10 ways to improve employee cyber awareness and compliance
A healthcare organization’s employees are the first line of defense against a cyberattack, but they also can be the weakest link in protection. Lazarus Alliance Proactive Cyber Security Services, an advisory firm, offers these 10 suggestions for improving security among employees.
Provider security training should be mandatory and continuous
The cyber threat environment constantly changes, so security training cannot be viewed as a “one and done” exercise. It is a continuous process that should begin during the onboarding process and continue through an employee’s entire term of employment.
Employee cyber training involves more than compliance
Many healthcare organizations make the mistake of focusing employee cyber training exclusively on HIPAA compliance. While compliance is important, it does not automatically equate to cyber security.
Keep cybersecurity rules and procedures simple
Employee cyber security manuals often are written by the IT department or security personnel, who may fill them with so much “tech-speak” that they are difficult for employees to understand. Rules and procedures should be written in plain language that non-IT employees can easily understand.
Everyone needs to be trained
Cybersecurity is everyone’s responsibility. This includes all levels of employees up to the C-suite, as well as part-time employees, seasonal workers, temps and interns. Everyone in the organization with access to a computer must be trained on best practices.
Implement clear cyber threat reporting procedures
If an employee receives a suspicious email or finds a flash drive on the floor, they need to be certain about who they should report the incident to and the procedures for doing so.
Tie workplace cyber security to personal cyber security
Illustrating why cybersecurity hygiene is important both in and outside the office is a smart way to reinforce training lessons and improve user buy-in. Organizations should use real-world examples to which everyone can relate, such as phishing scams that seek to steal account credentials.
Employ behavior analytics and continuous monitoring
Pairing user behavior analytics with continuous monitoring of network activity protects a provider organization in two ways. First, it enables identification of employees who are snooping around in areas of the system to which they don’t need access. Second, the pairing of analytics and monitoring enables the organization to identify stolen credentials by flagging log-ins at odd hours or from unusual locations. Security execs at healthcare organizations should set up the system to temporarily suspend access until there is a determination of what’s going on.
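As an added example (not from the article or from Lazarus Alliance), the two checks described above run over a constructed set of login records: logins outside an assumed business-hours window and logins from a country never seen before for that user, each producing a "suspend pending review" recommendation. The record layout, the 06:00-20:59 window and the two-login history threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful logins: (user, local timestamp, country code).
# The field layout is assumed; a real deployment would parse its own auth logs.
SAMPLE_LOGINS = [
    ("nurse01", "2024-03-04T08:15:00", "US"),
    ("nurse01", "2024-03-05T09:02:00", "US"),
    ("nurse01", "2024-03-06T07:55:00", "US"),
    ("nurse01", "2024-03-07T03:10:00", "US"),  # odd hour
    ("nurse01", "2024-03-08T10:20:00", "RO"),  # country never seen for this user
    ("billing02", "2024-03-04T13:00:00", "US"),
    ("billing02", "2024-03-05T14:30:00", "US"),
]

BUSINESS_HOURS = range(6, 21)  # 06:00-20:59; assumed policy window
MIN_HISTORY = 2                # prior logins needed before a location counts as unusual


def evaluate_login(ts, country, history):
    """Return the reasons a login is suspicious, given the user's prior history.

    history: countries from this user's earlier logins that were not flagged.
    """
    reasons = []
    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        reasons.append("odd_hour")
    if len(history) >= MIN_HISTORY and country not in history:
        reasons.append("unusual_location")
    return reasons


def triage(logins):
    """Walk logins in order, flag anomalies and recommend temporary suspension.

    Flagged logins are not added to the baseline, so a stolen credential
    cannot teach the system that its new location is normal.
    """
    history = defaultdict(list)
    alerts = []
    for user, ts, country in logins:
        reasons = evaluate_login(ts, country, history[user])
        if reasons:
            alerts.append({"user": user, "time": ts, "country": country,
                           "reasons": reasons,
                           "action": "suspend_pending_review"})
        else:
            history[user].append(country)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGINS):
        print(alert)
```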
Regularly review employee system access
The best way to ensure employees do not misuse credentials is to prevent them from doing so in the first place. Give employees only the minimum amount of system access to perform their jobs—and no more. Then, regularly review access levels for appropriateness.
Don’t berate employees for making mistakes
Even the best employees will make a mistake. If they fear being fired for inadvertently clicking on a phishing link, they may fail to report the incident or try to cover it up, which would make the situation worse. Encourage reporting of missteps as soon as possible and assure the employee that they will not be disciplined for doing so.
Reward employees for good cyber behavior
In addition to not beating employees with sticks, offer some carrots. Recognize employees who flag phishing attempts and other attempted cyberattacks.