Healthcare Cybersecurity Training

Healthcare cybersecurity training - hipaaguide.net

One of the primary objectives of healthcare cybersecurity training should be to condition members of the workforce to be more careful when performing day-to-day duties in order to reduce the number of security incidents involving a human element. To achieve this objective, workforce members need to understand the real consequences of healthcare data breaches.

A common issue with healthcare cybersecurity training is that it is too "generic". Often, cyber security training for healthcare is based on topics that could apply in any industry, for example reducing susceptibility to phishing, password management, and how to report security incidents. Encryption might also be included if an encryption process requires user interaction.

While it is important these topics are included in healthcare cybersecurity training, it is equally important not to ignore the reasons why cybercriminals target healthcare data and the real consequences of healthcare data breaches, as these two topics are more likely to resonate with trainees than phishing exercises and prompt them to be more careful with healthcare data.

Why Cybercriminals Target Healthcare Data

Cybercriminals target healthcare data because it can be used to commit medical identity theft, obtain medical treatment and prescription drugs, and submit fraudulent claims to insurance providers. It is also harder to detect healthcare fraud than it is to detect financial fraud, so healthcare data can be misused for longer than (for example) stolen credit card data.

Depending on a cybercriminal's motives for acquiring healthcare data, it can be used to obtain medical treatment for themselves or for family members, obtain prescription drugs for personal use or to sell on the black market, submit fraudulent claims to insurance providers, file fraudulent tax returns with the IRS, and obtain credit in the victim's name that will never be repaid.

However, in most cases, healthcare data is sold on the dark web to organized crime groups who use it to carry out the above activities at scale. Depending on the completeness of the data, a single full medical record can sell for hundreds of dollars. This means that even a relatively small data breach of several thousand records can net a cybercriminal a million-dollar payday.


Cybersecurity "Solutions" Help, But Not That Much

The ongoing targeting of healthcare data by cybercriminals has resulted in a growing market for cybersecurity "solutions" designed to prevent healthcare data breaches. However, data extracted from the most recent HHS Report to Congress (2022) show that the number of breach notifications received by HHS' Office for Civil Rights each year has increased rather than declined.

It is not necessarily the case that the "solutions" are ineffective. Sometimes they are simply not suitable for all health applications. For example, multi-factor authentication can delay access to healthcare data in emergency situations, while data loss prevention software can block or delay legitimate communications when healthcare data is sent to recipients that are not on its allow list.

More often, it is a lack of user care in how solutions are used, configured, or circumvented that results in healthcare data breaches. As discussed in the next section, the "human element" is a contributory factor in the majority of data breaches, potentially because generic healthcare cybersecurity training neglects the real consequences of healthcare data breaches.

The Human Element in Healthcare Data Breaches

According to Verizon's 2024 Data Breach Investigations Report (DBIR), 68% of all data breaches analyzed for the report (n = 10,069) involved a human element. While this may appear to be an alarmingly high percentage, it includes data breaches in which a member of the workforce interacted with a phishing email and disclosed login credentials to an attacker.

The percentage of data breaches that involved a human element was slightly higher in Verizon's analysis of healthcare data breaches (70%). This was primarily because events such as misdeliveries of sensitive data (by mail and email), lost devices, misplaced paper records, and impermissible oral disclosures of PHI count as data breaches.

When misconfigurations and the actions of malicious insiders were included in Verizon's calculations, the revised percentage of healthcare data breaches that involve a human element increased to 83%, a figure that more closely aligns with the percentage of healthcare data breaches involving a human element in HHS' Breach Report Archive.

When reviewing HHS' Breach Report Archive, it is important to be aware that the Archive only includes data breaches affecting 500 or more individuals. According to HHS' most recent Report to Congress, HHS' Office for Civil Rights receives more than 60,000 breach notifications affecting fewer than 500 individuals each year, many of which also involve a human element.

The Real Consequences of Healthcare Data Breaches

Many sources discussing the consequences of healthcare data breaches focus on regulatory fines and sanctions. However, the likelihood of an organization being fined for a data breach is extremely low. For example, in 2022, HHS' Office for Civil Rights received 64,592 notifications of HIPAA data breaches, but settled only four compliance investigations with financial penalties.

For an organization, the most likely outcome of a compliance investigation is a corrective action plan that includes additional healthcare cybersecurity training. In 2022, HHS' Office for Civil Rights imposed 674 corrective action plans, while ~40% of descriptions in HHS' Breach Report Archive mention the provision of additional healthcare cybersecurity training.

However, these consequences are relatively minor compared to the operational and personal consequences of healthcare data breaches, and the impact that recovering from a data breach can have on the delivery of health care. These consequences need to be highlighted in healthcare cybersecurity training to prompt trainees to be more careful with healthcare data.

Operational Consequences

In May 2024, an employee of Ascension Health "accidentally downloaded a malicious file". The subsequent cyberattack resulted in EMRs, patient portals, phone systems, and the systems used to order tests, procedures, and medications being taken offline. Emergency admissions were diverted to nearby hospitals and many elective procedures were postponed indefinitely.

A report into the cyberattack published by CNN claimed patients' lives were being put in danger due to computerized safety guardrails being out of order. Healthcare professionals were unable to quickly access lab results to make critical decisions about patient care, and nurses were overwhelmed by the volume of paperwork, further compromising patient safety.

