Build a security awareness campaign to educate healthcare employees

Healthcare organizations can complement their existing security tools and strategies by providing security awareness training to employees to further protect against attacks.

With the increasing volume of threats facing healthcare today, healthcare CISOs are constantly reviewing the latest and greatest security technology available to help them protect their environments. But some security experts recommend that organizations look internally to prevent infections or breaches. Implementing a security awareness campaign allows hospitals to educate users on how to avoid emails and websites that could hide ransomware, a virus or a phishing attempt.

In 2016, healthcare was targeted by cybercriminals with several ransomware variants. While no major hospital data breaches have been reported so far in 2017, there have been numerous reports on the damage resulting from crypto-ransomware. Unfortunately, most of these attacks are not the result of sophisticated social engineering or network hacks. They are the result of employees opening email attachments or clicking on links to websites containing malicious code.

Ransomware has been ranked as one of the top security concerns for hospitals due to the damage it can cause. New ransomware variants can not only encrypt the local documents and application files on the user's computer, but are now able to extend to network shares and backups as well. For hospitals, losing the files on a network share that is used by the administration or clinical team could have a serious impact on their day-to-day operations and patient care.

Since many of these attacks originate from emails and different websites, security administrators are finding it difficult to block all of them effectively despite the advancements in email and web filtering security tools. For that reason, security experts are encouraging IT to also focus on educating the end users. By offering frequent security training and awareness campaigns, end users will have a better understanding of cyberthreats and become better prepared to differentiate a valid email from a fake one. This approach is not a replacement for security tools, but an additional layer that can protect against an attack.

Lance Spitzner, a security expert and director at SANS Institute, highlighted during one of his HIMSS17 security sessions that organizations should put a significant emphasis on adjusting their security culture. He described how critical it is to take specific actions toward educating end users in order to reduce the risk of an attack. The activities that should be performed by IT as part of their security awareness plan are:

  • Frequent training sessions;
  • On demand security videos for end users;
  • Newsletters with training materials and information on security tips;
  • Webinars with insights on the latest security threats and education about how to protect work and personal devices;
  • Quarterly internal audits where phishing attempts are evaluated;
  • Visual cues in the form of posters within the facility to spread the message; and
  • Yearly training and assessments for employees.

The purpose of a security awareness campaign is to deliver the content surrounding some of the new cyberthreats and help end users recognize a possible phishing attempt. With the constant change in attack methods used by cybercriminals, continuous education will help prevent infections that security tools currently do not detect or block.

To measure the success of the security awareness campaign, IT can track a set of metrics across several areas. Below are a few of the potential key performance indicators that IT can review over time as part of their ongoing campaign:

  • Number of spear phishing emails that reach users and are self-reported by them;
  • Number of trained employees;
  • Number of newsletters, training sessions, posters and other collateral material used in the education;
  • Response time to an attack on a device or endpoint; and
  • Amount of data affected when an attack is detected and blocked.
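The indicators above lend themselves to a simple quarterly report built from the results of an internal phishing audit. The following is an added example, not code from the original article: it computes the self-report rate, click rate split by trained and untrained users, median time to report, share of trained users, and the list of users who clicked without reporting. The audit records, user ids and the TRAINED_USERS set are constructed assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed records from one simulated (internal) phishing audit; not real data.
# Each entry: the user, when the test message was sent, whether the link was
# clicked, and when the user reported the message to IT (None = never reported).
AUDIT_RECORDS = [
    {"user": "u01", "sent": "2017-03-01T09:00", "clicked": False, "reported": "2017-03-01T09:12"},
    {"user": "u02", "sent": "2017-03-01T09:00", "clicked": True,  "reported": None},
    {"user": "u03", "sent": "2017-03-01T09:00", "clicked": False, "reported": None},
    {"user": "u04", "sent": "2017-03-01T09:00", "clicked": True,  "reported": "2017-03-01T10:30"},
    {"user": "u05", "sent": "2017-03-01T09:00", "clicked": False, "reported": "2017-03-01T09:05"},
]
# Constructed: users who completed the awareness training before the audit.
TRAINED_USERS = {"u01", "u04", "u05"}

_FMT = "%Y-%m-%dT%H:%M"

def _minutes_between(start, end):
    return (datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)).total_seconds() / 60

def _rate(hits, population):
    # Guard against an empty group so a quarter with no untrained users does not crash.
    return len(hits) / len(population) if population else None

def campaign_kpis(records, trained_users):
    """Summarise one phishing audit into the indicators the campaign tracks."""
    reported = [r for r in records if r["reported"]]
    clicked = [r for r in records if r["clicked"]]
    trained = [r for r in records if r["user"] in trained_users]
    untrained = [r for r in records if r["user"] not in trained_users]
    report_delays = [_minutes_between(r["sent"], r["reported"]) for r in reported]
    return {
        "delivered": len(records),
        "self_report_rate": _rate(reported, records),
        "click_rate": _rate(clicked, records),
        "click_rate_trained": _rate([r for r in trained if r["clicked"]], trained),
        "click_rate_untrained": _rate([r for r in untrained if r["clicked"]], untrained),
        "median_minutes_to_report": median(report_delays) if report_delays else None,
        "trained_share": _rate(trained, records),
    }

def follow_up_users(records):
    """Users who clicked and never reported: the group most in need of another session."""
    return sorted(r["user"] for r in records if r["clicked"] and not r["reported"])

if __name__ == "__main__":
    for name, value in campaign_kpis(AUDIT_RECORDS, TRAINED_USERS).items():
        print(f"{name}: {value}")
    print("follow up:", follow_up_users(AUDIT_RECORDS))
```

Running the same function over each quarter's audit gives the trend line that leadership is usually asked for, with the trained versus untrained click rates showing whether the training itself is changing behaviour.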

With healthcare being one of the top targets of ransomware in previous years, the addition of a security awareness campaign will improve the overall security and protections of the organization. These protections can go beyond the walls of the facilities and prepare end users to face these same threats coming into their personal email. However, one hurdle that IT can face is getting the support of the leadership. IT must explain that security tools on their own are not enough, and that with proper education, every employee can help prevent an attack that could yield a legal and compliance nightmare.
