Cross-Section: How Cybersecurity Training Impacts Patient Privacy and Safety

Lackluster cybersecurity training puts a patient’s safety and information at risk.

By Jeff Wardon, Jr., Assistant Editor


Cybersecurity has become increasingly important in the digital age. Hackers of all stripes are on the prowl for their next victim, and unfortunately healthcare is one of the more vulnerable industries for cybercriminals. Once exposed, healthcare organizations are often too ready to acquiesce to the hacker’s demands. This puts both the organizations and their patients at risk of exploitation. 

Preventing cyberattacks from ever taking root is key to safeguarding patients and their data. However, cybersecurity training for healthcare staff has shortcomings and ultimately falls short of keeping patients protected. Healthcare Facilities Today recently spoke with Phil Englert, vice president medical device security at Health-ISAC, about how cybersecurity training intersects with patient safety and privacy.

HFT: How do phishing attacks and insider mistakes put both patient data and patient safety at risk?   

Phil Englert: Phishing attacks exploit human trust to gain unauthorized access. A single click on a malicious link can compromise credentials, install malware or open the door to ransomware. These attacks often bypass technical controls by targeting frontline staff, clinicians or vendors. Insider mistakes, whether accidental or negligent, can expose sensitive data or disrupt operations.  

Phishing attacks that become insider mistakes may target users with elevated privileges, resulting in patient records, intellectual property, financial data and operational plans being stolen, leaked or corrupted.  Users in healthcare settings often have access to various applications that, if compromised, may impact clinical workflows, device availability and IT systems, which, when disrupted, may delay care or compromise patient safety.


HFT: Where do current staff training programs fall short in preparing healthcare workers for these threats? 

Englert: The healthcare setting is complex, with many roles and specialties that make traditional cyber training techniques less effective. Historically, the focus has been on compliance, such as HIPAA refreshers and password complexity requirements. The “watch a video / take a quiz” approach does not cultivate decision-making skills or the ability to spot subtle phishing tactics needed to alert the organization's cybersecurity experts. 

HFT: What would it look like to weave cybersecurity training into clinical education and daily hospital workflows? 

Englert: The first step is redefining cybersecurity expectations for clinicians and workers in a care setting. Understanding their workflows and refining the training content and techniques unique to the threat vectors can create critical relevance. To raise awareness about cybersecurity, training should get clinicians to think about how cyberattacks may impact their ability to provide patient care. This must be role specific.  

Training for a surgeon might focus on cyber hygiene before beginning a procedure, while the training for a radiologist focuses on social engineering or unannounced login changes. Short and frequent training sessions formatted to integrate within clinical settings rather than interrupt daily workflows are more effective at keeping cyber front and center, as well as keeping staff updated on the recently evolved tactics. 

Jeff Wardon, Jr., is the assistant editor of the facilities market. 



September 24, 2025


Topic Area: Information Technology, Security

