Monday, December 11, 2017

The Three C's to a Mature Awareness Program

A common problem we see in many awareness programs is that organizations understand WHAT behaviors they need to change but fail in HOW they attempt to change those behaviors. This is not to imply that a technical background makes a bad awareness officer - we need to understand the technology, risks and behaviors involved. However, where many of us fail is the soft skills required to change those behaviors. There are three soft skills that are critical to deliver high impact, effective security awareness training.

Communications
Ultimately awareness is about effective communication. Our goal is to both motivate people and enable them, as per the BJ Fogg Model. As such we have to first engage people and explain WHY they should care about cyber security. We then need to communicate to them in simple terms WHAT we need them to do and be sure people are enabled to exhibit those behaviors. In many ways this is similar to marketing - awareness is a product you are attempting to sell. The reason so many technical people struggle with this is that not only do we often have little, if any, training in communication, but we also suffer from what is called the Curse of Knowledge. This states that the more of an expert you are at something, the worse you are at communicating it. We perceive security as being simple while the rest of the world perceives it as scary and hard. If you want to smash through the Curse of Knowledge and improve your communication skills, start with the book Made to Stick.

Collaboration
Security awareness touches everyone in the organization, from interns and rank-and-file staff to senior executives around the world. Reaching all these different people in different locations requires you to work with people throughout your organization. What you communicate, and how you communicate it, to the IT department is going to be very different from what and how you communicate with the research team or the sales team. In addition, since security awareness programs require so many different skill sets and coordination with other departments, you could be working with groups such as Audit, Help Desk, Human Resources, Communications, Legal, Training, Security, Project Management, the LMS team and Branding, among others. Effective awareness programs require an ability to collaborate and work with other groups within your organization. One way to approach this is to create an Advisory Board made up of people from these various departments. Have them help you build, maintain and measure your awareness program from the beginning.

Culture
Culture goes beyond behaviors alone. Culture also includes the perceptions, attitudes and beliefs people have towards cyber security. Culture, and the process of incorporating emotion, can be challenging for technical people to grasp. Your existing culture plays a key role in how you communicate and collaborate in your organization. Outgoing cultures, such as those found in technology companies, prefer humorous content that they can watch and consume on their own schedule. Conservative cultures, such as in insurance, finance or government, tend to prefer more subdued or professional content: materials people can read, or instructor-led sessions delivered only during office hours. Quite often organizations will have multiple cultures, especially organizations with very different generations. Ultimately, to create a secure culture you have to first understand and adapt to your existing culture.


Ultimately, to create a mature awareness program your organization will need to leverage both technical skills and soft, human skills. Most security awareness professionals already understand the technical issues. Many awareness programs struggle on the soft side. By addressing the 3 C's of awareness, either by developing your own skills or bringing on others who have those skills, you will go a long way to changing people's behavior and ultimately your organization's culture. 

Saturday, November 25, 2017

A Healthy Team


Last year, over 112 million individuals had their personal data records breached via a healthcare industry breach. According to Experian, the financial losses to the healthcare industry were around $5.6 billion in 2016. But it isn’t just about the financial costs of lost data and the fines imposed. This is about patient care and the ethics that the healthcare industry is bound by. Of all industries, healthcare is, by the very nature of the job, a caring industry. Creating a culture of security through education will improve the standing of the industry as well as ultimately protect against financial losses.

But the security landscape is constantly changing. Cybercriminals are always upping their game to find new and innovative ways of exposing our data. Security awareness training is an ongoing exercise; it is about continuously improving the knowledge base of your extended team and giving them an understanding of what they are up against. A healthy security awareness program will create a healthy industry. Security awareness is a team effort. It gives us the tools to create a highly educated workforce where cyber-security threats can be dealt with by all as a team, before they become a breach.

Sunday, September 3, 2017

Getting Results and the Analysis

No security awareness program is complete without analysis of the training program and the outcome. Collating metrics and analyzing the results will show you how effective your campaign has been. This will give you the insight into any changes you may need to make to the program to improve the training; for example, changing the modules used. Security awareness tools like PhishSim will provide comprehensive reporting, which can be used for this purpose. Reporting can also provide evidence of return on investment that can be used to justify your use of security awareness training to C-level executives.

Monday, July 31, 2017

How to Set Up a Security Awareness Program in a Healthcare Environment

Now that you have the buy-in from your extended team, you need to think about the coordination and setting up of your training program. Security awareness programs don’t have to be complicated to arrange. Automation is the key to success in managing these types of operations. Security awareness is a program that has to cater for a wide demographic. To ensure the effectiveness of security awareness training it needs to be palatable, with usability and accessibility of the training modules being key. It also has to have a high degree of reinforcement through continued and regular training sessions that closely mimic real-life security scenarios. Security awareness programs like AwareED have been specifically designed to help you make the process of on-boarding and engagement in your awareness training as easy as possible. AwareED allows you to create tailored packages of modules that suit a specific team of stakeholders or a security scenario, for example phishing. Enrollment and customization are key features of an effective program.

Being able to enroll your users and start security awareness training from a centralized cloud management interface makes it easy to set up a training program. It also gives you effective administration for continued training. Automation then kicks in and starts the training, serving the training modules to your user base in a way that is easily digestible and that engages even the least technical of your team. To summarize, the prerequisites for setting up an effective security awareness training program are:

  • Easy enrollment
  • Good choice of modules to create tailored training packages for staff
  • Automation of training packages to user base
  • Continuation and repetition of the tailored packages
  • Reporting and analysis to continually improve education

Wednesday, June 21, 2017

How to Sell Security Awareness to Your Stakeholders

We all know members of staff who grumble at anything outside of their immediate job remit. But because of legislation and the increasingly threatening nature of modern cyber-security, being security-aware is part of the role of a healthcare worker. All of us have the duty of caring for patient data. So how do we engage staff in the process of security awareness?

Security awareness training packages, if done well, will be configured to engage staff; engagement results in better understanding. Security can be a dry area, difficult to drum up interest in. However, well-designed security awareness training packages like AwareED can be configured to work within the context of your organization to create tailored training campaigns specific to your needs.

One of the ways that you can make sure that your team is benefiting from the sessions is to make the training interactive and unobtrusive. People can get irritated when their workday is interrupted, so offering “security over lunch” or “brown-bag training”, which is an informal and less intrusive way of learning about security, can be highly effective. Another area that helps to focus training and make it highly relevant is to tailor the training campaigns to a person’s role in the organization.

Keeping security relevant, and making it part of the normal program of workplace onboarding and training in your organization, will make it an easier all-round sell to your extended team.

Ultimately, security threats need to be accepted as a serious issue across healthcare. This means engagement across your organization: from your top-level management, across all major departments, and ultimately by the people who will be trained, your workers. The fundamental message to bring them on board with is that understanding how cyber security is a threat, how that threat works, and how to mitigate that threat as an individual will benefit both themselves and the organization as a whole.

Monday, May 22, 2017

Who Are the Stakeholders Involved in the Training?

Security is about people. The human touch point is often the weak link in the chain. Cyber-threats take advantage of this by utilizing social engineering, as seen in the rise of phishing as a vector for attack. Security awareness is your tool in the fight against social engineering. But security awareness is also much more than this. It creates a level playing ground for your entire workforce and beyond, creating a ‘culture of security’.

With the addition of HITECH Section 13407, the number of stakeholders that need to be incorporated into a security-aware environment has been extended to cover all business associates that may have an interaction with personal data and PHI. This creates a highly diverse group, or eco-system, of stakeholders who are required to have a good understanding of the healthcare security landscape. This knowledge base then allows adherence to the tenets of the HIPAA and HITECH security rules. The end result of a security awareness program that encompasses all the possible players is an umbrella of security and privacy respect that will have positive outcomes across the entire eco-system.

Identifying who your key stakeholders are is the first part of the exercise in security awareness training. As mentioned previously, this has become a highly extended eco-system of players, brought into place by changes in the legislation governing information security in healthcare. Setting out your store in terms of who is a player will help guide your training exercise. However, the following list gives you an overview of the types of people involved in training:

  • Front desk workers
  • Administrators
  • IT and tech staff
  • Medics, including nurses, consultants and related roles such as social workers
  • Transcriptionists
  • Healthcare call center workers and managers
  • Medical claims handlers
  • Laboratory technicians
  • Researchers

Don’t forget: There needs to be a specific plan for bringing new employees on board, rather than waiting for the next security awareness training exercise. This will get them quickly up to speed and create a mind-set of security and privacy as they enter their post.

Thursday, April 20, 2017

Why Do You Need Security Awareness Training in Healthcare?

Security and privacy cut across a number of legal frameworks within the USA. There is a good deal of general legislation and guidelines that cover data protection and privacy and some that are more focused on healthcare. The USA has a mosaic approach to data protection with no overarching federal law to cover the security issues surrounding personal information. There are two main areas of healthcare legislation that cover the protection of personal data or protected health information (PHI): the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH). The two acts work in unison to cover the security expectations of the whole healthcare eco-system, extending outwards to healthcare providers’ business associates. Together, the acts set requirements to disclose data breaches, which are:

HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414: The rule requires that any breach of PHI must be disclosed to both patients and the government (breach meaning unauthorized data being used or disclosed). There are some nuances around the formal classification of a breach, but with the introduction of the HIPAA “omnibus rule,” which requires a risk assessment showing a “low probability” that the PHI was compromised before an incident can be treated as anything other than a breach, the chances are you have to declare the breach.

HITECH Section 13407 is enforced by the Federal Trade Commission (FTC). The act allows the data protection rules to be extended to all entities not specifically covered by HIPAA: for example, extended business associates of healthcare providers, business associates being anyone, such as contractors and sub-contractors, who is involved in any health-related data handling. One of the stipulations of the ruling is that for a breach involving more than 500 users you also must inform the media.

Security awareness in healthcare cuts across many layers. As well as the legislative drivers that demand security awareness, a healthcare team approach to security is driven by:
Ethics: Healthcare has by definition a layer of ethics attached to the practice. Healthcare data and in particular PHI are part of the ethical layer that all of us expect to be respected. We all, at some point, share health information with medical practitioners, so there is a personal element to the ethics of data protection as well as an organizational benefit.

Risky behavior is very common: A study by Cisco found that risky security behavior was almost the norm in an organization, with many respondents admitting to putting data at risk at work. Improvement of behavior towards security as an issue is a key selling point, especially to C-level executives who need to oversee a company-wide security strategy.

Benefits of security awareness: The whole organization and individuals benefit from being security-aware. Individual workers can “do their bit” by thwarting cyber-attacks. As cyber-threats against healthcare become more prevalent, the inclusion of all into the security equation is ever more important.

The climate of increasing threats against healthcare coupled with the need for legislative compliance makes healthcare a key industry for security awareness training. Creating an educated workforce that understands the implications of cyber-security on them and the industry is part of the overall healthcare security strategy. This is only compounded by the human element present in the most successful security threats, which are based on social engineering, e.g., phishing.

Wednesday, March 29, 2017

What Is Healthcare Security Awareness Training

The healthcare industry is arguably one of the most information-intensive. Personal health data is part of a critical pathway that impacts our everyday lives and health. The integrity and confidentiality of these data is paramount, not only for individual well-being but for continued innovation within the industry.

Being part of the big data revolution, at a time when the landscape of cybercrime has never been so threatening, has meant that the healthcare industry is a prime target for cyber-attack. In 2014 the FBI gave out a warning that the healthcare industry was neglectful in its attitude to cyber-security threats when compared to other industry sectors. The result of this is borne out in evidence found by IBM X-Force Research, which shows that the healthcare industry was the most frequently attacked industry in 2015. This is likely due to the unique position that the healthcare industry finds itself in: Healthcare faces a gap between handling the massive data generated by the wider industry, and understanding and mitigating the threats posed by cybercrime.

The situation is also compounded by the speed at which technology is changing. New ways of generating sensitive information are entering the information arena. According to research by PWC, 86% of clinicians believe that mobile apps will be an important part of patient health management in the next few years. And the entry of the internet of things (IoT) into healthcare adds a new layer of data protection previously not experienced.

With all of these variables coming into play, we need to take a pro-active stance and build a program of security awareness. Security awareness uses education and knowledge to tackle the specter of security threats, in all its forms. Security awareness covers the whole gamut of security and builds up a knowledge base across your extended workforce around security issues that they can call upon to help mitigate risks. Security awareness training brings everyone in the organization together under an umbrella of training. It ensures that the playing field of knowledge around cyber security threats is level. Security awareness is about:

  • Creating a culture of pro-active security—understanding what is happening in the wider security landscape, such as the significance of phishing
  • Creating a respect for individuals’ privacy
  • Knowing what protected health information (PHI) actually is and why it needs to be protected
  • Understanding that security is part of the whole organization and impacts everyone
  • Knowing which security and privacy rules apply to healthcare and what impact they have

Done well, security awareness training can become as integral a part of your overall security strategy as the technology you use to prevent the cyber-attacks.

Sunday, February 12, 2017

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector is a desirable target for cyber crooks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than awareness of financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

This situation has revealed the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of a medical center’s functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantage of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

Deep-Web and Darknet sources have shown a growing interest in the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, there have been several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

In May 2016, RDP access to a large clinic group with several branches in the central U.S. was offered for sale on a Darknet closed forum. For a payment of $50,000 in Bitcoin, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an electronic health record (EHR) system for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

In June 2016, another healthcare-related cyber incident surfaced. This time, three databases allegedly stolen via RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

Before long, more evidence of hacking into a medical-related organization emerged, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell SSH access to the server of an American company supplying equipment to 130 medical centers in the U.S. He uploaded screenshots proving that he had accessed the server where personal data of patients is stored.


The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data.

Sunday, January 29, 2017

Use Security Education and Awareness Programs to Your Advantage

Most successful attacks target end users in one form or another. Typically, attackers lure a company’s employees into either unknowingly divulging company secrets or passwords or trick them into clicking links or visiting websites that install malware on their computers. Worst case scenario, this happens to a user with domain administrator privileges and your entire network becomes a playground for the attacker.

Another common cause of reported breaches is lost or stolen devices that were not physically secured or properly encrypted. These devices, especially removable media, often hold sensitive data that is not protected with encryption, and are then stolen or lost. In my experience, when such incidents occur, employees will often argue that they were not aware of the corporate policy to protect such data or felt ill-equipped to use the technology made available to them.

An important component to prevent such situations from happening is to properly educate company employees. However, most corporate security education and awareness programs are antiquated, stale, boring, and lack tailored content for specific roles within the organization. Company employees often run kicking and screaming when such training is mandated, and executives either request exemptions because of their busy schedules or force their assistants to complete the training for them. After sitting through many such training programs, I really can’t blame them.

Based on my experience, I believe that a robust and effective security education and awareness program must contain the following key elements:

1) For all new employees:
  • On day one, all employees are required to complete a short, tailored and position-relevant security awareness training. Key to this training is that all new employees walk away understanding how to get security help if needed and know when and how to report a security incident.
  • New employees are provided with access to online resources such as information security policies and how-to guides for key security technologies and scenarios, e.g. how do I send a secure email, how do I handle PII, etc.
2) For company executives:
  • Companies should develop and deliver a tailored security education program for executives. The training should be customized for the individual executive and should be based on the most likely digital threats to the executive. This type of program should be coordinated with other physical security programs if such programs exist, as online and physical threats to executives are often linked. I recommend one-on-one training with the executive once per year as the most effective mechanism for this audience.
3) For traveling employees:
  • For companies with employees traveling overseas, provide specific training based on the countries being visited. Focus on the key tasks they need to perform while traveling, such as accessing email and sending documents, and what to do in case of a suspected breach or an attempted seizure of technology resources. Equally important is to ensure the employee understands any actions they need to take when returning from certain high-risk countries.
4) For IT employees:
  • Provide targeted training to information technology staff. Ensure developers know how to use secure coding best practices and how to secure and handle source code and other intellectual property. Make sure that all system administrators are well versed in the dangers of using domain administrator accounts to perform high-risk functions such as browsing the Internet or reading email. Also, ensure that system administrators are trained on the corporate policy regarding the safe handling of such accounts.
5) For all employees:
  • Security teams should consider their end users as one of their most important and valuable detection sensors and work to maintain the health of these sensors just like their IDS/IPS devices and endpoint sensors. This means providing end users with continual training and education, especially related to new threats.
  • For existing employees, perform simulated phishing for a percentage of the user base each month until all employees have been tested. Provide training for those failing the test, and rinse and repeat to ensure training effectiveness.
  • Finally, gamify your security awareness training and make it mobile friendly. Keep the content fresh and engaging for all generations of your workforce. Also, make the training relevant to both the employee’s work and home life, including being safe on social media. You know you got it right when your employees ask if they can include their family and friends in the training!
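The monthly rotation in the last list above (test a share of the user base each month, train those who fail, retest, repeat until everyone has been tested) and the reporting step from the September post (collate metrics to see how effective the campaign was) can be modelled in a few dozen lines. The block below is an added example, not code from any of these posts or from the PhishSim/AwareED products they mention; the workforce, the department names and the click outcomes are constructed sample data, and the `PhishingRotation` class and its method names are this example's own. It schedules only who gets a simulation and when, and then computes per-month and per-department click rates from the recorded outcomes.

```python
"""Monthly simulated-phishing rotation with campaign metrics (added example)."""
import math
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Employee:
    user_id: str
    department: str
    results: List[bool] = field(default_factory=list)  # True = reported, False = clicked
    needs_retest: bool = False  # failed the last simulation, trained, queued for retest

    @property
    def tested(self) -> bool:
        return bool(self.results)


@dataclass
class CampaignReport:
    month: int
    sent: int
    clicked: int
    reported: int

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0


class PhishingRotation:
    """Rotate simulated phishing through the workforce, a fixed share per month.

    `outcome(employee, month)` returns True when the user reports the message
    and False when they click; in production this comes from the simulation
    tool's results, here it is a callback so the schedule can be tested offline.
    """

    def __init__(self, employees: List[Employee], monthly_share: float,
                 outcome: Callable[[Employee, int], bool], seed: int = 0):
        if not 0 < monthly_share <= 1:
            raise ValueError("monthly_share must be in (0, 1]")
        self.employees = list(employees)
        self.quota = math.ceil(len(self.employees) * monthly_share)
        self.outcome = outcome
        self.rng = random.Random(seed)  # seeded so a run is reproducible
        self.reports: List[CampaignReport] = []

    def complete(self) -> bool:
        # Done when everyone has been tested and nobody is waiting for a retest.
        return all(e.tested and not e.needs_retest for e in self.employees)

    def run_month(self, month: int) -> CampaignReport:
        # Retests of last month's failures go first so the training is verified,
        # then the remaining quota is filled from users never tested so far.
        retests = [e for e in self.employees if e.needs_retest]
        untested = [e for e in self.employees if not e.tested]
        self.rng.shuffle(untested)
        batch = (retests + untested)[: self.quota]
        clicked = reported = 0
        for e in batch:
            ok = self.outcome(e, month)
            e.results.append(ok)
            e.needs_retest = not ok  # failure: enrol in training, retest next month
            if ok:
                reported += 1
            else:
                clicked += 1
        report = CampaignReport(month, len(batch), clicked, reported)
        self.reports.append(report)
        return report

    def run_until_complete(self, max_months: int = 36) -> List[CampaignReport]:
        month = 1
        while not self.complete() and month <= max_months:
            self.run_month(month)
            month += 1
        return self.reports

    def department_click_rates(self) -> Dict[str, float]:
        """Clicks per simulation sent, aggregated over all months by department."""
        sent: Dict[str, int] = {}
        clicks: Dict[str, int] = {}
        for e in self.employees:
            sent[e.department] = sent.get(e.department, 0) + len(e.results)
            clicks[e.department] = clicks.get(e.department, 0) + e.results.count(False)
        return {d: clicks[d] / sent[d] for d in sent if sent[d]}


# Constructed sample workforce: ten users across two departments.
def build_sample_staff() -> List[Employee]:
    return [Employee(f"u{i}", "clinical" if i < 5 else "admin") for i in range(10)]


# Constructed outcomes: three users click their first simulation; after
# training everyone reports the retest.
FIRST_TIME_CLICKERS = {"u1", "u3", "u6"}


def sample_outcome(employee: Employee, month: int) -> bool:
    return not (employee.user_id in FIRST_TIME_CLICKERS and not employee.tested)


def run_sample():
    """Test 25% of the sample staff per month (quota of 3) until complete."""
    rotation = PhishingRotation(build_sample_staff(), 0.25, sample_outcome)
    return rotation, rotation.run_until_complete()


if __name__ == "__main__":
    rot, reports = run_sample()
    for r in reports:
        print(f"month {r.month}: sent={r.sent} clicked={r.clicked} "
              f"click_rate={r.click_rate:.0%}")
    print(rot.department_click_rates())
```

With ten users, a quota of three and three first-time clickers the rotation always finishes in five months and sends thirteen simulations (ten first tests plus three retests), whatever order the seeded shuffle picks; the per-department rates are the kind of figure the September post suggests putting in front of executives, and a rising report rate across months is the signal that the training is working.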