CISOs weigh in on building security-focused culture

BOSTON – Cybersecurity is of course not just about technology and compliance frameworks. For healthcare systems large and small, it’s a human-scale challenge – where human factors are still, always, the weakest link in any given security program.

At the HIMSS Healthcare Cybersecurity Forum on Thursday, Erik Decker, chief information security officer for Intermountain Health, led a discussion with other infosec leaders on how they are helping to promote greater awareness among the healthcare system’s workforce.

He was joined by Renee Broadbent, Chief Information Officer and Information Security Officer at Connecticut-based SoNE Health, and Christian Dameff, medical director of cybersecurity, UCLA Medical.

They explored how embracing a collective and collaborative approach to cybersecurity at all levels of a healthcare system can be a major challenge, but one with greater rewards. They also provided their perspectives and shared tips on employee training and accountability, getting buy-in from all types of workforces, and building trust in the cyber programs.

The good news is that each of the three IT leaders reports that their employees are more aware of their responsibilities for enterprise-wide security.

From the board and C-suites to now, “we’ve seen people starting to understand it better,” Broadbent said.

Still, Dameff said it’s important not to take anything for granted — neither to assume that all rank-and-file employees are careless and just a stray click away from an accidental insider threat, nor to be complacent that this or that training exercise has put the entire workforce on the path to cyber hygiene.

It is critical to “check our biases at the door,” he said. “Get out of your own bubble. Out of your own silo. Go out and talk to people.”

It’s great to see people reporting a phishing attack. “But that is low-level evidence. That may confirm your preconception that the culture is moving in the right direction – while most people may not know you are rolling out a new restriction,” Dameff said.

Still, Broadbent said she was encouraged to hear that every time a company-wide email was sent out by executives, at least a few employees asked her, “Is this real or is it phishing?”

“We phish everyone once a month, on schedule,” says Decker. “We track click-through rates, but there will always be one click.” More illuminating, he said, is not the click rate, but the number of employees who reported the fake phishing messages.

As for reprimanding employees who fall for phishing scams, “I’m always 100% against that. It will erode the trust of the cyber program,” he said. “I don’t believe damages should be imposed unless they are egregious. It should be an opportunity to educate people.”

“We want them involved in the mission,” Dameff agreed.

But while it has clear value, “phishing simulations are not security culture,” Decker said.

And building more comprehensive cyber awareness requires a more nuanced approach.

Employees, believe it or not, understand the realities of data security. “They’re all broken in 50 ways as of Sunday,” Dameff said. “They’re all doing credit checks because their Netflix accounts were hacked.”

When people over-share what they already know, “they become numb to it,” Dameff said.

The most important thing is that interests are communicated accurately and adequately, and that employees – especially physicians – realize the difference they can make, not only in data security, but also in patient safety.

“For example, if it’s a nurse or a doctor who gets this phishing simulation, I want them to understand that they have the responsibility on the network, and that only their access can make the difference in whether an enterprise is attacked at a widespread scale,” he said. “That could impact the patients they are caring for that exact day.”

Undoubtedly, communicating that consistently and making it work by rote is easier said than done. And it is even more complex to do this for different stakeholders across the organization, who have different tasks, different priorities and different ways of understanding.

It requires a ‘delicate balance’ and going beyond the ‘mundane’. It means “pruning, active involvement,” Dameff said. “Developing that kind of cultural drive requires attention to detail and mixing messages, different types of media, connecting people where they are and in the languages they speak.

“It’s disheartening and it falls on our shoulders,” he added. “But at the end of the day, it’s so important because right now there isn’t a single box you can buy or a software product that solves this without taking human error into account.”

Mike Miliard is editor-in-chief of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.