Why the most valuable security assets are human, not technical
You already know that the biggest threat to healthcare IT security is the human element. But if human beings are the greatest vulnerability, that also makes them the strongest asset. Here’s why.
According to the 2016 HIMSS Cybersecurity Survey, the two primary healthcare IT security concerns among provider organizations (hospitals and physician practices) are phishing attacks (most pressing concern for 77 percent of respondents) and viruses/malware (67 percent). Both events require a responsive actor on the organization side of the transaction for hackers to access patient data.
It may seem like this is a rather straightforward problem to resolve—just make sure clinicians and staff have the requisite knowledge and are savvy enough to not get duped, and all is good. In reality, especially among larger organizations with hundreds of potential points of entry, turning human beings into alert sentries is a constant human behavioral challenge.
So what strategies can even a large healthcare organization employ to ensure that the people who use IT systems are firmly engaged in system defense?
Train, train and then train some more. A study by Wombat Security Technologies and the Aberdeen Group suggests that upgrading employee awareness can reduce security risk by anywhere from 45 to 70 percent. Among the highlights of the report are these bits of crucial and related information:
- There is no such thing as a 100 percent secure IT system if it is used by people. It makes little sense to invest heavily in technology if you fail to effectively train system users.
- An organization with $200 million in annual revenue can expect to lose $2.5 million per year from infections borne of employee behavior, with an 80 percent chance the loss could jump to $8 million annually. (Note that this is across organizations and not specific to healthcare.)
- Don’t assume that any bit of information about system security—maintaining strong passwords, keeping mobile devices secure, navigating the internet safely and so on—is common knowledge to employees and staff. Someone may not know something that will cause your organization harm.
Your goal in training is to inculcate a culture of security that becomes second nature to every user beyond just IT staff. Indeed, you are working to expand the awareness of the IT team outward to all staff and employees.
According to the results of another recent survey conducted across industries by Experian Data Breach Resolution and the Ponemon Institute, there is room for much improvement when it comes to preparing employees.
Only 46 percent of companies require employee training on data security; only 60 percent require re-training after a data breach.
Half of survey participants think their current training programs actually reduce noncompliant behavior, and 43 percent said their organization provides only one broad training course that doesn’t include some of the finer points of system security.
Beware the disgruntled employee. Internal staff members, motivated to do harm, are a particularly troubling challenge. Could there be a Snowden or Manning in your organization? It’s less likely where ideological issues are not a factor, but it’s also impossible to gauge exactly what might set people off. Prepare for the disgruntled just in case.
- Make sure that all active privileged accounts are connected to a current team member.
- Audit the system regularly and immediately after any kind of security breach. (Privileged accounts used in a breach that are not connected to a current member will lower the value of the audit significantly.)
- Closely monitor and manage privileged accounts, and create alerts to enable rapid reaction when things go awry.
- Make sure departing members of the team return laptops and other mobile technology immediately before departing the organization.
- Ensure only the minimum necessary access to certain information for each member of the team.
- Apply sanctions for violating known policy consistently, quickly and even-handedly.
- Consider having managers and directors, especially those working with clinical staff, identify the people they have concerns about and share that information.
Elevate the importance of strong security among organizational and leadership priorities. According to the Experian Data Breach Resolution and the Ponemon Institute study, only 35 percent of respondents said they think senior executives feel it is important for team members to understand the potential organizational risks from data breaches. That correlates with the 60 percent of companies that feel their employees are not sufficiently aware of potential security breaches.
On a related note, only 33 percent said their organization rewards employees for being security proactive, and 32 percent said there is no penalty at their organization when an employee causes a breach. Perhaps executives should take a look at incentives as well.
Will you be able to eliminate data breaches by following these strategies diligently? It’s not likely. Make reduction and mitigation your goal, and if elimination happens, throw a huge party before getting back to work.
Healthcare data breaches are more expensive than those in any other industry, climbing to an average of $4 million in 2016, according to the Ponemon Institute. Can you afford to lose $4 million regularly, only occasionally or once in a blue moon? Let your answer to that question drive the energy with which you put your organization’s comprehensive security plan in place.