Tuesday, May 24, 2016

Partnering With HR to Prevent Breaches

To help prevent breaches involving insiders, Health System's IT team works closely with the organization's human resources department and various business managers. Together, they determine who needs access to patient information and other sensitive data based on their precisely defined role.

Partner with the human resources department to clearly establish job roles and titles that are consistent across the enterprise. That helps ensure that, for instance, someone in the job category of "nurse level 1" in one part of the organization has exactly the same job and function as someone in the same category who works in another section of the organization, which matters especially when the enterprise encompasses several medical centers as well as a variety of specialty care clinics.

Once you work closely with HR and clearly define those job roles, enacting role-based access control is a much easier proposition. So, when someone is hired at a "nurse-1" level, the access they get "is pre-defined, embedded in the business, that is appropriate for a nurse 1". Any additional access outside of that has to be requested by their manager. That request is then passed on to the identity and access management team, which grants the additional access and logs it in the organization's systems as an exception.

Taking these steps helps avoid situations we've had in the past, where someone is hired and the hiring manager asks for the new hire to have the same level of data access as a more senior nurse who has been working at the organization for many years. Carefully controlling data access based on pre-determined job roles can prevent, for example, a new hire gaining access to patient data that is more appropriate for a nurse manager.

Security professionals also must work with business unit managers to adjust data access privileges as a worker's role changes. In the past that was viewed as an IT activity. We're starting to pivot on that now, partnering with the business and making managers understand that they are responsible for the access levels of their employees.

Managers now must, on a periodic basis, conduct data access reviews for each of their employees. If any data access is determined to be inappropriate, the IT provisioning team takes action to make access commensurate with actual job duties.
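The review loop described above, as an added example that is not part of the original post: a Python script that diffs each user's actual entitlements against the HR-defined role baseline plus the IAM team's logged exceptions, and flags anything left over. It covers the three cases the post raises: a new hire whose access was cloned from a senior nurse, a worker who changed roles but kept the old role's access, and an exception that was approved but has since expired. The role names, entitlement names, user names, export format and dates are all constructed for illustration, not taken from any real system.

```python
"""Periodic access review: flag entitlements that exceed a user's HR-defined role.

Everything below (roles, entitlements, users, the export format, the dates)
is constructed for illustration and is not from the original post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Role baselines: what HR says each job title is entitled to by default.
# Constructed example; a real deployment would pull this from the IAM role catalog.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "nurse-1": {"ehr:read", "ehr:chart-note", "pharmacy:view-mar"},
    "nurse-manager": {"ehr:read", "ehr:chart-note", "pharmacy:view-mar",
                      "ehr:export-census", "scheduling:admin"},
    "ward-clerk": {"ehr:read-demographics", "scheduling:view"},
}


@dataclass(frozen=True)
class ApprovedException:
    """An out-of-role grant requested by a manager and logged by the IAM team."""
    user: str
    entitlement: str
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str  # "no-exception" or "exception-expired"


def parse_export(text: str) -> Dict[str, Tuple[str, Set[str]]]:
    """Parse 'user,role,entitlement' lines into {user: (role, {entitlements})}.

    A user appearing with two different roles is a data problem in the
    export itself, so it is rejected rather than silently reviewed.
    """
    users: Dict[str, Tuple[str, Set[str]]] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, role, ent = (part.strip() for part in line.split(","))
        known_role, ents = users.setdefault(user, (role, set()))
        if known_role != role:
            raise ValueError(f"{user}: conflicting roles {known_role!r} and {role!r}")
        ents.add(ent)
    return users


def review_access(users: Dict[str, Tuple[str, Set[str]]],
                  exceptions: List[ApprovedException],
                  today: date) -> List[Finding]:
    """Return every entitlement a user holds beyond their role baseline that is
    not covered by a current, logged exception."""
    approved = {(e.user, e.entitlement): e for e in exceptions}
    findings: List[Finding] = []
    for user, (role, ents) in sorted(users.items()):
        baseline = ROLE_BASELINE.get(role)
        if baseline is None:
            # A role HR has not defined cannot be reviewed against anything.
            raise ValueError(f"{user}: role {role!r} has no HR-defined baseline")
        for ent in sorted(ents - baseline):
            exc = approved.get((user, ent))
            if exc is None:
                findings.append(Finding(user, ent, "no-exception"))
            elif exc.expires < today:
                findings.append(Finding(user, ent, "exception-expired"))
    return findings


# Constructed IAM export. alice was cloned from a senior nurse; bob has a logged
# exception; carol moved from nurse-1 to ward-clerk and kept nurse entitlements;
# dave's exception lapsed.
EXPORT = """
# user,role,entitlement
alice,nurse-1,ehr:read
alice,nurse-1,ehr:chart-note
alice,nurse-1,pharmacy:view-mar
alice,nurse-1,ehr:export-census
bob,nurse-1,ehr:read
bob,nurse-1,ehr:chart-note
bob,nurse-1,pharmacy:view-mar
bob,nurse-1,scheduling:admin
carol,ward-clerk,ehr:read-demographics
carol,ward-clerk,scheduling:view
carol,ward-clerk,ehr:chart-note
carol,ward-clerk,pharmacy:view-mar
dave,nurse-1,ehr:read
dave,nurse-1,ehr:export-census
"""

# Constructed exception log (hypothetical approver names).
EXCEPTIONS = [
    ApprovedException("bob", "scheduling:admin", "mgr.jones", date(2016, 12, 31)),
    ApprovedException("dave", "ehr:export-census", "mgr.jones", date(2016, 3, 31)),
]


def run_review(today: date = date(2016, 5, 24)) -> List[Finding]:
    return review_access(parse_export(EXPORT), EXCEPTIONS, today)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:6} {f.entitlement:20} {f.reason}")
```

Anything the script prints is work for the provisioning team: either revoke the entitlement or get the manager to request it properly so it is logged as an exception. Note that the review deliberately refuses to run for a user whose role has no baseline, because "unknown role" is exactly the inconsistency the HR partnership is meant to eliminate.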

Saturday, May 14, 2016

A Successful Security Awareness Organization Architecture - Identifying Key Behaviors

Identifying Top Three Problems within an Organization

The first step in building a security awareness organization architecture is to identify the top three user behaviors that present the most risk and vulnerability to the organization. Think about it: if your car broke down on the side of the road with a flat tire, a broken sunroof, and a missing cup holder, are you going to fix the cup holder first? Of course not! The same applies when revamping your security awareness architecture. Start with the biggest problem and then work your way through the list.

The 12 Key Behaviors Analysis

Over the years, when organizations are asked which user behaviors cause them the most problems, the answers have been remarkably consistent. While some unique, and sometimes amusing, answers have come up, more often than not they fall within one of the following 12 categories.

1- Call the help desk more quickly to report a potential problem or possible attack
2- Properly handle and dispose of PII
3- Stop visiting unapproved or potentially dangerous sites while at work
4- Stop using email for abusive or inappropriate purposes
5- Be more resilient to phishing attacks
6- Create stronger passwords
7- Be aware of abnormal or suspicious behavior in the workplace
8- Be secure when working remotely
9- Be more aware of mobile device, laptop, and tablet security threats
10- Give out less information online and on social networking sites
11- Be more aware of secure settings and computer behavior when browsing the internet
12- Be more aware of shoulder surfing, and make sure doors are properly shut behind them

Each of these categories represents a very real, and very fixable, problem within any organization, but the key is identifying the top three. Identifying the top three enables you to prioritize and get the most out of your efforts rather than trying to take on the whole world at once. Also, some of the smaller problem behaviors may be side effects of larger issues and will therefore decrease when the larger issue is resolved.

Who To Evaluate

Now that we know what we need to ask, the next question is who has that answer, and how do we make sure we don't get a biased response or get sent on a wild goose chase? For example, imagine that Bob had a horrible experience with identity theft and happens to be the head of IT. When you ask him what the top 3 problems are, you get the following:

1- Properly handle and dispose of PII
2- Give out less information online
3- More resilient to phishing attacks

Later you find that the real issues are:
1- Create stronger passwords
2- More resilient to phishing attacks
3- Call the help desk more quickly

This is a problem with any survey-type analysis, but the way to resolve it is to ask more than one person. For the purposes of our task we want to ask the stakeholders. The stakeholders give you an idea of what the top 3 overall (not department-specific) problem behaviors are within the organization. Furthermore, as a group, the influence of any one person's bias or bad experience is minimized, giving a more complete overall picture.

Now that the top 3 have been narrowed down, it's time to go to the CISO and ask (1) why those problems present a major issue to the company, (2) what the current training environment is doing to address them, and (3) what measurements are in place to gauge their success or failure.

Sunday, May 8, 2016

Five Healthcare Security Training Expert Tips

The need for wholesale data security training changes in healthcare is evident, whether it's educating non-IT clinical staff members on HIPAA basics or providing further education for IT professionals. Most healthcare pros will agree that the usual methods, such as annual training classes, aren't well suited to current technologies and compliance requirements. There isn't a proverbial silver bullet to fix the security gaps within healthcare organizations, but there are some success stories that experts have shared. These five lessons learned can be helpful for those looking to tweak, or even revamp, their security training procedures.

1. Top-down approach improves user awareness
To ensure that her staff abide by required protocols and procedures, one expert regularly educates and updates staff members on the importance of appropriate BYOD practices. The seriousness of safeguarding sensitive data needs to be conveyed from the top down:
Maybe on a quarterly basis, roll out the program again, remind people what the protocols are that they should be following, and reward people for improving procedures in their departments, making it a visible part of the organization so that everybody knows the company takes security very seriously, so they should, too.

2. Have a training model in place
Having an educated workforce that's aware of cybersecurity risks is critical to mitigating risk. Since getting that awareness and education out there is incredibly important, NH-ISAC is developing a national healthcare and public health cybersecurity education framework that will provide training and education. It's using the National Institute of Standards and Technology (NIST) cybersecurity framework as a foundation to help define healthcare, role-based cybersecurity education. Whether someone is an informatics nurse or an X-ray technician, the idea is to make security roles and responsibilities relevant to their specific job rather than taking a broad, one-size-fits-all approach.

3. Engage the user to help avoid human error
Another aspect of helping staff members in a healthcare organization avoid human error is consistent engagement. Focus on educating non-IT people such as doctors and nurses, as healthcare has it the worst when it comes to securing data: so many different people have access to protected health information (PHI), for so many varying reasons, from various locations.

4. Continual training is necessary
The healthcare industry needs greater awareness among users dealing with protected health information, and a different training model, because the current "class" model isn't working.

The problem with security training is that many of the techniques are focused on orientation training, an annual refresher, or a computer-based training (CBT) module. For the most part, one-time or yearly training isn't very effective in changing workforce behavior on a day-to-day basis. Users don't tend to learn in one-time scenarios; they incorporate best practices into their habits or workflow when they see the learning points on an ongoing basis, or in some continuous way.

HIPAA includes requirements for periodic training and security best practice reminders, and that's why the Office for Civil Rights (OCR) focuses on what kind of training organizations are doing. Documented annual training satisfies OCR. But if you really want to make a difference in your organization, in terms of the human errors people make and how people think about security as part of their workflow, that comes down to providing a constant stream of security awareness and reminders throughout the year so that it becomes second nature.

5. Train the security pros early on
Universities need to focus on the talent shortage and find a good way to teach people security basics, not only from an end-user perspective but also how to take all these different controls and put them into practice. The core pieces of cybersecurity education as they relate to healthcare have a few different focuses. Covering healthcare and its regulations is part of it, but we also teach the next generation of the workforce to ensure these cybersecurity students understand the technology and how it actually works, so they can make judgment calls when using a risk-based approach and more effectively secure critical infrastructure across all types of industries, healthcare included. Everyone needs to know what's going on in the industry.