By Dr. Jessica Sapp
Associate Professor, School of Health Sciences
Hospitals have been repeatedly targeted by ransomware hackers, who seize sensitive patient data or break into hospitals’ IT systems and hold them for ransom. In April 2020, INTERPOL detected a significant increase in cyberattacks against hospitals around the world that are engaged in the COVID-19 response.
The INTERPOL Chief said, “Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths.” With the increased use of technology and electronic medical records, there is a growing need for cybersecurity and cybersecurity training in healthcare.
Healthcare Roles in Cybersecurity
Healthcare organizations have a responsibility to protect their patients’ data and sensitive information. Even though healthcare has evolved to use patient identification numbers, it is still linked to pertinent information in their systems such as Social Security numbers and accounting information. Employees are essential in cybersecurity and serve as the front line of defense for data protection.
Information technology (IT) is embedded throughout healthcare operations, and the IT department carries many responsibilities. Not all IT personnel are dedicated to cybersecurity, even though their accountabilities overlap. Cybersecurity is essential in all IT functions, but there must also be resources dedicated specifically to cybersecurity.
Building a Cybersecurity Training Program
According to Cybint, “95% of cybersecurity breaches are due to human error.” Cyber criminals and hackers will target employees to infiltrate an organization’s system.
Identifying and Assessing Internet or Network-connected Operations: The first step in building a cybersecurity training program is identifying and assessing internet-connected operations. It is necessary to take an inventory of internet-connected devices. Operations and devices that require the internet or network systems are vulnerable to hacking and cyber intrusion.
Training Needs and Options for Cybersecurity: Once an organization identifies its internet- or network-connected operations and devices, it must determine the training needs for employees based on those identified operations. Cybersecurity training can use different delivery methods, such as classroom or face-to-face instruction, computer-based training, simulations and more. A blended approach is often best for training programs, but there are other considerations when developing a program.
All-Hands! Every Employee: Cybersecurity training is needed for all employees, regardless of their position. Every employee utilizes digital programs and devices including email, mobile phones and tablets, and Wi-Fi.
Managers and Supervisors: Managers and supervisors are responsible for their teams, which can include training. In addition, managers and supervisors are imperative in developing a cybersecurity-conscious culture. Incorporating cybersecurity awareness into meetings, huddles, team discussions and the working environment will enhance the cybersecurity culture and awareness.
Physicians and Nurses: A physician’s and nurse’s primary role is patient care. They have unique factors that affect their availability for training. Physicians and nurses have limited time away from their duties with patient care, and they have medical-related training and continuing education demands. However, their cybersecurity training is necessary in every organization’s cybersecurity plan.
Accounting and Billing: Accounting and billing are prime targets for hackers, because they hold pertinent information such as Social Security numbers, financial accounts, insurance billing statements and more. Employees in this area should have an advanced training plan for cybersecurity.
Vendors, Consultants and Subcontractors: Healthcare organizations use vendors, consultants and subcontractors, but it is the healthcare organization’s responsibility to ensure these vendors, consultants and subcontractors comply with its cybersecurity requirements. It is critical to make sure all patients’ information is protected when a third party is utilized.
Remote Workers and Business Travel: What happens when employees are working offsite at a remote location or during business travel? It is essential that organizations remain secured even when employees access their email or other software programs outside the network firewall. Organizations must consider solutions such as a VPN, protocols for accessing open Wi-Fi networks, encryption, data and sensitive information storage, and more.
Training Maintenance and Contingency Plan
Audits and Quality Improvement: Quality improvement and regular audits are required in an effective cybersecurity training program. This includes cybersecurity testing to identify gaps, such as running a phishing test, in which cybersecurity and IT professionals create mock phishing emails and/or webpages and send them to employees.
Contingency Plan for Data Breaches and Hacks: Cybersecurity threats are rampant, and data breaches and hacks occur in many industries. Healthcare organizations must have a contingency plan to respond in case of a data breach or ransomware attack. This should include collaboration with IT, cybersecurity, emergency management and disaster preparedness.
We have seen an increase in remote work since the beginning of the COVID-19 pandemic. With more organizations operating in the digital environment, cybersecurity is a priority – especially in healthcare.