For nearly two years, the healthcare sector has been in the crosshairs of cybercriminals, thriving on outdated systems and banking on humans to open the door. In fact, in 2015, 60 percent of breaches were caused by insiders, according to the IBM 2016 Cyber Security Intelligence Index.
It's an issue well-known to healthcare's security leaders. However, it creates a major issue: How can an IT team build a well-secured system, while making sure it doesn't interrupt clinicians' ability to care for their patients?
Consumer-centric security
For Marin General, a standalone community hospital, just north of San Francisco, it was easy: Focus on people.
Marin didn't need to start from the ground up during its security upgrade in Jan. 2016, as it has the obvious tools in place like firewalls, antivirus and the like, according to Marin's CISO Jason Johnson. But the systems were disparate and needed to be brought under a unified umbrella.
Typically, when security managers begin a project like this, they look at the current technology and focus on filling in the gaps, explained Johnson.
"But we took a different approach to focus on the person and people because we knew that would the hardest needle to move and the most difficult to change," said Johnson. "We started to focus on the people in parallel to the tools in the stack."
His team started an e-learning, webinar-style orientation during the workday, for which his staff was compensated. Johnson explained training didn't just include PowerPoint slides and lectures on HIPAA. Rather, there were games and rewards, coupled with education about the real cost of a breach. Security awareness training is required annually for Marin, and it's integrated within new employee orientation.
His team also partnered with marketing, which created ads for a bug bounty program called Security Sleuths. The program rewards its staff members who report phishing emails or concerns to the IT team.
"I thought it would be gimmicky, but the gamification really spoke to people in a way I didn't anticipate," said Johnson.
Johnson's team also makes sure to have a visible presence and face. So that when staff has a pressing question, they know it's easy to reach out to is team for an answer before they make a mistake and, for example, click on a malicious link.
[...]
Source: Healthcare IT News (View full article)
Posted by Dan Corcoran on November 14, 2017 07:00 AM
Post a comment