CISOs weigh in on building security-focused culture

Cybersecurity leaders from Intermountain, UCLA Medical and SoNE Health discuss the "delicate balance" of educating hospital staff – not just to avoid phishing tricks, but to gain understanding and appreciation for day-to-day cyber hygiene.
By Mike Miliard
03:45 PM

Photo: HIMSS Media

BOSTON – Cybersecurity is not just about technology and compliance frameworks, of course. At health systems large and small, it's a human-scale challenge – with human factors still, always, the weakest link in a given security program.

At the HIMSS Healthcare Cybersecurity Forum on Thursday, Erik Decker, chief information security officer for Intermountain Health, led a discussion with other infosec leaders about how they're helping to foster greater security awareness among health system employees.

He was joined by Renee Broadbent, chief information officer and information security officer at Connecticut-based SoNE Health, and Christian Dameff, medical director of cybersecurity, UCLA Medical.

They explored how embracing a collective and collaborative approach to cybersecurity across all levels of a health system can be a big challenge – but one with bigger rewards. They also offered their perspectives and shared tips on employee education and accountability, gaining buy-in from all types of staff, and building trust in the cyber programs.

The good news is that each of the three IT leaders reports greater awareness among their employees about their responsibilities toward enterprise-wide security.

From the board and C-suite leadership on down, "we've seen that people are starting to understand it better," said Broadbent.

Still, Dameff said it's important not to take anything for granted – neither to assume that all rank-and-file employees are careless and simply a stray click away from an inadvertent insider threat, nor to be self-satisfied that this or that training exercise has put the entire workforce on the path toward cyber hygiene.

It's crucial to "check our biases at the door," he said. "Get out of your own bubble. Out of your own silo. Get out and talk to people."

It's great to see people report phishing attacks. "But that's low-level evidence. That can confirm your bias that culture is moving in the right direction – when most people may not know you're rolling out a new mitigation," said Dameff.

Still, Broadbent said she was heartened to hear, every time a company-wide email was sent out from executive leadership, at least a few employees ask her: "Is this real or is it phishing?"

"We phish everyone once a month, on schedule," said Decker. "We do track and trend click rates, but there's always going to be one click." More illuminating, he said, is not the click rate but how many staffers reported the faux phish.

As for reprimanding employees who do fall for phishing tests, "I'm always 100% against that. It will degrade the trust of the cyber program," he said. "I don't believe there should be punitive damages unless it's egregious. It should be an opportunity to educate people."

"We want them to be vested in the mission," Dameff agreed.

But while it has definite value, "phishing simulations are not a security culture," said Decker.

And building more comprehensive cyber awareness takes a more nuanced approach.

Employees, believe it or not, understand the realities of data security. "They've all been breached 50 ways from Sunday," said Dameff. "They're all doing credit monitoring because their Netflix account was hacked."

Too much telling people what they already know means "they become numb to it," said Dameff.

What's key is to accurately and adequately communicate the stakes, and help employees – clinicians, especially – recognize the difference they can make, not just to data security but to patient safety.

"If it's a nurse or a doctor, for instance, that's getting this phishing simulation, I want them to understand that they hold responsibility on the network, and their access alone could be the difference in whether or not an enterprise is attacked at a large scale," he said. "That could impact the patients that they are taking care of that exact day."

No doubt, communicating that consistently, and helping it become rote, is easier said than done. And doing it for different stakeholders across the organization, who have different jobs, different priorities, different ways of understanding, is even more complex.

It requires a "delicate balance," and going beyond the "mundane." It means "pruning, active engagement," said Dameff. "Developing that type of cultural drive requires attention to detail and mixing messages, different types of medium, connecting people where they're at and in the languages that they speak.

"It's daunting, and it falls on our shoulders," he added. "But at the end of the day, it's so important – because as of now, there isn't some box you can buy or some software product that solves this without taking into consideration human error."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
