Healthcare workforces need to prep for deep fakes and AI-enabled cyberattacks

It's already happening: CFOs are getting Teams calls from their "CEO" asking for reports on financial transactions, says ChristianaCare CISO Anahi Santiago ahead of her appearance at the 2024 HIMSS Healthcare Cybersecurity Forum.
By Andrea Fox
10:29 AM


The healthcare sector is the top target for cyberattacks, and its employees are the first line of defense. A single frontline worker clicking – or knowing to avoid – a malicious email link could be the difference between experiencing a ransomware attack or not.

Despite being one of the industries most likely to self-assess as having mature security preparedness, healthcare is still too often unprepared for security risks – and cyber vigilance across healthcare workforces is critical to meeting the challenges of emerging threats.

Meanwhile, artificial intelligence is transforming the risk profile for health systems large and small, with new attack techniques emerging by the day.

"Trying to understand what's coming next is always harder than fighting the last battle," said Dr. Eric Liederman, chief executive officer of CyberSolutionsMD.

Liederman will moderate a panel on empowering workforces by fostering a security mindset at the upcoming HIMSS 2024 Healthcare Cybersecurity Forum, scheduled for October 31-November 1 in Washington, D.C.

"The problem most organizations face is that they take a top-down approach to the how," Liederman said. While organizations use a variety of approaches to help train workforces to recognize threats like phishing emails, "there's no science behind it," he said.

"It's about education, but it's also about helping them to connect," said Anahi Santiago, chief information security officer at ChristianaCare, who will join Liederman and David Fine of the FBI for the conversation. 

Santiago described three keys to cybersecurity training:

  • Know your audiences.
  • Learn how to engage your audiences.
  • Leave the door open to "report, report, report."

From a security perspective, what's relevant to a clinician is probably going to be different than what's relevant to somebody in finance, she said. 

"It's not treating everybody the same and assuming that everybody's going to process the information in the same way … and tailoring the message so that it's relevant to what they're doing."

Being approachable is intentional across ChristianaCare, Santiago said, and IT's message is "It's OK if it's not a reportable concern – report it anyway." 

While the door is always open for anyone to report any security concerns that they may have at her organization, "One of the things that we also do, which I think has been really helpful, is this concept of a security roadshow." 

IT teams meet with departments to express, "We're not just these cybersecurity professionals that work on what you think are really scary things, and you don't know what we do," she explained.

"We're all known as the 'don't click on that link people,' and a lot of people think that's the only thing that they need to worry about," she said.

But there's so much more that the healthcare workforce needs to be cognizant of.

"Emergent threats are always an area where we need to sort of shift and think about – what are the risks that are coming down the pike?"

Without scaring caregivers, cybersecurity professionals must think of novel ways to prepare them, she said.

Deep fakes are a great example of what's next.

Business email compromise has "been really turbocharged this year," Liederman noted. While IT teams have told workforces to avoid links in email and "don't open any attachments from anything that you weren't expecting," he said, their next play doesn't always hold up anymore.

It used to be, "If you have any doubts at all, contact the person who sent it. Well, now if you do that, how do you know you're talking to the real person?"

Santiago agreed that the level of sophistication of voice and video in deep fakes vastly increases the security risks healthcare organizations face.

Today, criminals will go so far as to schedule Teams calls using their impersonations – "and they're on video, and they look exactly like the person that you would normally engage with on video," she said.

To illustrate the level of threat deep fakes present to ChristianaCare's board, she asked her team to create a video of her talking about the emergent cyber threats of generative artificial intelligence, which she said incurred a cost of about $.09.

After playing the two-and-a-half-minute fake video, "I said to them, 'I had absolutely nothing to do with that video,' and the board looked bewildered." 

The panel session, "Workforce Vigilance: Fostering a Security Mindset," is scheduled for 11:30 a.m. on Thursday, October 31, at the HIMSS Healthcare Cybersecurity Forum in Washington, D.C.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
