HEALTHCARE SECURITY FORUM: A HIMSS EVENT
Boston, MA, Oct. 15-16, 2018
By Barry Herrin, FHIMSS
Founder, Herrin Health Law
If you are worried about insider threats, you should be. The Ponemon Institute reported this year that insider threats now account for 87 percent of all cyber incidents: 64 percent from privileged user negligence and 23 percent perpetrated by malicious insiders.
In other words, education at many organizations has failed – as have perimeter defenses, rendered ineffective against increasingly sophisticated attacks.
Given that, perhaps healthcare organizations should consider their employees as threat vectors rather than innocent victims of cybercrime. A number of recent studies have demonstrated that such an approach can help improve cyber hygiene – without purchasing new technology or hiring additional internal security personnel.
With that in mind, when it comes to thwarting insider threats, consider the following changes (if you haven’t already) to your policies and procedures:
Change training focus from “threat prevention” to “patient safety”
Align internal cybersecurity training with patient safety initiatives – and away from the “business” of the health information technology department. Studies have shown that such training can be effective, provided it demonstrates to employees that it protects patients from injury.
Empower employee surveillance
Train employees to recognize suspicious patterns of behavior or wrongful conduct, and provide incentives for reporting that conduct. This is critical to promoting compliance in the workplace and decreasing complacency.
Treat information technology access as a privilege and not a right
Define and limit access to information technology by role, and include this role-based access in job descriptions for each position within the enterprise.
Cut the cord to social networking sites and personal email accounts
Eliminate employee access to all social media and commercial email sites on enterprise technology assets. Instead, require employees to use their personal devices to access these platforms. This will help minimize social engineering risks and inappropriate access to enterprise data systems.
Incorporate IT issues into the termination process
Physical and cyber access to critical systems and spaces should be terminated at the time the decision to terminate is affirmed – not during or after the exit interview.
Decide when to shift from education to punishment
Studies indicate that employees who routinely violate known enterprise IT policies cause more than half of insider threat incidents. The decision is not whether to punish continued negligence, but when to make that shift.
Barry Herrin, founder of Herrin Health Law, P.C., will be speaking more about this topic at the Healthcare Security Forum, Oct. 15-16, in Boston. His session “Clamping Down On Your Weakest Link” will be held 2:20 p.m.-3 p.m. Oct. 15.