Why healthcare CISOs need to revamp cybersecurity training
Some may say healthcare chief information security officers have the cards stacked against them. No other industry has the combined data trove, ongoing IT transformation and complicated delivery system to navigate that healthcare organizations do.
The race to innovate and digitize patient care has introduced mobile, cloud and Internet of Things (IoT) technology, exponentially expanding the attack surface, while sprawling (and often outdated) legacy systems further complicate enterprise security efforts.
Cyber criminals are taking advantage of these challenges, primarily through ransomware-based attacks. The 2017 Verizon Data Breach Report claimed that 72 percent of healthcare attacks during 2016 were ransomware, and ranked healthcare as the second-most targeted industry, behind only financial services.
There are many new tools available to aid security teams in their efforts to protect organizations, but healthcare technology environments are complex enough. Throwing another “box” into the mix isn’t always the best answer.
Analyst firms such as Gartner advocate moving toward “people-centric security,” which lessens organizations’ reliance on a massive stack of tools and a compliance checkbox mentality in favor of a more powerful human element in fending off attacks and reducing security errors. Relying on people as the first and best line of defense requires well-trained professionals, but research shows that cybersecurity training is an area in which organizations across all industries often fall short.
A recent study by ESG and the Information Systems Security Association shows only 38 percent of security professionals believe that their organization is providing an appropriate level of training for them to keep up with business and IT risks. It also claims that most—perhaps as many as 96 percent of respondents—believe this puts them at a significant disadvantage against cyber adversaries.
To be successful, cybersecurity training must become more than a compliance function within information security. It is time to transform and modernize the approach in order to best prepare teams for the ongoing cyberwar. This often doesn’t mean an additional investment, but instead a shift to a team-based approach.
It is important for healthcare security teams to train together to defend against the top threats like ransomware. Teams that consistently practice their skills—particularly threat identification and incident response tactics—as an integrated team are more confident, quick and effective in their response to cyberattacks.
Just as a basketball coach crafts plays and practice drills to build skills and efficiency among members of his team, cybersecurity team leaders must follow the same methodology. One cannot merely fill cybersecurity roles with individuals watching data and intelligence feeds without business context and expect success any more than a coach can send five individuals onto the court and just say “win.”
The team approach to cybersecurity requires well-understood team roles, tactics, techniques and procedures, as well as consistent training in order to execute. Training as a team also gives cyber team leaders a more thorough understanding of cyber readiness, including any skills gaps, which helps to guide future training efforts. This holistic view of readiness can help to identify areas of vulnerability as well as help guide strategic workforce development and technology purchases.
Healthcare security leaders should also change the way they engage their teams. Traditional training methods, such as online courses or conference-style seminars, offer point-in-time information and are focused on individual learning. Recent studies suggest that individuals retain only about 10 percent of information just one week after leaving a traditional training course.
The next generation of cybersecurity training is immersive, persistent and team-based—all factors that lead to higher retention and a better prepared workforce. Healthcare cyber teams should train in team-based “war gaming” in virtual environments that replicate the unique systems and complexities of healthcare organizations—this will enable them to better understand the adversary and risk in the context of their own businesses. Training with persistence—honing skills in similar scenarios repeatedly—is key to maximizing knowledge retention.
As we look ahead, security leaders have the opportunity to realign their focus to include more effective cybersecurity training. When healthcare security organizations leverage the team-based approach and next-generation learning strategies, the result will be a better prepared, more resilient cyber workforce.