Healthcare Information Security

HIPAA and Compliance News

Engaging users to augment healthcare security training

By Patrick Ouellette

The healthcare industry has unique data sets that are accessed by a wide range of individuals, with a host of government regulations hanging over it. So it stands to reason that new ideas and different approaches are needed for user training. As we discussed with Mac McMillan earlier this week, part of security training is changing non-technical user culture and instilling best practices on a day-to-day basis. Another aspect of helping staff members in a healthcare organization avoid human error is consistent engagement, according to Lance Spitzner, Training Director of the SANS Securing the Human Program.

SANS is a 200-person organization that teaches security professionals how to be better security professionals, but Spitzner’s Securing the Human team consists of about 20 individuals and focuses on educating non-IT people such as doctors and nurses. “We work with a lot of healthcare organizations and in many ways, healthcare has it the worst when it comes to securing data,” said Spitzner. “In healthcare, so many different people have access for so many varying reasons to protected health information (PHI) from various locations.”

Many organizations approach training only once per year and do just enough to maintain compliance. Reid Stephan, Director of IT Security at St. Luke's Health System in Boise, Idaho, which includes 100 clinics and seven hospitals, said that his organization at one time fit into that category but decided to change how it approached training. After some internal research, Stephan and internal decision-makers concluded that building an internal program from the ground up would have been too time-consuming. After learning of the Securing the Human program through the NH-ISAC, St. Luke's started offering the SANS training modules in the spring.

You can choose a basic awareness program where you check the boxes to ensure compliance. We had been doing that [to a degree] for years, but we felt like we had an opportunity to improve the quality of education for our employees. We decided on the SANS program because, in addition to price, it covers a wide range of topics and does so in a way that’s modular and consumable. SANS offers videos that are between 3-5 minutes in length versus a class that’s burdensome for users. These videos use good information and graphics while going at a solid pace without getting too technical.

As part of Stephan’s training budget at St. Luke’s, the organization purchased a bundle of SANS on-demand training packages. The on-demand videos are valuable because they allow staff members to get training without incurring the expense of travel to distant conferences where there are instructor-led classes.


Core training values and needs

One employee issue that Stephan sees, which isn't unique to healthcare, is getting employees trained on good email hygiene. Employees need to be aware that there are people out there who will send spear-phishing emails and want them to click on a link or open an attachment. Stephan said St. Luke's has had good success with the email modules.

Some video modules are optional and about half a dozen are mandatory that they need to view annually. If an employee has fallen prey to a phishing attack, they’ll have to go through that training course again. We’ll follow up to make sure they know what the risks and responsibilities are.

It depends on who you’re reaching out to, according to Spitzner. For example, he said doctors end up being some of the hardest people to train, especially the ones that have been around for a while and may be set in their ways technology-wise. The younger ones are a little easier to reach out to because they better understand the implications and uses of the technology. Part of education is squashing security myths, Spitzner said. “We were working with a healthcare organization that wanted to teach users about insider threats. The thing is, insider threats aren’t a big risk in healthcare. It’s too hard to try to figure out who among users may be upset or depressed,” he said. “In the defense industry, however, they’re a huge thing.”

When pressed about the definition of internal threats and how closely security professionals keep an eye on them, he said it's a matter of clarifying how people define the terms.

The problem here is there’s confusion as to what an internal threat means. The true definition of an internal threat is an individual on the inside causing harm with malicious intent. Alternatively, accidental is one of the No. 1 causes, but I would not consider that an internal threat. These are people trying to do the right thing, just making mistakes.
