How training and continuing education are crucial for healthcare cybersecurity leaders and staff
Photo: John M Lund Photography Inc./Getty Images
Training is one of the main components of protecting against cyberattacks. And this goes not just for healthcare provider organization employees but also the security managers and staff – especially those looking to get ahead.
This is the topic of "In-house Career Development: Hiring from Within," an educational session at the HIMSS Healthcare Cybersecurity Forum, December 5-6 in Boston.
The session is a fresh look at cybersecurity training within healthcare organizations and how security leaders and staff also can improve their knowledge, skills and abilities. Cybersecurity training of clinicians is different from that of administrators. Effective, meaningful training is essential not only for the wellbeing of the organization, but also for the employees within.
Notwithstanding this, cybersecurity professionals within organizations also need continuing education. A roadmap will be provided in the session to outline training and educational resources for individuals, organizations, contractors and others.
Melissa Elza, cofounder of GRC for Intelligent Ecosystems, a training and education organization where she serves as the chief people officer and head of the NextCISO Academy, is one of three panelists speaking during the session. She sat down with Healthcare IT News to offer a preview of the Healthcare Cybersecurity Forum session.
Q. How is cybersecurity training for administrators different from training for doctors and nurses?
A. Administrators are the gatekeepers of our private health information. Yes, all staff have to know about HIPAA and the precautions needed to keep that data safe. But the administrators are the ones transmitting our sensitive health data and other PII to the insurance companies, to other doctors, etc.
Administrators especially need role-based training to make sure they understand the types of attackers and what tactics they might use to come after this data. I recently read a statistic that something like 95% of cybersecurity breaches are caused by human error. That's a staggering number.
"We could have prevented most breaches through training. It's incredibly important."
Melissa Elza, GRC for Intelligent Ecosystems
That means we could have prevented most breaches through training. It's incredibly important.
Q. Cybersecurity training that works obviously is good for a healthcare organization. How is it also good for employees, including cybersecurity professionals?
A. The healthcare sector has suffered more than 337 breaches already this year, according to Fortified Health Security's midyear report. This was reported in September, so that number is absolutely higher now.
More than 19 million records were compromised in those breaches. Healthcare is already a stressful job, especially after the start of the pandemic. If patients are worried about their personal health information getting exposed, that only adds to the pressure of an already tough job.
Figuring out how to reduce these breaches and keep attackers out of our systems benefits everyone. Spending time training people can hopefully also lessen the burden on the triage and forensics teams in those organizations.
Q. What kinds of continuing education do healthcare cybersecurity professionals really need?
A. In cybersecurity, you're always learning. You have to be. Attackers are figuring out new ways to get into our systems every day, and we have to understand those new threats.
IBM releases a report every year called the "Cost of a Data Breach." This year's report said the average cost of a healthcare data breach is now $10.1 million per incident, which was a 9.4% increase from its 2021 report. That number will only keep increasing.
Education never really stops for us. It can't.
Q. What is an example or two of educational resources for cybersecurity professionals, and where can they find them?
A. At GRCIE, we strongly believe that community is what gets our students across the finish line. I don't think that changes once they get into the industry.
There are many excellent community organizations that have tremendous reach, like Cloud Security Alliance (CSA), ISACA, ISC2 and Information Systems Security Association (ISSA), which have local chapters in a lot of cities.
If you're a woman in cyber looking for other women, WiCyS is another wonderful organization supporting other like-minded women. Cyversity is yet another fantastic organization that supports women, minorities and underrepresented individuals.
All of these organizations offer continuing education to their communities. These community organizations bring professionals together so they learn how to protect us from these new threats together. If you're looking for ongoing learning opportunities, please check these organizations out.
The HIMSS 2022 Healthcare Cybersecurity Forum takes place December 5 and 6 at the Renaissance Boston Waterfront Hotel.Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.