This Is Why Healthcare Cyber Security Training Is So Vital
Corey Bleich
When you visit your doctor, you expect your information to be protected and private. In reality, attacks on personal data through healthcare providers are on the rise, which is why healthcare cyber security training is so vital. Here's what we know, and how you can deliver the types of training your employees need.
What do we mean by healthcare cyber security training?
Healthcare cyber security training can mean different things for different companies (and the people within them).
From receiving the HCISPP (Healthcare Information Security and Privacy Practitioner) certification to simply understanding how to safely and securely utilize company email, healthcare cyber security training needs are different for every company and every team of employees.
Why is healthcare cyber security training so important?
Proper cyber security training is required to stay HIPAA-compliant, of course, but even with that prevention, a lack of cyber security affects healthcare patients.
In 2018, breaches in data security through healthcare plans skyrocketed by 1,000%. If that number does not make you sit upright and rethink your program for healthcare cyber security training, consider these stats:
- The 1,000% increase in compromised security affected 884,360 individuals in 24 separate breaches in health plans alone
- Healthcare providers make up 75% of the companies with hacked data
- Small businesses weren’t safe either, with 12 breaches affecting 100,602 customers in the first five months of 2018
Overall, before the first half of 2018 was completed, nearly three million people were affected by a security breach.
Another scary statistic? A survey by Accenture found that 18% of healthcare employees would sell customer data for as little as $500. Between breaches from the outside and leaks from the inside, there has never been a better time to upgrade your healthcare cyber security training.
Even healthcare leaders admit there is room for improvement. In a survey by KPMG, over half of the 154 healthcare leaders surveyed said that their organizations either did not have written operating procedures for security breaches, or, if they did, the leaders did not know what those procedures were. Most of these leaders pointed out that most changes in healthcare cyber security training occurred after a breach, with changes in leadership (17%), upgraded technology (15%), and improved training (14%) being the most common responses.
A final study by Accenture and the American Medical Association found that doctors themselves were not immune, with over half of respondents reporting a healthcare phishing attack (usually via email).
Where can I get started?
There is good news. In the Accenture survey, fully 99% of employees surveyed said they felt responsible for a customer’s data and information. Healthcare cyber security training builds on that sense of responsibility with appropriate cyber security awareness training.
If an employee touches a computer, they need to be trained. This seems fairly straightforward, but protecting your customers with solid cyber security training may not be so simple. Here’s how to get started.
Complete a training needs analysis
A training needs analysis is the place to start for every type of employee training. This provides you with a good understanding of what employees already know as well as areas for improvement.
Diving in without this means employees may be hearing what they already know (and tuning out everything else). Additionally, the analysis lets you triage your healthcare cyber security training so that you start with your most vulnerable areas.
Bring along the top brass
Whoever authorizes trainings (and pays for them!) needs to be on board from the very start. If not, they may drag their feet when it comes to scheduling employee time for training or budgeting for more effective tools, such as a mobile learning course.
If your leadership team isn't convinced of the importance of cyber security, show them the statistics on how much data breaches cost. With a price tag reaching well into the millions, this bite out of the bottom line should help convince even the most reluctant executive.
But let’s face it. Although preserving the bottom line is important, customers and their data are precious and worth protecting on their own.
Dive right in
After your training needs analysis and a ringing endorsement from the C-suite, it’s time to start training. Use microlearning or other digital learning methods to deliver manageable bites of information that can be accessed on any digital platform. Because 91% of cyber attacks start with an email, discussing proper protocols for email may be the best place to start for your company.
A healthcare cyber security training program should also cover five crucial aspects:
- Password protocols
- Experiential opportunities
- Ongoing training
- Written procedures for reference
- Where to go for help
Password protocols
Decide on a system for passwords and implement that system company-wide.
Consider two-factor authentication for the highest level of security, and require employees to change their passwords frequently.
Experiential opportunities
Engage employees in simulations to practice how to handle a data breach. This can include what to say to customers in the event of a hack, or you can test their knowledge with simulated phishing attacks.
Ongoing training
Just as you routinely update the software on your laptop, regularly update your personnel when it comes to cyber security.
Hackers are innovative, persistent, and sneaky. Offer regular mLearning opportunities to keep your employees up-to-date.
Written procedures
Write down your crucial procedures. Does this mean creating a text wall about how to set your passwords and what to do if you get hacked? It doesn’t have to.
Offering a manual online or mobile-ready resources with links to crucial information can give employees just-in-time access to what they need.
Where to go for help
If employees have a question or a concern, do they know who to turn to?
If your company does not have a designated (and available!) cyber security or IT department, it’s time to change that. Take the time to provide support and make it easy for employees to ask for help.
If your healthcare cyber security training is not what it needs to be, get in touch with EdgePoint Learning to talk about your training needs. We have a dedicated team who is up-to-date on the latest cyber security developments and training methods.