By Dr. Mauricio Angée, CISO, University of Miami Health System
Healthcare organizations have been experiencing an uptick in the number of security breaches since the start of the COVID-19 pandemic. While pre-pandemic cybersecurity was mainly focused on fortifying the network perimeter defenses, the pandemic required Information Technology (IT) and cybersecurity teams to quickly adapt to the new normal, the remote workforce. Healthcare workers are also required to adapt, driving the need for them to rely more on technology, such as telehealth, to provide patient care aiming to offer the same level of service. There is no doubt that the velocity in which healthcare organizations needed to provide solutions to the remote workforce was unprecedented. IT teams were at the front and center as business enablers in providing remote workers access to corporate networks expeditiously, while ensuring the security and availability to patient support systems was done in accordance with security policies.
The healthcare industry continues its transformation and innovation journey to provide high-quality patient-focused care and also to provide more efficient, faster and cost-effective healthcare services. However, new technologies cannot be deployed without considering the potential unknown cyber risks introduced to an organization. Some of the most recent security breaches in healthcare have been the result of targeted phishing emails campaigns, which resulted in breach of security exposing millions of patient records, and even opening the door for successful ransomware attacks. In 2017, HHS entered into a resolution agreement with a covered entity due to a violation of policy for the proper destruction of protected health information (PHI) records. In 2019, OCR launched an investigation against a GA ambulance company, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR discovered a lack of a failure to implement HIPAA Security Rule policies and procedures, and a lack of providing security awareness training programs. Under the HIPAA Security Rule, Sanction Policy 164.308(a)(1)(ii)(C), it requires covered entities to apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
Many healthcare workers don’t know or don’t understand the organization’s security policies, or they feel that cybersecurity policies may hinder their ability to provide patient care.
Employees’ action are often viewed as being a greater security risk in an organization. Recent security industry threat reports have concluded that one factor which has contributed to cybercriminals being able to penetrate corporate networks, which resulted in security breaches, was employees not following corporate security policies. Although the implementation of a security policy may improve the overall security posture of an organization, policies may not be effective if employees fail to comply. While I can agree with the fact that behavior adjustment is an essential part of any cybersecurity program, many technologies using AI are being developed to identify users’ misbehavior and take action to detect, protect and prevent security incidents. Security misbehavior can be broadly defined as the set of users who violate security policies, which leads to unauthorized access, security data breaches, or ransomware attacks. For over a decade, practitioners and researchers alike have emphasized the need to evaluate computer users’ security behaviors to develop and implement more secure information systems to mitigate risks. This problem has been looked at from many angles, including user awareness of security policies, security education, training, and awareness programs, computer monitoring, behavior intentions, users’ accountability, felt-responsibility, attitudes towards compliance with security policies, etc.; however, the problem still exists. A recent report found that healthcare workers are lacking cybersecurity training. Many healthcare workers don’t know or don’t understand the organization’s security policies, or they feel that cybersecurity policies may hinder their ability to provide patient care. A problem that poses a great risk to organizations, patient care, and patient safety. Some organizations have invested in cybersecurity awareness solutions based on Phishing simulation campaigns, that help employees recognize dangerous phishing emails, aiming to educate and change users’ behaviors. The question is: are these solutions really working? Are we overloading our healthcare workers with training requirements that may not represent the real world?
Security is a delicate balance between the risks and the security controls. If the controls are too lax, the risk is high. On the other hand, if the controls are too stringent, the risk is low, but this may lead users circumvent security controls and put organizations at high risk. There will always be tension between security controls and computer users (“users”). While security is important to ensure the protection of information and maintain a patient safety environment, users often perceive security controls to be an impediment, which often leads to violation of the organization’s security policies, putting the organization at risk of potential security breached. Some security researchers and IT professionals argue that cybersecurity is purely a technology issue. Others argue that cybersecurity management is a multifaceted domain that should be approached from many different directions, including technology strategy and human behavior.
The HIPAA Security Rule (Section 164.308 (a)(5)(i)) requires a covered entity or business associate to implement a security awareness and training program for all members of its workforce (including management). One size doesn’t fit all! Thus, cybersecurity awareness programs must be carefully planned, understanding the audience, and developing role-appropriate security awareness programs where individuals are cognizant of the consequences of their actions and how easily one click on an inappropriate link can compromise an entire network, which may, ultimately lead to the compromise of patient records, or even worse, open their organizations to ransomware attacks. In addition, healthcare organizations must develop and implement targeted/tailored security awareness training programs that promote responsibility and accountability that will help employees adjust their attitudes towards cybersecurity policy compliance. After all, “security is everyone’s responsibility.”