Hospitals and other healthcare organizations are increasingly the targets of cyber security attacks.
In the first quarter of 2018, the sector was hit with 77 breaches, affecting the records of more than one million patients.
The most recent of these attacks comes from a group of hackers called Orangeworm, which is responsible for targeting healthcare computer systems in around 30 instances.
But security threats are not just the responsibility of the hospital IT team – all staff have a duty to exhibit safe behavior online.
To assist in the fight, we present the 1-2-3 of halting the hackers – Awareness, Prevention and Learning.
1. Awareness
Cyber terrorism may be something employees are aware of, but do they really understand what it means beyond the headline?
Staff are the best line of defense against an attack, but also the weakest link. They need to know the tell-tale signs of a phishing email, the importance of updating their passwords regularly, and other risk-minimizing behavior.
Improving staff awareness is essential, but internal communication managers are already battling to get their attention. Email is a failing, overloaded channel. Staff simply don’t read or react to emails as much as they used to.
Organizations need to employ more cutting-edge solutions to combat this cutting-edge threat.
Use desktop alerts to immediately grab staff attention for important security announcements. Design custom desktop screensavers or wallpapers to reinforce behavioral change every time staff log on to their computer.
A free cyber security screensaver is available to be downloaded and used by any organization.
It’s also worthwhile running off some printed versions to display on noticeboards in the staff rooms or common areas, for those employees who spend most of their day on wards and aren’t often at a computer.
Tools like these help build staff awareness over time, and can be particularly effective in supporting new content on your corporate intranet or campaigns like Security Awareness Week. Just as importantly, they’re silent delivery channels, meaning there’s no risk of patients being disturbed.
2. Prevention
After tackling the “what” of Awareness, it’s time to consider the “how” of Prevention.
Many recent cyber-attacks target organizations through a phishing email. Staff are invited to click a link or open a file. Once the link is clicked or the file is opened, their computer is infected – and so too is the organization’s network.
But forewarned is forearmed. Smart organizations are introducing internal training programs to educate staff about best practice online. While this may feel like ‘preaching to the converted’, if it helps prevent a single cyber security breach, it will be worth its weight in gold.
Remember also that new staff are joining the organization every day, who therefore won’t be aware of any previous attacks or the process for preventing them. Managers can’t treat security training as a ‘one and done’ exercise.
Consider testing staff knowledge by occasionally sending around a dummy phishing email. Track the number of staff who open the email or click on any of the links. This will provide a perfect snapshot of the scale of your potential security risk – as well as the necessity for further (perhaps immediate!) training.
Make sure to let staff know how the organization performed overall. A scrolling ticker is a great way to update everyone on the results – and keep cyber security top of mind.
3. Learning
When a security breach is averted or blocked, unfortunately it’s no time to sigh in relief and consider it ‘job done’. It’s important to record the details of what took place, how the attack originated, whether it involved emails, the corporate website or any other online channel, and ultimately to learn from the event.
IT managers will need to install the latest software patches, especially for core hospital systems. Information Security managers will want to review and update processes, particularly if the attack was successful.
However, all staff can benefit from the learnings gained. Circulating a security quiz can be a non-threatening way for staff to test their knowledge, and for managers to gauge where the critical gaps in knowledge are. Viewing their scores at the end could give staff an unwelcome surprise and encourage them to upskill themselves.
Beating cyber security breaches is an ongoing battle for organizations worldwide. Effective internal IT communication can help hospitals and other healthcare organizations stay ahead of the game.
About the author: Michael Hartland works in marketing at SnapComms, a leading provider of digital internal communication solutions.