In recent years, the healthcare sector has witnessed an alarming surge in cyberattacks. In fact, more than 540 organisations reported healthcare data breaches to HHS Office for Civil Rights (OCR) for in 2023, impacting upwards of 112M individuals. The healthcare industry, like any other industry that holds sensitive and valuable data has become an increasingly attractive target for malicious threat actors. In the event of an attack, pilfered patient data may be sold on the dark web at a premium price or used in double extortion attempts.
Evidently, there is a pressing need for robust preventative security measures across the healthcare industry, however this can be costly and time consuming to implement for already thinly stretched organisations. Yet, some healthcare institutions may direct their efforts toward determining who the responsible party is in the aftermath of a breach. This is epitomised by the most recent 23andME breach, where customers became the point of blame for poor password practices, which had resulted in a successful credential stuffing attack after the incident had occurred. But in playing the blame game after a breach occurs, the sector risks losing sight of the bigger picture. Instead, healthcare institutions must adopt a more proactive approach to cybersecurity, moving beyond who’s responsible and working towards collaborative efforts to enhance cyber resiliency and security posture. But how?
The Challenges of Safeguarding Healthcare Staff
Over the last few years, the healthcare industry has been faced with an array of unprecedented challenges that have resulted in a strain on resources, consequently hindering the implementation of robust cybersecurity measures. The healthcare sector's primary focus is on delivering quality patient care, leaving little room to adequately address the evolving landscape of cyber threats. Additionally, the recent NHS England strikes combined with the ongoing healthcare staffing crisis, which as of 2023 surpassed the 100,000 mark, has diverted the attention and resources away from critical cybersecurity initiatives. Yet, when critical patient data remains vulnerable to adversaries with potential life-threatening outcomes, healthcare providers must prioritise working towards building a robust cybersecurity strategy. Thus, a change in mindset is required to tackle the issue at hand and healthcare institutions are urged to think differently about their approach to cybersecurity in relation to keeping employees safe and secure.
The Importance of Addressing The Human Factor
Healthcare professionals are highly mission focused people who care for their patients and are always on call in the event of an emergency. Yet, these admirable traits are often played on by opportunistic cybercriminals in the event of elaborate social engineering scams, from phishing to ransomware attacks. Threat actors use a wide range of tactics to trick the user into falling for an attack through using various psychological principles. For instance, classic social engineering attacks can often include a sense of urgency or persuasion, in efforts to disguise the legitimacy of the request. This makes the task of detecting these threats challenging, especially for compassionate and hard-working healthcare employees.
In 2023, it was reported that 74% of data breaches involved a ‘human element’. For decades, organisations have perceived employees to be one of the biggest threat vectors to security. However, it is imperative for organisations to understand that employees can be one of their strongest defences and knowledge is power when it comes to making informed, cyber secure decisions. One of the most effective ways that healthcare professionals can be armed with the knowledge and skills to avoid being targeted by hackers is through adequate security awareness training. Yet, while in theory this appears to be a straightforward solution, it can be a particularly challenging task for healthcare providers. Further to this, conventional approaches to cybersecurity training have consistently shown their limitations. Although they may offer a foundational understanding of security awareness, traditional methods often fail to provide employees with the relevant skills needed to deal with sophisticated real-life cyber threats. Once a year mandatory training, regardless of quality, is unlikely to have any lasting impact. Instead, organisations could look towards using psychology and behavioural science and try to understand why users are more likely to engage in risky behaviour online. By understanding the cognitive and psychological aspects of human behaviour, security training programs can be tailored to address specific challenges faced within organisations but also to actively try and change those behaviours. One way organisations can integrate cybersecurity awareness into everyday activities is by using the nudge method, a non-invasive and integrated approach to training. Where it has been recognised above that staff, particularly in healthcare, do not have the time to engage in lengthy and often ineffective training, behavioural approaches can utilise contextual nudges at points of risk as well as snippets of drip-fed content. Both timely reminders that take minimal if any time, build awareness, embed secure habits and offer organisations both visibility of risk and measurable improvements in their risk profile. This approach recognises that employees are simply not the weakest link in
security, as many people wrongly accuse end-users of being, but rather a critical asset in the defence against cyber threats. Therefore, healthcare institutions must keep open minded about approaches to security awareness training and focus on what they are really trying to achieve: better security. If the focus is, as it should be, on risk reduction, then a more behaviour change focused approach is highly likely to be required to produce better outcomes.
Proactive Steps Towards a Secure Future
The increasing proliferation of human factor related cyberattacks on the healthcare sector highlights the need for employees to be equipped with the tools and knowledge needed to tackle imminent threats. Traditional methods of security awareness training have often proven to be ineffective in the long term, which urges organisations to think differently about their approach. The key to efficient and effective security training may lie in behavioural science. There is recognition by the National Cyber Security Centre (NCSC) and a growing body of research which suggests that the use of behavioural science in cybersecurity awareness training offers lasting defences against cyber threats.
Ideally, healthcare institutions should look towards adopting a solution that applies behavioural and learning science to deliver ongoing security awareness alerts, to empower and encourage employees to make secure decisions. Reducing human risk through applying psychological principles to change human behaviour should be considered a step in the right direction towards helping keep employees safe and secure from imminent threats.