Security awareness involves everyone in your company—from clerical and administrative staff to doctors, nurses, IT staff, and even your patients. Everyone plays an important role. Unfortunately, this often leaves organizational and IT leaders wondering, “What should security awareness training include?”
Security Awareness Training in the Healthcare Sector
Healthcare companies are directly on the frontlines of IT and network security. Between common email scams, malware, viruses, and social networking dangers, there are a lot of potential threats lurking online.
Every healthcare entity, business associate, and adjacent organization must learn how to identify, diagnose, and resolve these threats properly. Arming your entire staff with the knowledge needed to secure your network from intruders remains a crucial aspect of achieving (and more rapidly facilitating) cybersecurity maturity for HIPAA compliance and beyond.
Providing cybersecurity education relies upon:
- Finding out which staff members need training and how much they need
- Learning what basic security awareness training should include
- Discovering advanced security awareness tactics for your top-level IT staff
Does Your Staff Need Security Awareness Training?
If your company is a part of the healthcare industry or regularly works with electronic health records, your entire staff must have or receive some degree of security awareness training.
Your organization’s HIPAA compliance depends on personnel’s adherence to cybersecurity policies, practices, and set configurations. Given that HIPAA defines data breaches as the improper use or disclosure of personal health information (PHI), every user must be trained.
Healthcare Cybersecurity Training By Personnel Role
The exact level of training varies according to personnel role.
Your technical staff members require the highest level of training. They need to complement their cybersecurity knowledge with up-to-date threat intelligence on specific vulnerabilities, recent trends, and emerging threats.
Doctors and nurses, for example, need to handle patient records securely and privately. Likewise, administrative staff and office personnel need to input and maintain data with the utmost confidentiality. As a result, these staff members require a high level of security awareness on a day-to-day basis.
Even janitors, groundskeepers, and maintenance workers can unintentionally find or view PHI. However, note that your HIPAA risk management requires sufficient physical and direct access security, which would prevent these staff members from committing violations. Their training may merely require informing them of protocols in physical proximity to workstations or a server room.
With new threats emerging every day, and with hackers and malware becoming increasingly sophisticated, security awareness training must be viewed as an ongoing, essential activity.
What Should Security Awareness Training Include for All Healthcare Workers?
Generally speaking, anyone working in the healthcare field should be familiar with the basics of IT security. This protects patients, individual employees, and the healthcare organization as a whole.
Viruses, Malware, and Ransomware
Viruses, malware, and ransomware are three distinct threats that are often lumped together. As a result, they often confuse staff members and novice computer users. Your security awareness training should provide clear definitions for these (and other threats that fall under “malware”):
- Viruses – These are self-replicating programs that embed themselves into the code of other, legitimate programs on a network or system. While viruses don’t always result in a breach of data, they can cause network shutdowns, service delays, and other issues.
- Malware – An umbrella term for any type of malicious software, malware often arrives as a program disguised as legitimate or genuine software. Once installed on a system, malware can be used to install other files, grant unauthorized access to the system, and more. Malware may be used to deliver viruses and ransomware.
- Ransomware – One of the newest tools in a hacker’s toolbox, ransomware is malicious software that seizes control of an entire system. A ransom is then placed on the system, which companies often pay to restore access as quickly as possible. Unfortunately, many cases never see the affected systems restored—even after paying the ransom.
Phishing and Social Engineering
Unlike viruses and malicious software, phishing and social engineering attacks don’t require the use of a third-party program. Instead, the hackers attempt to exploit human psychology. These attacks generally focus on convincing an employee to divulge account credentials (or other sensitive information), which are then used to gain unauthorized entry into a system or network.
- Phishing – These attacks generally originate via email or social media. During a phishing attempt, hackers try to coax you into revealing your login credentials. If they already have part of these credentials, such as the account name, their job is even easier. While phishing is a type of social engineering attack, its prevalence and attack subtypes deserve dedicated training.
- Social Engineering – Modern hackers also use various social engineering tricks and impersonation techniques in emails and on social media. A hacker might assume the disguise of a friend, family member, co-worker, or even a member of the IT staff at your workplace. Social engineering training should extend beyond network activity to phone calls, texting, and other communication methods.
Email and social media dangers are fairly common, so it’s crucial to educate your staff members and remind them never to share their login credentials with anyone. The sole exception would be relevant IT support personnel. Even then, a social engineering attack may involve impersonating those personnel, so any credential sharing must strictly follow identity verification processes.
Password Education and Training
Although access management is usually left up to the IT department, individual staff members still need to understand the importance of using a strong password. If they maintain any sort of account with your organization, or if they need to enter login credentials to access your network, it’s vital that they observe a few tips and tricks when creating their passwords:
- Use a combination of capital and lowercase letters, numbers, and special characters when creating your password.
- Alternatively, use a passphrase.
- Create passwords that are at least eight characters long.
- Never share your password or other login credentials with others, including co-workers.
- Change your password frequently.
- Make every password unique and never reuse a password across multiple accounts.
- Enforce multifactor authentication when possible.
IT security personnel should configure authentication systems to enforce password expiry and to reject any new or reset password that does not meet a minimum complexity threshold.
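The following is an added example, not code from the original article or from RSI Security, of how an authentication system might enforce the rules above at reset time. The eight-character minimum comes from the article; the passphrase threshold, the three-of-four character-class rule, the history depth, and the small common-password blocklist are assumptions constructed for this example.

```python
import hashlib
import os
import re
import string
from dataclasses import dataclass, field

# Policy thresholds. MIN_LENGTH follows the article's "at least eight
# characters"; the remaining values are assumptions chosen for this example.
MIN_LENGTH = 8
PASSPHRASE_MIN_LENGTH = 16   # assumed: long multi-word passphrases may skip the class rule
MIN_CHAR_CLASSES = 3         # assumed: at least 3 of upper/lower/digit/special
HISTORY_DEPTH = 5            # assumed: remember the last 5 password hashes per user

# Constructed sample of widely used passwords (a stand-in for a real breach blocklist).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "hospital1", "12345678"}


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def is_passphrase(password: str) -> bool:
    """Treat a long string of three or more space- or hyphen-separated words as a passphrase."""
    words = re.split(r"[\s\-]+", password.strip())
    return len(password) >= PASSPHRASE_MIN_LENGTH and len(words) >= 3


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class UserPasswordHistory:
    """Per-user salt plus the hashes of recently used passwords."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    hashes: list = field(default_factory=list)

    def was_used_before(self, password: str) -> bool:
        return hash_password(password, self.salt) in self.hashes

    def record(self, password: str) -> None:
        self.hashes.append(hash_password(password, self.salt))
        del self.hashes[:-HISTORY_DEPTH]   # keep only the most recent HISTORY_DEPTH entries


def check_password(password: str, history: UserPasswordHistory) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if not is_passphrase(password) and character_classes(password) < MIN_CHAR_CLASSES:
        problems.append(f"uses fewer than {MIN_CHAR_CLASSES} character classes and is not a passphrase")
    if history.was_used_before(password):
        problems.append("reused from this account's recent password history")
    return problems


def set_password(password: str, history: UserPasswordHistory) -> bool:
    """Accept the reset only when every check passes; record the new password on success."""
    if check_password(password, history):
        return False
    history.record(password)
    return True


if __name__ == "__main__":
    history = UserPasswordHistory()
    # Constructed candidates: a blocklisted one, a complex one, a passphrase, and a reuse.
    for candidate in ["Welcome1", "Gr8!Chart-2024", "correct horse battery staple", "Gr8!Chart-2024"]:
        print(f"{candidate!r}: {check_password(candidate, history) or 'accepted'}")
        set_password(candidate, history)
```

The reuse check compares salted hashes rather than stored passwords, so a compromised history table does not hand an attacker the user's old credentials, and a passphrase that is long enough is accepted even though it contains only lowercase letters.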
Safe Internet Habits
Nearly all healthcare workers can strengthen their personal IT security by observing common habits when browsing the internet. These safe internet habits apply both at the workplace and in a personal, at-home environment, so they’re a critical part of any security awareness training program:
- Never open attachments from unknown or suspicious email addresses.
- Avoid clicking on unknown or suspicious links.
- Ignore social media friend requests from unknown or suspicious accounts.
- Don’t disclose personal details, such as your place of employment, on the internet.
- Only share your email with trusted friends, family members, and colleagues.
The physical security of computers, digital records, and digital devices is just as important as network security. Although most hackers and malicious actors target online networks specifically, there have been numerous incidents of data and network breaches resulting from a user with physical access to the system in question.
Employees in remote or work-from-home environments require additional security awareness training in this area. Since they retain complete physical and direct access control of their devices, they must know how to secure their systems from external threats.
All healthcare and adjacent organizations within the United States must abide by HIPAA standards, including those transferring, processing, or storing electronic health records. Failure to comply with these policies could result in hefty monetary fines, so all of your employees must be HIPAA knowledgeable.
There are numerous rules and regulations within HIPAA, but most employees only need to be familiar with the basics surrounding the disclosure of protected health information, or PHI. According to HIPAA, healthcare employees can disclose data in four different scenarios.
- As needed for current medical treatment or care
- To allow for timely payment of services
- For operational or educational needs, including internal review
- Upon direct request by the individual patient
If the PHI usage falls outside of these four categories, patient permission is always required, except for certain judicial and law enforcement needs.
Basic IT Security Controls
Security infrastructure management is conducted either internally or by outsourcing to a managed security services provider (MSSP). If managed internally, your team must know how to implement, manage, and maintain these measures to ensure network security:
- Antivirus and anti-malware software – Automatically scan incoming files and newly installed programs for viruses, ransomware, and other types of malicious software.
- Firewall and email server protection – Protect your network from live threats, including email scams.
- Data backup and restoration planning – If an incident does occur, it’s crucial to have data backups and response plans ready.
- Policies and procedures development – Establish an exhaustive list of policies and procedures and, most importantly, make sure they’re enforced on a day-to-day basis.
- Mobile device management and anti-theft devices – Secure all physical devices with encryption, remote wiping, and other capabilities.
- Compliance – HIPAA does not explicitly specify the technical implementations your organization must have in place. If your organization adheres to the HITRUST CSF, an understanding of its specifications is required. Maintaining compliance with all applicable rules, regulations, laws, and standards is essential when working with sensitive patient data.
Advanced Concepts of IT Security Awareness in the Healthcare Sector
While healthcare workers are susceptible to common threats like email scams, malware, and social networking dangers, there are also some advanced concepts, strategies, and security architecture implementations that are commonly used in the industry.
Most of your staff doesn’t require up-to-date knowledge and training in these advanced areas, but your IT department does.
Identity and Access Management
Network administrators and other senior-level IT staff must implement robust identity and access management policies and processes to protect their networks properly. IAM consists primarily of authentication (i.e., identity verification) and authorization (i.e., the access permissions a given, verified identity has) controls.
Proper IAM involves an intricate balance between easy access for authorized users, strict permissions management, and stricter protections against intruders. Network administrators and IT leaders can utilize IAM to establish policies and procedures regarding user password usage, access levels or restrictions, and more.
A relatively recent trend in IT security, multifactor authentication (MFA) requires more than one authentication method when a user signs into their account. MFA usually requires users to enter their username, password, and a unique, randomly generated code. The code is often sent to the user’s primary email address or smartphone—via SMS or a dedicated app.
This is a highly secure process as it requires an intruder to have the original user’s credentials and access to the additional factor(s).
Cloud Infrastructure and Integrations
Recordkeeping isn’t a new phenomenon, especially in the healthcare industry. The availability of such vast troves of digital data, however, as well as the newfound reliance on digital recordkeeping and sharing, is relatively new.
In particular, the increased adoption of cloud services and storage poses significant data breach risks if conscientious planning and evaluation don’t occur.
Cybersecurity Implementations and Processes to Complement Training
Healthcare entities should implement or conduct the following to augment organization-wide security awareness training:
- Multifactor authentication – Require multiple forms of user authentication for access to your organization’s network and to all systems, applications, and other IT resources that support it. This alone will significantly reduce the likelihood of unauthorized logins.
- End-to-end data encryption – Utilize end-to-end data encryption to protect data during transmission. If a hacker does manage to capture your data, they won’t be able to decipher it without the associated cryptographic key.
- Routine penetration testing – Pen testing is a great way to gain actionable insight into the current state of your network security. For best results, perform penetration tests on a regular, consistent basis and—if possible—perform penetration tests on multiple areas of your network, such as:
- Network firewalls and security frameworks
- Cloud computing networks
- Web applications
- Network-attached hardware
- Mobile devices
Enhance Your Company’s Security Awareness Training Today
By now, you already have an answer to the question: “What should security awareness training include?”
If you’re still left with questions, or if you require additional support for your current security awareness training efforts or overall cybersecurity program, contact RSI Security today for more information.