This best practice is actually called “staff training” or “incident response training,” but “human firewall” really embodies how seriously healthcare organizations should take the thorough and recurring training of all staff, especially those on the front lines: the IT help desk.
At the very least, the IT help desk staff should be well-trained and informed in all aspects of cyberattack strategies, tactics, and your healthcare organization’s protocols for response.
Here are a few statistics to illustrate why it’s so important to train employees in cybersecurity awareness:
“We see a lot of companies putting a tremendous amount of energy into protecting themselves from external attacks, but insiders are really the bigger threat,” says Sensato CEO John Gomez.
Most employees now have company email and internet access through computers, laptops, tablets, and phones. Yet, few organizations actively train all employees in the most basic internet, email, and text hygiene practices.
“We spend so much time chasing the latest technology and promising new shiny solutions, while neglecting our most vulnerable attack vector – people,” noted Gartner Vice President and Distinguished Security Analyst Avivah Litan in her December 2016 blog post.
It’s not that employees are necessarily looking for ways to compromise your cybersecurity for their own nefarious purposes (though some may be—we’ll address that later). Rather, they are more likely to fall prey to common attack ploys like Trojans, phishing, and smishing.
Careless and untrained employees can endanger your entire organization by:
The Dell End-User Security Survey 2017 found that “72% of employees are willing to share sensitive, confidential or regulated information.” Why? They were just “trying to do their jobs as efficiently and effectively as possible.”
Then there’s the other type of employee, the smaller but just as dangerous portion who actively steal data for monetary gain or access to your systems simply to destroy them.
“We’re all very well trained to look at the external threats, but what we actually see in the field is that most people stealing information data from an organization are insiders,” warns Gomez. “Insiders are especially dangerous precisely because we trust them. You may see an employee accessing drives or data they don’t normally access for their job, but ignore that because you know they work here and they’re properly logged in, etc. But if you saw that same activity being performed from outside of your company, all kinds of alarm bells and whistles would go off and you would not ignore it.”
Training could mean the difference between a minor inconvenience and complete destruction, or, worse, the endangering of your patients’ health and lives.
Now, let’s be clear about what we mean by “training.” We’re not talking about sitting all employees down in endless, droning seminars and putting them to sleep. The only type of training that truly “sticks” is active, engaged, continual, and cultural.
That involves having cybersecurity experts train and drill IT staff and other employees in data security. The best learning tool is experience, and you don’t want your staff’s first experience of a cyberattack to be during a real attack.
Sensato recommends cybersecurity tactical simulations, run much like disaster drills used by hospitals, first responders, law enforcement, and the military. This gives your entire staff a chance to enact your incident response plan, discover any gaps in the plan, and build the type of “muscle memory” that’s critical to successfully surviving an actual attack.
If incident response drills for the entire staff are not possible, every person who has access to your networks should at least have an understanding of phishing, smishing, and other tools attackers use to infiltrate systems.
For example, do your employees, and especially your IT help desk, know that there is an entire class of attacks that depends on you rebooting your computer, so the attacker deliberately slows the machine down and triggers error messages that prompt you to reboot?
“What’s the first thing you do when your computer is bogging down, the first thing most help lines tell you to do? Reboot. This is true even of medical devices,” says Gomez. “Attackers know that, so you can bet that, yes, it’ll be working fine after you reboot and you’ll have no idea that you’ve just been compromised. This is why we should really be more invested in training our first line of defense – employees and help desk.”
If employees are trained to call the IT team, and the IT help desk is trained to take those calls seriously and look for patterns, many attack attempts can be thwarted. According to PhishMe, when employees are well trained and phishing tests are routinely administered, an organization’s susceptibility to a phishing attack is as low as 5 percent.
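As an added illustration of the help-desk “look for patterns” point above (example code written for this page, not part of the original article or Sensato’s tooling), here is a small triage script that flags a burst of slowdown-plus-reboot tickets arriving from several hosts in a short window, the kind of cluster a trained help desk would escalate rather than answer with “just reboot.” The ticket format, keyword lists, and thresholds are assumptions.

```python
"""Added example: flag bursts of help-desk tickets that pair a slowdown or
error symptom with a reboot prompt. Ticket format and thresholds are assumed."""
from datetime import datetime, timedelta

# Constructed sample tickets: (timestamp, hostname, free-text summary)
TICKETS = [
    ("2024-03-04 09:02", "WS-RAD-01", "PC very slow, popup error asks to restart"),
    ("2024-03-04 09:05", "WS-RAD-07", "constant error dialog, reboot suggested"),
    ("2024-03-04 09:09", "WS-ICU-03", "workstation freezing, told to reboot by colleague"),
    ("2024-03-04 09:11", "WS-RAD-07", "still slow after restart"),
    ("2024-03-04 09:14", "WS-LAB-02", "printer offline"),
    ("2024-03-04 13:40", "WS-ADM-11", "slow, error message, needs restart?"),
]

# Assumed keyword lists; a real help desk would tune these to its ticket wording
SLOW_OR_ERROR = ("slow", "error", "freez")
REBOOT = ("reboot", "restart")


def is_reboot_prompt(summary):
    """True when a ticket reports a slowdown/error AND mentions rebooting."""
    s = summary.lower()
    return any(k in s for k in SLOW_OR_ERROR) and any(k in s for k in REBOOT)


def find_reboot_bursts(tickets, window_minutes=15, min_hosts=3):
    """Return [(start, end, hosts)] where at least min_hosts distinct hosts
    filed a slowdown-plus-reboot ticket within window_minutes of each other."""
    matched = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), host)
        for ts, host, summary in tickets if is_reboot_prompt(summary)
    )
    window = timedelta(minutes=window_minutes)
    bursts = []
    for i, (start, _) in enumerate(matched):
        in_window = [(t, h) for t, h in matched[i:] if t - start <= window]
        hosts = {h for _, h in in_window}
        if len(hosts) >= min_hosts:
            end = max(t for t, _ in in_window)
            # Skip windows that overlap a burst already reported
            if not bursts or bursts[-1][1] < start:
                bursts.append((start, end, hosts))
    return bursts


if __name__ == "__main__":
    for start, end, hosts in find_reboot_bursts(TICKETS):
        print(f"ESCALATE to IR: {len(hosts)} hosts {start:%H:%M}-{end:%H:%M}: {sorted(hosts)}")
```

The afternoon ticket matches the symptom pattern but stands alone, so it is not escalated; the three-host cluster between 09:02 and 09:11 is.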
“We know that planning and training for cybersecurity can seem like a huge and impossible task, so we encourage every healthcare organization to simply start with the basics, but definitely start,” says Gomez. “Your employees are your first and best line of defense, and the logical place to start.”