Cybersecurity Q&A

1. What is the best way to begin training my employees on cybersecurity?

One thing we know for sure is that the need for employee training is not decreasing. In fact, the need is ever expanding. There are always new threats, attack vectors and clever schemes. Security training, however, is not something that most employees wake up and go to work for every day. In fact, if you’ve ever delivered cybersecurity training, or worse—had to attend it—you know that it is a big turnoff for most employees. I’ve experienced good and bad security trainings, both as part of the security team delivering it and as one of the “employees” who had to “receive” it. I’ve found all effective security trainings have these details in common: They are all personalized and entertaining.

I had the pleasure of rolling out HIPAA Security Training well in advance of the compliance date of April 21, 2005. When HIPAA Security Training started, not everyone had a computer at home—nor were most people carrying computers around with them (as smartphones or tablets). At that time, the biggest security concerns were around passwords and lockouts, as well as turning off computers. Today, there is a whole universe of security concerns that employees must be aware of. The good news is cybersecurity training not only teaches employees how to protect their data at work—but it also teaches them how to protect their personal data (and that of their families) at home. Instead of telling employees what to do, designing personalized trainings that explains the importance of certain practices will be more effective. Make training about your employees and explain why they have to do things, not just that they have to do it because the security officer convinced the CEO that an 8-character password with numbers, letters, and characters (upper and lower case) is more secure than your dog’s name. It’s also helpful to remind employees that we are all patients somewhere, too.

Which brings us to entertaining. I started out in security-as-a-systems auditor—I don’t believe an auditor has ever guest-hosted Saturday Night Live, and for good reason. But when we started rolling out security training two years after the HIPAA privacy training, we felt it was important to help people understand how patient privacy and good security practices are related. At the risk of dating myself, one of the most popular TV shows at that time was Queer Eye for the Straight Guy. We put together a “show” called “Privacy Eye for the Security Guy”—we wanted to leverage the two years of training that had focused on privacy and layer on security in order to help people make the connections and understand how they were related. We put out a “casting call” as people from all over the Integrated Delivery System (IDS) wanted to help in some way or at least get their 15 minutes of fame. We even got permission to use an ambulance for one of the scenes, as everyone wanted their department in it. We not only used the “show” for training, but we posted it on our intranet. It was so popular, I think even more people watched the video than participated in the training itself.

Another key component of effective cybersecurity training is leadership involvement. There was an occasion when I, as the newly minted security officer, caught our CEO in a weak moment, and he asked if there was anything he could do to help with the HIPAA program. I told him he could take the training and be tested. He had that look in his eye and I quickly reassured him it would be a photo op, not actual training and testing. We showed him at the computer going through the training module, taking the test. We put those pictures on our website and on the cover of our newsletter. He told me for weeks that people would stop him in the halls and at meetings to ask if the HIPAA test was hard, what it covered, and what he learned. Finally, he actually did the training and took the test, just so he didn’t have to “dodge and weave” around those questions.

So, make it personal and relatable to the employees and their lives. Make it entertaining, as people retain what they can laugh at. Finally, that buy-in from the top is critical, leading security by example—if it is good enough for the CEO, then it’s good enough for me.

2. My company does not have a scan of our system running 24/7. Is this necessary? Additionally, do updates and patches need to be automatic?

Unfortunately, in today’s threat environment network-connected systems can’t be left unattended. No one would let their 4-year-old out in the front yard without watching—there are cars, loose dogs, other kids, anthills, manholes, and much, much worse. Your computers aren’t designed to identify danger, nor do they come with the skills to avoid and/or deter danger. They learn that skill over time as they grow, which is what security software is designed to do. Your accounting system shouldn’t have to act as a guard, just like your bank’s CEO doesn’t carry a gun, but that CEO is expected to ensure that the bank has security systems, guards, insurance, and other protections to keep your money safe and reduce the risk to your information and money.

Determining the kind of scanning and its frequency is where we get into risk-based approaches to security. That means you have to understand the risk environment: What are you trying to protect? And from what? Where does it reside on your network? Who uses it? How do they use it? How did it come onto your network, and was it created there or imported from somewhere else? Where is it supposed to go from your network? Unless you can identify the risks to your data, your organization and your operations (in terms of data and systems), will never be able to adequately protect those assets. There is a reason that the first core element of NIST’s Cyber Security Framework is “Identify.” This identification includes everything from network gear to servers, and from desktops to laptops, printers, biomedical devices, security cameras, and other IoT device-in addition to the systems like heating, ventilation, and air conditioning systems (HVAC) as well as Point of Sale systems (POS) that are running on your network. In many hospitals we’re starting to see the “smart speakers,” like Alexa, being used to enhance the patient experience. Every time something connects from your network to the internet, you have a new threat vector—a point of attack or data leakage.

In the scanning function, you’ll have a lot going on—from anti-malware, which runs constantly, to vulnerability scans, email gateways, network scanning, and data loss discovery scans. You’ll need to understand the risks and your best defenses. You’ll always be collecting intelligence about your systems, your network, the threats coming at you, and you’ll have to do some synthesis and assimilation of all that data. There is, however, always overhead associated with this scanning—storage, compute cycles, and the humans who analyze and act on the data. Security, like everything else, is about trade-offs, but it starts with knowing what you have to protect, what you’re protecting it from, and how best to protect it.

Updates and patches are even trickier, particularly in healthcare where you have a lot of legacy hardware and software, and some very highly specialized systems. Some updates you’ll just want to allow whenever they are released, like your antivirus/malware, and even then, on some systems you probably want to block automatic updates until you can test the update to make certain you’re not solving one problem and creating another. You’ll want to do operating system patches as soon as you can, since they frequently include security ‘fixes’ — but if you have specialized software or software originally designed to run on older systems of that operating system, you need to test it first. Clinical production systems are not the place to figure out if something is going to work after the patch.
For cloud-based applications and systems, you are likely getting updates and patches without even knowing. They are mostly designed to work that way, where everyone gets the improvements (want them or not) and that is part of their value proposition. It can save IT a lot of time, effort, and headaches -until you get the “enhancement” that you didn’t want.

Automatic updates become a risk-management issue for IT. That risk assessment has to look at it from the user perspective, too. You don’t want to update the financial system in the middle of month-end close. Making changes to clinical systems on Monday morning can be career-limiting, too, so have a user-group to help with planning those changes, particularly if updates or patches require downtime or locking databases. Patches, as a rule, are at a lower level of the architecture and really should be evaluated and/or tested before being applied to production systems.