The healthcare industry is the top target for cyber attacks, and its employees are the first line of defense. A single frontline employee who clicks on a malicious email link (or manages to avoid it) can make the difference between experiencing a ransomware attack or not.
Despite being one of the industries most likely to view itself as having mature security preparedness, healthcare is still too often unprepared for security risks – and cyber vigilance among the healthcare workforce is critical to meeting the challenges of emerging threats.
Meanwhile, artificial intelligence is transforming the risk profile for healthcare systems large and small, with new attack techniques emerging every day.
“Trying to understand what’s going to happen is always harder than fighting the final battle,” said Dr. Eric Liederman, CEO of CyberSolutionsMD.
Liederman will moderate an upcoming panel on empowering employees by promoting a safety mindset at the HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31 – November 1 in Washington, DC.
“The problem most organizations face is that they take a top-down approach to the how,” says Liederman. While organizations use various approaches to train their staff to recognize threats such as phishing emails, “there’s no science behind it,” he said.
“It’s about education, but it’s also about helping them connect,” said Anahi Santiago, chief information security officer at ChristianaCare, who will join Liederman and the FBI’s David Fine on the panel.
Santiago described three keys to cybersecurity training:
- Know your audience.
- Learn how to engage your audience.
- Leave the door open for ‘report, report, report’.
From a security perspective, what’s relevant to a doctor will likely be different than what’s relevant to someone in finance, she said.
“It’s not about treating everyone the same and assuming that everyone is going to process the information the same way… and tailoring the message so that it’s relevant to what they’re doing.”
Being approachable is a conscious choice within ChristianaCare, Santiago says, and the message from IT is: “It’s OK if it’s not a reporting problem – report it anyway.”
While the door is always open for anyone to report any security issues within its organization, “one of the things we’re also doing, which I think has been really helpful, is this concept of a security roadshow.”
IT teams are meeting with departments to explain: “We’re not just cybersecurity professionals working on things that you think are really scary, and you don’t know what we’re doing,” she explained.
“We’re all known as the ‘don’t click that link people,’ and a lot of people think that’s all they have to worry about,” she said.
But there is so much more that healthcare workers need to be aware of.
“Emerging threats are always an area where we need to change and think: what are the risks that are lurking?”
Without scaring healthcare providers, cybersecurity professionals must think of new ways to prepare them, she said.
Deep fakes are a good example of what the future holds.
Business email compromise has “really picked up steam this year,” Liederman noted. While IT teams have instructed staff to avoid links in email and “don’t open attachments of something you didn’t expect,” he said, the next piece of advice doesn’t always hold up anymore.
It used to be, “If you have any doubts, contact the person who sent it. If you do, how do you know you’re talking to the real person?”
Santiago agreed that the level of sophistication of voice and video in deep fakes greatly increases the security risks healthcare organizations face.
These days, criminals are even going so far as to schedule Teams calls using their impersonations — “and they’re on video, and they look exactly like the person you would normally interact with on video,” she said.
To illustrate to ChristianaCare’s board the level of threat posed by deep fakes, she asked her team to create a video talking about the emerging cyber threats of generative artificial intelligence, which she estimated cost about $0.09.
After playing the fake two-and-a-half-minute video, “I told them, ‘I had absolutely nothing to do with that video,’ and the board looked stunned.”
The panel session, “Workforce Vigilance: Promoting a Safety Mindset,” is scheduled for Thursday, October 31 at 11:30 a.m. at the HIMSS Healthcare Cybersecurity Forum in Washington, DC.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.