In a military column it’s called the vanguard. In finance they call it risk analysis. In pathology it’s called the skin. Healthcare cybersecurity is all about the people.
When it comes to defending against an online breach of your EHR system, your people should be considered your first line of defense: your physicians, nurses, administrative personnel, and basically anyone who has access to your network and your facility, the two main gateways to private health records. With new vulnerabilities being discovered every day, compounded by vendor risk management, the importance of training people to identify and avoid socially engineered or physical threats to security cannot be overstated.
In the event of an EHR breach, more than your hospital’s revenue or operations capabilities are on the line. If a bad actor gets their hands on PHI (protected health information), the safety and livelihood of your patients could be at risk.
Healthcare IT security professionals often manage cybersecurity with a technology-first or process-first approach rather than a people-first one. One champion of improved healthcare cybersecurity awareness, Michael Archuleta, Chief Information Officer at Mt. San Rafael Hospital, proposes flipping that method.
In the opening of his recent presentation on HIMSS TV, Archuleta suggested an approach to cybersecurity that begins with people, followed by a review of processes, and then rounds out with a focus on technology. All this for good reason, he explains:
"Cybersecurity can be a matter of life and death, that's the bottom line...It's about people and having them understand cybersecurity."
Most cybersecurity incidents happen by accident, whether perpetrated by a person or a technical error—an 80/20 split. A report on PHI published by Verizon revealed that of 1,368 security incidents reviewed, 58% involved insiders, and of those incidents:
Many of those cases may have been prevented with a little bit of cybersecurity awareness training. However, as it stands, cybersecurity best practices have not been seen as a priority for many healthcare workers.
In a survey testing the cybersecurity awareness of its customers, Wombat Security found that respondents representing various sectors of healthcare answered around a quarter of the IT security best-practice questions incorrectly.
From April to June of this year alone, the Protenus Breach Barometer recorded 142 breaches across various healthcare organizations, and 30 percent of them were caused by repeat offenders.
When hospitals demonstrate this level of permeability, hackers and cybercriminals are like moths to the flame. Instead of getting burned by firewalls, they circumvent endpoint protection via people to find their payday in the form of valuable, private patient data.
Most cybercriminals aren’t going after your next-generation firewall or other endpoint security. They are going for the easy targets: your people.
Why? It’s a lot easier to socially engineer—deceive or manipulate people into giving up confidential information—than it is to hack your way into a server from scratch.
So how does a hospital begin to develop a more aware workforce? How do healthcare providers get staff actively involved in doing what they can to create a more secure hospital environment?
Our MEDHOST motto is: “You can patch a server, but you can’t patch a human being.”
Building cybersecurity awareness into your business culture starts with training. An initial course at the time of hire is a good practice, but we’ve found ongoing training that tracks what is happening in the industry to be the most effective.
While MEDHOST does not manage cybersecurity training for our customers, as a HIPAA-compliant organization that processes a large volume of PHI, we do hold our employees to a higher standard. We provide regular training and education on the different threats they may encounter online, as well as best practices for securing physical and digital assets.
Our internal training is designed to educate employees about the different kinds of threats that exist and to make them more aware of how they may be attacked. Elements of our healthcare cybersecurity training include:
We follow a similar philosophy and execution when training superusers on MEDHOST tools and resources, and we apply the same approach to our best practices for handling our customers’ data.
If we are hosting an EHR environment for a hospital, that hospital can count on our knowledgeable team of experts, who have extensive security training, to safeguard the environment and proactively monitor for online threats, all as part of the MEDHOST Direct cloud solution. We manage the hardware and software tasked with running and protecting your EHR.
Reversing the standard healthcare cybersecurity approach is often more labor intensive for IT staff. When it comes to defending a system versus attacking it, the situation for IT professionals can be the exact opposite of the one hackers face. Technology can be easy to manage with the right expertise on your side; people, however, often require a much more direct approach.
As technology continues to evolve, the need for increased cybersecurity awareness in healthcare will only become more critical to securing business and offering a superior patient experience.
Make it harder on cybercriminals by reinforcing your first line of defense with MEDHOST’s superior, cybersecurity-savvy staff. Speak with one of our experts today!