Hospitals can invest in the latest and greatest software security and have the most stringent policies in place for preventing a cybersecurity attack. But if employees lack an understanding of the importance of data security and privacy or the training needed to safeguard it, those defenses can easily be sidestepped.
That’s because a growing share of healthcare data breaches (59%) are caused by insiders within the organization, according to Verizon's 2019 Data Breach Investigations Report. Though some of these breaches are deliberate, most stem from accidental or negligent activity by employees who unknowingly expose patient data to attackers intent on stealing valuable medical information to sell on the black market.
This can happen when sensitive data is mishandled or employees are duped into providing their login credentials to a phony site, or when they click on an email link or attachment that infects their computer system with malware. Nearly a third of successful data breaches (29%) used stolen credentials from employees to gain access to critical information systems, the Verizon report found.
With phishing scams, malware and ransomware attacks on the rise, employees are often the weakest link in cyberdefenses. In fact, up to 75% of employees pose a moderate or severe risk to their organization because of their lack of data privacy and security preparedness, according to the 2018 State of Privacy and Security Awareness report conducted by MediaPro. Improved employee training in these areas is vital if hospitals are to keep pace with evolving cybersecurity threats.
What steps can your hospital take to continuously educate employees about data security and patient privacy protection? Here are a few.
Keep them in the loop. Make sure all employees are up to speed on HIPAA security and privacy rules, as well as state rules regarding patient information, so they understand the regulations and the consequences of violating them. Provide monthly reminders via email alerts, newsletters, webinars or lunch-and-learns about new viruses, phishing ploys and other potential threats, along with clear guidelines on how to handle these scenarios. Incorporate cyberthreat awareness modules into annual training and employee onboarding programs that teach staff how to choose strong passwords, properly log on and off systems, and use mobile devices securely.
Make training relevant. Communicate cybersecurity policies and procedures in clear, concise language that everyone in your workforce can understand. Provide real-world examples that illustrate what a cyberattack looks like, what employees should do if they encounter one, and how to report security concerns. Include low-tech risks as well, such as someone slipping into an office behind an employee who has just used a badge to open the door (tailgating). Train staff to ask for credentials when they don’t recognize someone, and never to leave electronic devices or paper records unattended. Deliver training in a variety of ways, from posters and written materials to virtual training and small group discussions, to keep precautions top of mind.
Test their knowledge. Evaluate the impact of your cybertraining efforts by quizzing employees on what they need to know. Include tests with training content to quiz them on the basics of data security, protocols for protecting patient data, and acceptable practices for email, mobile device and social media use. Occasionally send out mock phishing emails to see who falls for them. Track the results of these tests to identify where the gaps in knowledge are and which departments or employees need further training. If you are educating your staff properly, you should see a decline in security incidents. If not, you may need to update your training materials or tweak your approach to delivering them.
To learn how Parallon safeguards patient data for its revenue cycle clients, reach out to one of our experts today.