Personal Consequences

In addition to the immediate threats to patient safety, the misuse of breached healthcare data can continue to compromise patient safety for many years. It is often only when a patient requests access to their medical records or reviews their Explanation of Benefits that misuses of breached healthcare data are identified and removed from the patient's medical record.

A survey of medical identity theft victims conducted by Ponemon found that 15% of respondents had suffered the misdiagnosis of an illness due to somebody else using their identity to obtain health care, while 13% of respondents had received the wrong treatment for an illness due to somebody else's medical history corrupting their medical record.

The Recovery Impact

A third consequence of a cyberattack is a deterioration in the quality of care when hospitals adopt breach remediation measures to enhance data security. A 2019 study indexed in PubMed Central (PMC) found that hospital time-to-ECG increased by as much as 2.7 minutes and 30-day AMI mortality increased by as much as 0.36 percentage points during the three-year window following a breach.

In addition, many patients who have been victims of medical identity theft lose trust in their healthcare providers (56% according to the Ponemon survey). When patients do not trust that private information will remain private, they tend to disclose less about themselves, making it harder for providers to make accurate diagnoses and prescribe effective courses of treatment.

The HIPAA Cyber Security Training Standard

Not all organizations in the healthcare industry are required to comply with the HIPAA cyber security training standard (§164.308(a)(5)). For those that are, it is important to be aware that the security awareness and training program required by the HIPAA Security Rule must be implemented "in accordance with §164.306" (the HIPAA Security Rule's General Requirements).

The requirement to align the security awareness and training program with §164.306 means that generic healthcare cybersecurity training does not fulfil the requirement. This is because the HIPAA Security Rule's General Requirements require covered entities and business associates to:

(1) Ensure the confidentiality, integrity, and availability of all electronic Protected Health Information [PHI] created, received, maintained, or transmitted.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted under subpart E [the HIPAA Privacy Rule].

(4) Ensure compliance with this subpart [the HIPAA Security Rule] by its workforce.

Item #3 on the list is particularly relevant because it implies that all members of the workforce undertaking HIPAA cyber security training must understand what is considered PHI under HIPAA and which uses and disclosures of PHI are permitted. Without this knowledge, members of the workforce cannot comply with the Security Rule, and the organization cannot satisfy item #4 on the list.

In the context of cyber security training for healthcare, an explanation of what is considered PHI should also include the reasons why it is targeted by cybercriminals. This provides an opportunity to explain the real consequences of healthcare data breaches and why workforce members with no access to PHI still have to participate in HIPAA cyber security training.

It should also be acknowledged during HIPAA cyber security training that no combination of cybersecurity solutions can completely eliminate healthcare data breaches. Therefore, healthcare organizations should implement cybersecurity solutions where appropriate and train members of the workforce to use them in compliance with HIPAA, but focus more on reducing the human element in healthcare data breaches.

Tips for a Healthcare Security Awareness Training Program

Two worthwhile tips for a healthcare security awareness training program are to a) disconnect from a "sanctions for HIPAA violations" approach, and b) make the training more personal. Based on the increasing number of breach notifications received by HHS' Office for Civil Rights, the threat of sanctions has little impact on security awareness or on preventing carelessness.

However, workforce awareness can be improved by making healthcare security awareness training more personal. Most workforce members will have friends or family members whose healthcare data is maintained by the organization, and it can be beneficial to include emotional questions in healthcare security awareness training such as:

  • How would you feel if you "accidentally downloaded a malicious file" that resulted in the life of a family member being put in danger?
  • How would you feel if you shared the health condition of a friend on social media, and the information was subsequently misused to commit medical identity theft?
  • How would you feel if you lost an unencrypted USB drive containing PHI and subsequent remediation measures resulted in a parent dying due to a delay in treatment?
  • How would you feel if you shared your password with a colleague and they misused your credentials to facilitate a healthcare data breach which resulted in any of the above?

These questions are not guaranteed to be effective, but the approach of making healthcare security awareness training personal, and repeating the approach throughout a healthcare security awareness training program, will resonate with trainees more than if the perceived consequences of a data breach are a corporate fine and an extra training session.

The ABC of Healthcare Cybersecurity Training

In addition to the above tips for a healthcare security awareness training program, it can be beneficial to introduce training mantras which, no matter how corny, are memorable and relevant to other elements of healthcare cybersecurity training. For example, the ABC of healthcare cybersecurity training could be "Always Be Careful" or "Assess Before Continuing".

While these mantras could be perceived as elementary school learning applied to serious and sophisticated threats, it is often necessary for healthcare organizations to adopt a lowest common denominator approach to healthcare cybersecurity training until it is no longer possible to identify weaknesses in the workforce's cybersecurity knowledge.

Making Cyber Security Training for Healthcare Accessible for All

The final element of effective healthcare cybersecurity training is to make cyber security training for healthcare accessible to all members of the workforce. If all members of the workforce are required to participate in HIPAA cyber security training, some may be unable to participate fully due to a lack of HIPAA knowledge.

Those who lack HIPAA knowledge may not understand what PHI is or why it has to be protected and, as a result, might continue to use unsanctioned "shadow" apps and services to get the job done, or might not understand why it is important to protect even devices with no access to PHI with physical, administrative, and technical safeguards.

Healthcare organizations with workforce members in this position can take advantage of online HIPAA awareness training courses to raise their HIPAA knowledge to the required level. While training courses of this nature do not fulfil the requirement for policy and procedure training (§164.530), they can help support healthcare cybersecurity training to better safeguard PHI and reduce the number of security incidents involving a human element.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/