This November marks 20 years since I performed my first HIPAA Security Awareness Training (SAT). I remember it vividly, because it was exactly one month after the Proposed HIPAA Security Rule was published in October ’98. It wasn’t long before I had a calendar full of SATs booked for organizations across the country that needed to comply with the new requirements.
Fast forward to today, and every week the news is filled with stories like those below (these two are pulled from recent editions of our IT Security News Blast) that demonstrate that two decades of SAT have not provided healthcare organizations with the cybersecurity they need.
Articles like these prompted me to take a look back through the 20 years of SAT presentations that we’ve used to train providers, payers, and clearinghouses – organizations with unique IT environments that operate in an industry that is among the most frequently targeted by “cyber” criminals.
As I scrolled through the decks, I wondered why, even after decades of instruction in IT security best practices, users remain so susceptible to the most basic tactics of cyber criminals.
Looking back at our trainings from the past two decades made one thing clear: until a few years ago, the content really didn’t change very much. Legacy Security Awareness Trainings consistently covered the same four categories:
Even though the curriculum was solid, it failed to address the evolution of how users in a healthcare environment interact with technology and data. It lacked the round-the-clock perspective that today’s mobile-first society now clearly demands. In the last ~10 years, we’ve seen the following trends:
These trends are what led us to change our approach in the early 2010s. Since then, we have received much better feedback on the effectiveness of our SAT materials.
The change we made was to shift our SAT message from “Here’s why this is important to the company,” to “Here’s why it’s important to you.” We focus on training people on a life skill – not just a work skill – one that centers around protecting themselves and using technology and information securely in all areas of their life.
Instead of presenting case studies of how breaches of healthcare organizations occur, we emphasize that every one of us is under attack 24/7/365. We have found that when people visualize security within their personal life and consider the personal impacts and costs, information security and data protection become real in a new way.
To bring cybersecurity “closer to home,” we use real-world examples of how cybercriminals have caused harm to individuals and organizations alike. Once users understand the risk they face personally and what they can do to protect themselves, they are much more likely to buy into an organization’s cybersecurity program. For example, users on the lookout for phishing attempts, be they personal or professional in nature, can raise the red flag on a suspicious email that may have slipped past a technical defense.
Users who learn to protect their personal pictures, bank accounts, and data at home, at work, and in public are critical to healthcare organizations’ cyber defenses. Cybersecurity is no longer just an inconvenient part of the job; it is now an essential part of daily life, and effective Security Awareness Trainings must address IT security beyond the office.