- May 21, 2020
- Posted by: Pat Riot
- Categories: CyberSecurity, Healthcare, Security Operations
“People are the largest security vulnerability in any organization.”
Now that’s a negative quote! Unfortunately, it’s not entirely false. Studies show that around 90% of data breaches are caused by human error. Furthermore, a study done by The State of IT Security for 2019 found that 41% of the 319 respondents encountered a security breach in 2019. Meanwhile, 20% still had no idea whether they had been attacked or not. Over 75% of those attacks came in the form of a virus/malware attack or a phishing scheme. Ransomware, identity spoofing and password attacks each accounted for 40% of reported attacks. If you didn’t know already, each of those attacks is banking on the fact that a human on the target computer will enable the attack to execute via something as simple as a click on a link. While it’s probably true that 100% of people are aware that cyber threats exist, the percentage of people who understand those threats is far below that threshold.
For instance, all of us are aware heart attacks exist. However, a large majority of the population, myself included, does not manage or monitor their cholesterol intake to the satisfaction of their cardiologist. Many users, just like many patients, are at least vaguely aware of the threats that could impact their systems. The vernacular used to talk about said threats is where the understanding tends to decline. We may be talking about the same topics but if we are not speaking the same language to understand the possible implications, then we are just setting each other up for failure. If employees can’t recognize the threats coming at them, how can they be expected to avoid or alert someone to rectify the impending attack? You simply can’t. But, you can educate them!
So, since people are the most likely to allow an impending attack to execute, yet at the same time are obviously a vital part of any organization’s day-to-day operations, what can we do? Well, first and foremost, shifting the narrative is imperative to a more positive outlook. Many of us, unfortunately, do not find anything ‘cyber’ fascinating. But something as simple as clearing your cookies and using multifactor authentication is just as important, and just as simple, as brushing your teeth and taking a shower. On the other hand, neglecting it can bring about serious ramifications, just as disregarding personal hygiene can. Once the narrative has at least been accepted, we can then start to educate and engage each other in order to retain the information we’ve learned.
As previously stated, education is pretty important. It is a fundamental building block to anything in life. Thanks, Captain Obvious. Seriously though, and I can’t stress this enough: even basic recurring education can be the difference between ignoring the signs of an impending heart attack and knowing that a pain shooting down your left arm means a call to 911 might be necessary. My own mother, a bright woman in every regard and a registered nurse (ER) by trade, said: “the hospital gives us these tests all the time, and we fail those damned things all the time.” To laugh at the comedic relief is okay! But it is important to see the unfortunate irony as well. Education is only useful if it can be retained and then put into legitimate practice. So what do you have to offer?! An idea. A novel new way of teaching an old dog new tricks – gamification.
Gamification takes the pain points of learning new, often uninteresting material and puts a spin on them to incentivize employees and C-level executives alike to stay up to date, engaged, and thoughtful in their day-to-day operations. Employee-focused incentives can come in the form of a point system redeemable for various prizes (movie tickets, gift cards, lunch, etc.). C-level executives can be included in simulations known as ‘wargaming’, designed to prepare them, in a competitive manner, for various scenarios should they ever take place. Training should be recurring and not just another box on another triage checklist. Innovative techniques, and actually using them, are just as imperative in cyber security training as they are in the medical industry. Making education relatable and engaging is the important part. Medical schools don’t attract students by advertising their antiquated education techniques. So why does ‘cybercation’ have to be so mundane? It doesn’t, not anymore at least!
For more information regarding gamification of cyber security training for your medical practice, or any other topic covered here, please reach out! We would love to hear your thoughts and have a conversation!