Even with the myriad of system vulnerabilities that can open the door for cyberattacks, the biggest vulnerability in any organization is the people. One mistake among employees can lead to the compromise of entire systems, and even individuals well versed in technology are not immune to error.
In the healthcare industry, closing these gaps matters more than in most other sectors. Beyond financial information, a cyberattack can compromise confidential medical records and erode trust in an organization. Establishing a strong cybersecurity foundation is only one step toward achieving compliance for a care provider, and it involves far more than setting up basic countermeasures.
Because the human element can never be fully removed from any system, it falls to organizations both to educate employees on the finer points of cybersecurity and to build systems that account for human error. Additionally, any security measure that is implemented should interfere as little as possible with employees' ability to do their jobs.
Enter Human-Centered Design (HCD). A principle that can underlie any product or service, HCD refers to anything created with common human behavior in mind. For cybersecurity, HCD means designing controls so that they account for the mistakes anyone may make.
Inevitably, the first step to promoting good security practices is education. Staff members are far more likely to make errors if they don't know what to look for. Standard employee training programs should cover these practices, especially in conjunction with training on specific computer systems. Give employees some perspective on how these attacks spread; knowing how much damage opening a suspicious email can cause helps them proceed with caution.
Education should ideally go beyond a simple presentation and strive to engage employees. These sessions should allow for individual input and explain the costs of a breach. Beyond prevention, employees should also know what steps to take if they believe they have been targeted or that a system has been compromised. This means giving them easy ways to reach the IT department so they can report a potential problem as soon as possible.
Marin General Hospital even set up a system for reporting attacks, rewarding any employee who reports a threat to IT.
As an IT professional, it is easy to get locked into a specific way of thinking. Tools and techniques that seem commonplace may be utterly alien to some employees. Be aware of how each employee interacts with a given system, and strive to integrate any solution seamlessly into their daily work. For instance, setting up the infrastructure to encrypt email can be difficult, but rolling it out on a limited basis, starting with the contacts each employee communicates with most frequently, can seriously cut down on potential vulnerabilities.
Programs to bolster cybersecurity exist not only to fix technical issues but to hedge against internal mistakes by employees. Even as attackers create more and more advanced malware, the simplest phishing scheme can still cost an organization thousands of dollars. By designing a cybersecurity program around the needs of employees, IT professionals can head off attacks before they ever happen.