Designing Healthcare Cybersecurity Around Employee Workflows

It's not every day that you see some good news involving healthcare cybersecurity. The medical industry, after all, is known for lagging in vital defense measures. But that doesn't mean it's a lost cause. In fact, one northern California-based hospital has seen major improvements "just by building a system designed for the humans who use it.

According to Healthcare IT News, Marin General saw a 50 percent reduction in system vulnerabilities by incorporating e-learnings into the daily workflow. In other words, employees are tested on their cybersecurity chops throughout the day. Could your organization benefit from this technique? CyberPolicy examines the topic below.

On the Job Cybersecurity Training
Most people tend to think of cybersecurity as a tech problem. And obviously, they aren't wrong. Cybercriminals need a digital infrastructure to exploit. That's why it's called cybercrime. But there is also a human element to cybercrime that needs to be addressed.

For instance, Marin General already had a number of security tools in place, including firewall and antivirus protections. But cybercriminals expect these protections. Instead, crafty hackers prefer to prey on credulous employees through phishing emails and social engineering scams. In fact, the majority of security issues are tied to employee negligence.

To combat this reality, Marina General adopted e-learning and webinar-style orientations during the workday. This would educate workers about HIPAA and data breaches in a fun away. There are even games and rewards involved! As you can imagine, this program saw a huge participation rate (100 percent) over annual training sessions.

The hospital also incorporated a bug bounty program dubbed Security Sleuths. The program rewards workers who find and report phishing emails or other scams to IT.  
"I thought it would be gimmicky, but the gamification really spoke to people in a way I didn't anticipate," says the hospital's CISO Jason Johnson.

The result? Marina General saw less than .5 percent click rate on malicious emails (down from 63 percent the year prior). Your company can adopt a similar strategy by sending test-phishing email to your staff on a semi-regular basis. This will help train employees to beware of suspicious communications.

User Experience
 
Another part of Marin General's successful strategy included understanding user behavior. For instance, it was extremely hard for the organization to enforce encrypted email for employees. "If you impact a customer's workflow with security, they'll find a way around it, says Johnson.  

The solution? Don't change the way people communicate, just find out how they communicate. "Johnson's team surveyed staff to find out who they talk to most often, writes Healthcare IT News. "From that information, Johnson's team came up with the top organizations, then sent Marin engineers to those organizations to build a gateway or encryption tunnel.

"It was a huge resource strain, but, in the end, it made our user base able to send email encrypted, seamlessly, said Johnson. "We decided to make it better for them. It's the customer-centric approach.

So, by evaluating how employees work, Marin General built defensive strategy, taking their security to the next level.

Are you ready to improve your cybersecurity? Visit CyberPolicy for a free quote on cyber insurance!

© 2016-2020 CyberPolicy, Inc. All rights reserved. CyberPolicy®, "Plan. Prevent. Insure."™, and "CyberCheckup"™ are trademarks of CyberPolicy, Inc.
DBA: CyberPolicy Insurance Solutions CA License No. 0L13180
DBA: CoverHound Insurance Solutions CA License No. 0H52375