If 95% of cyber-attacks are due to human error, why have so few clinicians been trained to avoid them?

New study finds a serious lack of urgency among many clinical executives regarding cybersecurity awareness.

Clinical executives must act now. Here’s why:

On March 18, 2021, an unsuspecting employee of the Health Service Executive (HSE), the Republic of Ireland’s national health system, received a seemingly innocuous email with a Microsoft Excel attachment. Upon opening the document, the employee’s workstation was immediately infected with malware, ultimately enabling Conti ransomware to be deployed throughout 80% of HSE’s IT environment two months later.

According to a recent HIPAA Journal article, the attack would eventually knock the entire National Healthcare Network offline, preventing clinicians and support staff from accessing “all HSE IT systems, including clinical care systems, patient records, laboratory systems, payroll, and other clinical and non-clinical systems.”

The hackers, a group called Wizard Spider, then attempted to extort the organization by demanding a $19 million ransom for the server decryption keys. But while they finally provided the keys without payment, the damage had already been done.

As reported by BBC News, Ossian Smyth, minister for public procurement and eGovernment said at the time, “It’s widespread. It is very significant, and possibly the most significant cybercrime attack on the Irish State.” And unfortunately, he was right. It took several months for the HSE to decrypt, restore, and strengthen their systems – all at an estimated cost of $600 million.

It all started with a phishing email

When the dust settled, PricewaterhouseCoopers (PWC) was commissioned by the HSE board to determine and report on the causes of the breach – including the state of technical and operational preparedness leading up to the attack that permitted HSE systems to be infiltrated in the first place.

The HIPPA Journal review of PWC’s conclusions summarized the incident in two simple, but telling sentences: “The attack was possible due to a low level of cybersecurity maturity, weak IT systems and controls, and staffing issues… It started with a phishing email.”

New study reports a serious lack of security training – even as health workers remain targets

A recent survey found that many healthcare employees are alarmingly unaware of the risks of phishing and other social engineering threats. Conducted by Osterman Research for security awareness training provider KnowBe4, the results are both eye-opening and instructive for CISOs and clinical executives.

Key statistics revealed that:

  • Only 16% of health workers reported a clear understanding of phishing – demonstrating the least awareness relative to other industries surveyed.
  • Just 22% of respondents expressed confidence in their ability to describe the negative effects of cybersecurity risks to their organizations.
  • And while 60% of health workers reported receiving cybersecurity training throughout 2020…
  • 24% of healthcare employees said they received no training at all in the same period.

While HIPAA (the U.S. Health Insurance Portability and Accountability Act) requires regulated entities such as healthcare delivery organizations (HDOs) to provide employee cybersecurity awareness training, the report found that it’s still sorely lacking in many organizations. The GDPR (the EU’s General Data Protection Regulation) and associated patient privacy protocols govern similar compliance requirements in Ireland, several of which appear to have been overlooked by the HSE.

Why isn’t cybersecurity awareness a top priority for clinical executives?

Recent years have clearly shown how severely the healthcare industry has been affected by the global pandemic – not the least of which has been increased exposure to cyber-attacks. And with towering statistics including a 470% increase in attacks between 2019 and 2020, HDOs must do more to protect organizational and patient security – and that of their highly sensitive protected health information (PHI).

According to global cyber education company Cybint, “95% of cybersecurity breaches are due to human error,” much stemming from inconsistent cyber hygiene practices, poor password management, and a lack of continuous cybersecurity awareness training. Technology can help. For example, robust endpoint security and tools like single sign-on (SSO), multifactor authentication (MFA), privileged access management (PAM), and password managers can streamline and secure clinical workflows.

But the fragilities and inconsistencies of the “human factor” don’t end there. The solution lies with a renewed sense of urgency to promote continuous cybersecurity training programs at the executive level – specifically from nursing and physician executives and their counterparts responsible for managing critical support staff.

Doctors and nurses are surely stressed – but security training must become an imperative

Clearly, healthcare workers are understaffed, overworked, and stretched to the limit by the continued pressures from a range of pandemic-era stressors. But the fact remains that cybersecurity in healthcare has become far more than potential financial, business, and operational concerns. As the health professionals at Ireland’s HSE can surely attest, it has also become a critical patient safety issue – just as the development and execution of robust security training programs must become a mission-critical initiative for more HDOs.

In the article, Cybersecurity Training Is Essential in Healthcare, Dr. Jessica Sapp notes, “A physician’s and nurse’s primary role is patient care. They have unique factors that affect their availability for training.” The associate professor of the School of Health Sciences at American Public University continues, “Physicians and nurses have limited time away from their duties with patient care, and they have medical-related training and continuing education demands. However, their cybersecurity training is necessary in every organization’s cybersecurity plan.”

Boost defenses with continuous training and a strong cybersecurity culture

In a bit of good news, the KnowBe4 study found that by participating in monthly security training sessions, employees reported being 34% more aware of the dangers of suspicious email links and attachments. “Employees don’t need to become security and privacy experts, but their responsibilities with privacy and/or legal matters need to be made clear,” the study concluded.

But reducing risks associated with human error requires more than training alone. Security education experts agree that the most effective cybersecurity defense strategies rely on creating a security-focused culture to most significantly minimize opportunity for human error. According to human risk management solution provider usecure, “In a security culture, security is taken into consideration with every decision and action, and end-users will actively look out for and discuss security issues as they encounter them.”

How to create a cybersecurity culture in your healthcare organization

The trick for clinical executives and other senior management is to foster an environment that empowers employees to support – and champion – a security-centric culture. The experts at MetaCompliance, a cybersecurity, compliance, and training firm offer some useful tips for establishing a security culture in healthcare settings:

  • To promote positive behavior change, your cybersecurity awareness program must highlight the critical role your staff plays in securing sensitive patient information.
  • Clearly identify your most valuable data assets – and review all access privileges – to help define your program and shape supporting messaging.
  • Avoid ad-hoc approaches. Carefully plan and execute a formal security awareness campaign to elevate its importance and enable a more comprehensive roll-out.
  • Encourage CEO and other senior executive endorsement to boost program credibility, value, and urgency.
  • Revisit and promote organizational policies to help staff more clearly understand processes and procedures – and their roles in complying with them.
  • Review staff readiness to quickly address performance and noncompliance issues and improve your training programs.

In the face of increasing threat levels, HDO’s can no longer rely on technology and annual or semi-annual training sessions alone. Now’s the time to invest in more robust security awareness and preparedness for front-line healthcare workers – which is only possible through an enterprise-wide security culture supported by a continuous training regimen.