Day three (and the last day) of the Hacking Healthcare workshop. Finally, we left the bad guys behind…well, sort of. Instead, cyber-security guru John Gomez, president of Sensato, focused on the greatest threat to your cyber-security: your employees.
“They are your weakest point, but also your greatest strength,” he said.
Consider the Anthem breach earlier this year in which 80 million patient records were stolen. The breach might have gone undiscovered if it weren’t for a single employee who tried to sign in to the system and noticed he was already signed in.
“If your employees are ‘security aware’ it could be a huge win for you,” Gomez said.
The challenge is that those of us who aren’t techies view discussions about IT as about as interesting as watching water boil; we don’t really like the IT department (they’re the ones who keep making us change our passwords and nagging us to log out when we go to the bathroom); and, quite frankly, we don’t see cyber-security as our problem.
Your first job, then, is to overcome those barriers. Here’s what Gomez suggests:
- Engage, engage, engage. This is absolutely critical to success, says Gomez. Basically, your employees need to view cyber-security as their Use the word “our” so they gain ownership. “Our” security; “our” data; “our” reputation. Tell them how much it will cost if there’s an attack and how it will affect every person’s job.
- Train, train, train. But make it fun. Tell stories (like some of the stories shared in the previous two blogs and in this white paper on hacking healthcare); use gamification; create competitions and publically recognize the most security-aware employee each month; hold lunch-and-learns with pizza on-the-house.Oh, and spend the money needed for this. After all, how much do you spend on firewalls and security testing? If you’re not focusing on your employees, you’re wasting your money.
- Establish a culture of offense. Train your employees to engage people they don’t know (particularly in a hospital where visitors and even patients may wander at will). Ask if the person is lost; if they can help. Gomez takes this advice from retail, where studies show that if your staff speaks to a customer it dramatically reduces the risk of shoplifting because the person now feels like they’re being watched. Why? Because that wandering stranger is not there to shoplift a necklace; but to shoplift your data.
- Identify executive champions. You need the C-suite involved. The CEO must address cyber-security in company-wide communications and show that cyber-security affects him/her as well (i.e., “I hate having to change my password 15 times, too.”).
So that’s the good side of your employees and cyber-security. In my next blog, I’ll tell you the bad news about your employees.