On March 30, 2022, the U.S. Senate Homeland Security Committee cleared the Healthcare Cybersecurity Act – new legislation that promises to strengthen the cybersecurity posture of the U.S. healthcare and public health sectors. The U.S. healthcare sector has taken a battering in recent years as cybercriminals have stepped up attacks on the sector. Healthcare organizations are an attractive target due to the vast quantities of sensitive data they store. The data can easily be monetized and used for identity theft and medical fraud, and preventing access to that data puts patients at risk, which increases the probability that extortion attempts will be successful. Cyberattacks on the healthcare sector have proven to be lucrative, with healthcare providers often forced into paying huge ransom demands to decrypt their files, prevent the exposure of stolen data, and get critical systems back up and running quickly to improve patient safety.
In 2020, healthcare cyberattacks increased by 55% breaking the record set the previous year. More than 26 million medical records were compromised that year, which increased to over 40 million records in 2021 and 2022. 2023 looks like it will see similar numbers of records compromised. Healthcare is a critical industry and healthcare cybersecurity is a patient safety issue. Action is desperately at the federal level to improve resilience to cyberattacks and the Healthcare Cybersecurity Act is a step in the right direction. The Healthcare Cybersecurity Act calls for the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate and come up with a plan for improving the security posture of the sector. Within a year of the legislation being passed, CISA is required to complete a detailed analysis of the risks to healthcare assets and data, identify the information security challenges faced by organizations in the sector and come up with a plan to address the shortage of cybersecurity staff, including making recommendations for cybersecurity training for the workforce and enhancing incident response. The legislation also calls for the creation of a Cyber Security Operations Center specifically for the healthcare sector to share real-time threat intelligence to help defend against and respond to cyberattacks.
In the meantime, the cyberattacks continue. While hospitals and health systems are investing heavily in cybersecurity and are improving their technical defenses, hackers are developing new methods to attack the sector, often by exploiting human weaknesses. The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers, health plans, and other covered entities to develop a security awareness training program for employees, but the legislation was signed into law two decades ago and provides little in the way of detail as to what such a program should include or how often training should be conducted. Follow the letter of the law and you will be compliant but will do little to improve your security posture. What is required is a comprehensive training program that can be easily tailored to all members of the workforce and training them on how to recognize the specific threats they are likely to encounter.
The ultimate goal of security awareness training is to develop a security culture, and that simply isn’t possible with an annual training session. Security awareness training needs to be ongoing, with employees up to date on the latest threats, and training needs to be reinforced. This is an area where TitanHQ can help. TitanHQ offers healthcare organizations an easy-to-use platform for developing healthcare-specific training courses covering a broad range of security topics. The platform includes training content on hundreds of topics, delivered through computer-based training courses, videos, and quizzes. The content is engaging and gamified and has been developed to be easy to fit into busy healthcare workflows, with the training content taking no more than 10 minutes per module.
Administrators can easily develop training courses for individual employees, roles, and departments to ensure it is relevant, and the platform is behavior-driven, with training content automatically generated based on specific employee behaviors such as failed phishing simulations and security errors, such as saving sensitive data in an insecure location. Since the training is generated instantly, it ensures employees receive the training when it is likely to have the maximum impact – immediately after a security mistake is made.
The platform also has enterprise-level reporting, which provides executives with a 360 view of the entire organization and the return on investment, with the data provided in an easily digestible format for management, and detailed reports for the compliance team to demonstrate full compliance with the training requirements of the HIPAA Security Rule.
If you want to improve your organization’s security posture, training the workforce to be more security aware is a great place to start. For more information on SafeTitan, to sign up for a free trial, get in touch with the TitanHQ U.S. team today.