May 9, 2018
|
5 minutes

Healthcare Cybersecurity Best Practice: Make Every Employee a Human Firewall

Ideally, every employee in a healthcare organization should be a human firewall.

This best practice is actually called “staff training” or “incident response training,” but “human firewall” really embodies how seriously healthcare organizations should take the thorough and recurring training of all staff, especially those on the front lines: The IT help desk.

At the very least, the IT help desk staff should be well-trained and informed in all aspects of cyberattack strategies, tactics, and your healthcare organization’s protocols for response.

A healthcare-specific cybersecurity solution protects you from hackers and your own security shortcomings.  Learn more about MD-COP.

Here are a few statistics to illustrate why it’s so important to train employees in cybersecurity awareness:

  • 95 percent of all attacks on enterprise networks were the result of successful phishing emails, according to the SANS Institute
  • 97 percent of people are not able to identify a sophisticated phishing email, according to Intel

“We see a lot of companies putting a tremendous amount of energy into protecting themselves from external attacks, but insiders are really the bigger threat,” says Sensato CEO John Gomez.

Most employees now have company email and internet access through computers, laptops, tablets, and phones. Yet, few organizations actively train all employees in the most basic internet, email, and text hygiene practices.

The Most Vulnerable Attack Vector: People

 “We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people,” noted Gartner Vice President and Distinguished Security Analyst Avivah Litan in her December 2016 blog post.

It’s not that employees are necessarily looking for ways to compromise your cybersecurity for their own nefarious purposes (though some may be—we’ll address that later). Rather, they are more likely to fall prey to common attack ploys like Trojans, phishing, and smishing.

Careless and untrained employees can endanger your entire organization by:

  • Opening infected emails and clicking on malicious attachments or links
  • Disclosing sensitive information on social media channels and within their social/family circles
  • Inappropriately disposing of/destroying sensitive material
  • Losing their laptop, table, or phone

The Dell End-User Security Survey 2017 found that “72% of employees are willing to share sensitive, confidential or regulated information.” Why? They were just “trying to do their jobs as efficiently and effectively as possible.”

Then there’s the other type of employee, the smaller but just as dangerous portion who actively steal data for monetary gain or access to your systems simply to destroy them.

“We’re all very well trained to look at the external threats, but what we actually see in the field is that most people stealing information data from an organization are insiders,” warns Gomez. “Insiders are especially dangerous precisely because we trust them. You may see an employee accessing drives or data they don’t normally access for their job, but ignore that because you know they work here and they’re properly logged in, etc. But if you saw that same activity being performed from outside of your company, all kinds of alarm bells and whistles would go off and you would not ignore it.”

Training Doesn’t Come from Books, Lectures

Training could mean the difference between a minor inconvenience and complete destruction, or, worse, the endangering of your patients’ health and lives.

Now, let’s be clear about what we mean by “training.” We’re not talking about sitting all employees down in endless, droning seminars and putting them to sleep. The only type of training that truly “sticks” is active, engaged, continual, and cultural.

That involves having cybersecurity experts train and drill IT staff and other employees in data security. The best learning tool is experience, and you don’t want your staff’s first experience of a cyberattack to be during a real attack.

Sensato recommends cybersecurity tactical simulations, run much like disaster drills used by hospitals, first responders, law enforcement, and the military. This gives your entire staff a chance to enact your incident response plan, discover any gaps in the plan, and build the type of “muscle memory” that’s critical to successfully surviving an actual attack.

Read about one company’s real experience with the speed and violence of a cyberattack.

If incident response drills for the entire staff are not possible, every person who has access to your networks should at least have an understanding of phishing, smishing, and other tools attackers use to infiltrate systems.

For example, do your employees, and especially your IT help desk, know that there is an entire class of attacks that require you to reboot your computer, so they deliberately do things to slow it down and create error messages that prompt you to do a reboot?

“What’s the first thing you do when your computer is bogging down, the first thing most help lines tell you to do? Reboot. This is true even of medical devices,” says Gomez. “Attackers know that, so you can bet that, yes, it’ll be working fine after you reboot and you’ll have no idea that you’ve just been compromised. This is why we should really be more invested in training our first line of defense – employees and help desk.”

It Does Make a Difference

If employees are trained to call the IT team, and the IT help desk is trained to take those calls seriously and look for patterns, many attack attempts can be thwarted. According to PhishMe, when employees are well trained and phishing tests are routinely administered, an organization’s susceptibility to a phishing attack is as low as 5 percent.

“We know that planning and training for cybersecurity can seem like a huge and impossible task, so we encourage every healthcare organization to simply start with the basics, but definitely start,” says Gomez. “Your employees are your first and best line of defense, and the logical place to start.”

MD-COP will secure your data, devices, and network from targeted and “side effect” attacks.  Act quickly.
SOC Myths & Fallacies: Why Do Most Security Operations Centers Fail?
Over the course of a year long investigation, we interviewed CIO, CISO, managers, security analysts, security engineers and compliance officers. Find out what we learned.
Self-Defense & Cyberwar
As someone who may be responsible for protecting a network, facilities or people, the evolution of cyberweapons and your rights to defend yourself will become a rather critical aspect of your strategies in the coming years.