Healthcare: Is cybersecurity becoming one of the biggest compliance issues?

How to prevent staff from (accidentally) giving cybercrooks access to patients’ electronic health records

Cybercrime in healthcare has become epidemic. In 2015 alone, cyberattacks cost the US healthcare industry more than $6 billion, making healthcare the industry hit hardest by the latest wave of cybercrime. Electronic health records in particular are precious goods. So precious, in fact, that over the next five years, 1 in 13 patients will have their personal data compromised. The most shocking part about all this? In most cases, sensitive patient information is handed over almost voluntarily…

The healthcare industry has been so focused on regulatory compliance as it moves to digital record-keeping that cybersecurity has largely been an afterthought. This translates into a disastrous number of security breaches. Last year, more than 113 million electronic health records were compromised, according to the Office for Civil Rights (OCR) under Health and Human Services. But how do cybercriminals get their hands on electronic health records so effortlessly?

Human error

“You can easily point fingers, but the most likely culprit is probably you”, says Steve Osborn, a healthcare communication specialist for over 20 years. According to IBM’s Cyber Security Intelligence Index, 95 percent of all security breaches are caused by human error. “When we are talking about human error, we’re not talking about malicious inside attacks; just hospital staffers that click on a link in an email that looks genuine at first glance, but really isn’t”, Osborn explains. “So when it comes to protecting your facility against cybercrime, nowadays the question isn’t ‘Is my security technology up to par?’ (because it should be!). The question is ‘Are my employees up to par?’”, says Osborn.

Education is the key

So how do you prevent staff members from doing things that make your electronic health records end up in the wrong hands? Studies show that up to 70 percent of cyberattacks can be avoided by effective employee training.

“Healthcare facilities need to educate their employees: ‘This is what a phishing attack looks like.’ ‘Here’s how you can spot a spoofed browser.’ ‘Look at this email, what’s odd about it?’”, says Osborn. “However, there is a ‘but’”, according to Osborn. “Without review, 90 percent of what we learn is forgotten within 30 days. Even 20 minutes later, we have already lost 40 percent of what we’re taught.”

“The same goes for cybersecurity training”, explains Osborn. “An initial training to educate people on cybersecurity is great, but seems pointless if the majority of acquired knowledge is lost within one month. But then, how do you make people remember?”

Cybersecurity compliance through repetition

Repetition is proven to be far more effective than just a one-time training. “Unlike a one-time training, repetitively sharing small chunks of information creates permanent knowledge and awareness”, says Osborn. “In this case, reminding your staff members on a regular basis of the cyber threats that are out there, how to recognize them and how to guard your facility against them.”

“Obviously there’s no time to keep dragging staff members into a million and one training sessions, but you can still repetitively reach your staff members without taking them away from their daily activities. This can be done in multiple different ways. Some facilities prefer poster campaigns, other facilities take it up a notch and show compliance information on their screensaver, digital signage screens, COWs … you name it”, according to Osborn.

Repetition has previously worked to improve other compliance issues at numerous healthcare facilities. “The University of Tennessee Medical Center, for example, promotes hygiene by continuously reminding team members to wash their hands and their stethoscopes after each patient contact. They do this by looping compliance messages on every TV screen throughout their facility and a screensaver on 6,000 PCs”, says Osborn. “VCU Health in Richmond (VA) also uses its screensaver to continuously display error prevention messages on 7,000 PCs.”

The same can be done for cybersecurity. “It really doesn’t matter how you do it; it is, however, extremely important that you do it”, stresses Osborn. “By just putting a little effort into reminding your staff members of what they can and should do to prevent security breaches from happening at your facility, you truly are making cybersecurity the least of all your compliance worries.”

