, writes blogger Brian Evans.
Healthcare organizations must protect their users against threats such as viruses, phishing attacks and hacking by implementing appropriate security controls in addition to intrusion detection systems, access management and a variety of other technology solutions.
But some of the biggest organizational challenges don't originate from technology. They reside within management, through the higher-ups' tone and attitude and the example they set by not consistently promoting a "security-aware" culture nor ensuring that clear, enforceable policies and effective awareness and training are established.
However, those healthcare leaders who have properly instituted an information security awareness and training program and integrated it enterprise-wide have positively influenced their organizational culture in the right direction.
Awareness and training is one of the most effective elements of any information security program because most of the risks that organizations face are caused by user error, misconfiguration of systems or mismanagement. In fact, according to IBM's 2014 Cyber Security Intelligence Index, 95% of all attacks in 2013 involved some type of human error, the most prevalent being an employee double-clicking on an infected attachment or URL.
The goal of an information security awareness and training program is to stop these errors from taking place by educating users on their responsibilities for ensuring the confidentiality, integrity and availability of information as it applies to their roles within the organization.
Think your healthcare organization is security aware? Ask these three questions:
- Would the user know if an action was right or wrong?
- Would the user choose to report a violation?
- Would the user know how to report a violation?
If the answers are mostly "no," then it's time to develop a security-aware culture.
The place to start is with an effective information security program, one that begins with establishing clear and enforceable policies.
Policies are essentially the laws of the organization; their purpose is to influence behavior. As such, policies should be:
- Clear, concise, role-based and enforceable
- Developed at a high level with input and consensus from senior management
- Designed to reflect business requirements
Now, with that program in place, be sure that information security and awareness training is completed by the entire workforce, including employees, physicians, contractors, consultants, part-time personnel and volunteers. Initial and annual awareness and security training must be mandatory and should be followed up with ongoing training that includes new and emerging threats. When it comes to security, one thing is absolute: Change is a constant.
Awareness and security training should focus on the following:
- The acceptable use of information assets such as e-mail and Internet access
- The need to protect passwords
- The right way to handle sensitive information in paper and electronic form
- The need to validate the source of a request for information about the organization, its patients, business partners or other stakeholders
- The legal and regulatory responsibilities and consequences of not complying with information security policies
- The complete list of "safe computing" practices
- The things users need to know to recognize a threat or security incident
- The people users need to call in the event of a suspected or actual security incident
The next imperative is to engrain a security culture within an organization. Again, it begins with management.
The executive who never wears a security badge and shares their passwords with their assistants can't expect others to do differently.