GUEST BLOG: Our guest blog post this week is written by Chris Apgar, CEO of Apgar and Associates, LLC. Chris is a recognized expert in Information Security and Compliance. We are delighted to have him contribute to the Ostendio Blog.

Why training people remains the best defense against security threats.

The high value of medical records on the black market has placed the healthcare industry squarely in the sights of cybercriminals. Whether it’s to perpetrate Medicare fraud, to ransom private and essential data or to gain access to trade secrets, expect cybercrime news to make headlines for the foreseeable future.

The healthcare industry has been called out as being slow to adopt cybersecurity protection measures and to implement sound information security programs. That said, there are ways healthcare organizations and their technology business partners can prevent and quickly mitigate risk when it comes to combating cybercrime. Cybercrime risk mitigation is not only a matter of complying with HIPAA and other privacy and security laws, but also about protecting your business and your customers, whether they be patients, covered entities or upstream business associates.

Mitigate the “people risk” to data with training.

The number one risk to any organization when it comes to cybercrime remains people – employees, contractors and anyone who has access to your network and IT assets. That’s why one of the best places to start is training (and not one-time training, either).

My recommendations:

  • Move beyond basic privacy and security training. Add emphasis to topics such as mobile device management, social media “dos and don’ts” and definitely, phishing.
  • Train several times per year. Training needs to be folded into the fabric of day-to-day operations.
  • Make it personal so it hits home. A good approach is to spend some time focusing on what cybercrime can do to your workforce when they aren’t at work. Discuss what phishing and identity theft can do to their personal bank accounts and medical records, then refocus the attention on the implications for your organization and the people you serve.
  • Conduct “hands-on” exercises. They stick better than the usual PowerPoint.

One of my favorite training exercises is the mock phishing test. That way you can target additional training to those who clicked on that mock malicious link without a real risk to your technical infrastructure. Now, will this completely stop the clicking on malicious links? No, someone will always click. But the mock phishing exercise will meet its purpose, which is to greatly reduce the number of people who click on malicious links.

In addition to training, you can strengthen your defenses against cyberattacks through risk analysis, network perimeter monitoring, strong network walls, ongoing risk monitoring and mitigation, and asset protection. Just keep in mind that while people are your most significant risk, they can also be prepared and trained so that they’re a great defense, too.

Chris Apgar, CISSP is the CEO of Apgar & Associates, LLC, which provides privacy expertise for secure information. He is a frequent educator and panelist for medical practice management associations, HCCA and other industry-leading organizations. Chris is also available as an expert witness and columnist. He can be reached at: 503-384-2538 or capgar@apgarandassoc.com.