The healthcare industry likely runs neck-to-neck with the financial services industry when it comes to consumer sensitivities around the privacy of their data—it might even outpace it. I mean, let’s face it, it doesn’t get more sensitive than personal health data. The diseases we have and the treatments we receive are sensitive from a personal point-of-view (e.g., mental health services) and from a cost consideration standpoint (e.g., suffering from a major illness or needing expensive medications that could impact the cost of, or even access to, affordable healthcare insurance).
This certainly comes as no surprise to members of the industry. Due to the sensitivities of personally identifiable information (PII) as well as legal requirements such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the healthcare and pharmaceutical sectors have a broad awareness of the need for a strong security culture.
The pandemic heightened this awareness as it has fueled an increase in the adoption of telehealth and remote patient monitoring—both subject to their own data privacy risks.
The Healthcare Industry is a Top Target for Cybercriminals
Healthcare organizations have long been a favored target for cybercriminals. Whether a small clinic, a standalone hospital, or a large integrated healthcare delivery system, all providers are at risk. Healthcare organizations hold a lot of consumer information that cybercriminals are itching to get their hands on—and have a lot of technology and data at risk of being hacked.
Those risks can be significant.
The recent ransomware attack on Colonial Pipeline garnered national headlines. What may not have been so widely known in the U.S., was another ransomware attack that took place in Ireland—"a human-operated ransomware variant known as ‘Conti’,” as reported by ZDNet also in May. Ireland’s healthcare system was attacked by what was thought to be an international cyber-crime gang. Their goal: extorting money just as the pipeline hackers were able to do—to the tune of a reported $90 million in bitcoin ransom, eighteen times more coin than Colonial’s.
How are they doing it? Through a variety of means that don’t always (as is popularly believed) rely solely on technology risks but also on the risks of employees taking, or not taking, steps to adequately protect their organizations’ data.
Yet despite concerted efforts and high levels of commitment to protect patient data, there’s still room for improvement.
Opportunities for Security Improvement in Healthcare
KnowBe4 recently released their 2021 Security Culture Report. The report methodology provides industry specific insights into the state of culture across seven dimensions. What we found was that healthcare organizations do a relatively good job in terms of ensuring employees’ ongoing awareness of their security roles, being able to securely share information to employees as needed and having good industry-specific policies relative to data security and privacy. They fall short along a few dimensions though.
One area is related to “unwritten rules and acceptable behaviors” and how those are reflected in the actions and values of employees. Effective risk management relies on both employee familiarity with ways their actions, behaviors and inactions may impact risk (both negatively and positively) and an effective training program.
Perhaps because of all of the unexpected situations and uncertainties that have plagued the healthcare industry during the pandemic, even more than other industries, it is especially important that employees are closely tuned into security issues and that they instinctively understand what to do so they do not fall victim to phishing attempts or hackers, or put patient information at risk.
What’s required in healthcare and other industries is a transformational security awareness program, one that goes beyond an “event” or series of policies and proclamations that work in concert, rather than against, human nature. One that creates an ongoing, intentional focus on what we refer to as the knowledge-intention-behavior gap, which considers the idiosyncrasies of human behavior, thought and reasoning, social dynamics and the power of emotion.
Successful security awareness and, most importantly, successful security actions requires a culture of security owned not by the IT department but by the entire organization.
When we think about data security, too often we think first about technology. In truth, though, humans are the most important element of a successful cybersecurity program. It really doesn’t matter how much money you spend on tools. What matters most is your planning around the human factors that impact data security—because people impact security at every stage of the game, every day.
Where does the human element come into play in your data security risk management efforts?
About the Author
Perry Carpenter is author of Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors (Wiley, 2019). He is Chief Evangelist and Security Officer for KnowBe4, the world's largest security awareness training and simulated phishing platform. He holds a MS in Information Assurance (MSIA) from Norwich University and is a Certified Chief Information Security Officer (C|CISO).
