One of the CIO’s biggest security concerns is lack of staff education, says our SnapSurvey.
It seems every week brings another news story of a data breach or ransomware attack on a hospital. But perhaps even scarier than the headlines is the fact that the ones who are most vulnerable to incidents are the ones who are least equipped to handle them. According to the April healthsystemCIO.com SnapSurvey, 39 percent of CIOs feel their staff is not sufficiently educated on how, when, and to whom they should report any suspicious activity or a data breach.
And this, say CIOs, is a big problem.
“We have provided frequent, repeated education, but there are some folks who just don’t get it,” noted one respondent. Another indicated “there are gaps in awareness and a degree of denial that they could be targets or the vector facilitating an attack.”
So what are organizations doing to combat the problem? Most (94 percent) are leveraging newsletters and other written reminders to spread awareness, along with regular training sessions (72 percent). More than half (61 percent) send fake phishing emails and other similar tools, and a small portion (11 percent) have resorted to bringing in law enforcement to educate the staff.
A number of organizations (56 percent) are approaching the issue from the top with a CISO or other senior-level executive who oversees security, and another 22 percent are looking into it, but many believe this is only part of the solution. As one CIO stated, “We have made great strides in this area with leadership,” whereas at the staff level, there’s a need for more information.
One health system has taken a unique approach by creating security super users, similar to the approach used when implementing EHRs, and another hired an outside firm to do an extensive risk analysis across the campus.
The common theme across the board, it seems, is that security is now on the front burner. According to the survey, 83 percent of CIOs said testing backup and recovery systems has become a bigger priority, and many are even forming a plan of how to respond to a ransomware threat. Interestingly, 28 percent said they believe the organization would pay up, and a third said it was possible.
One respondent pointed out that keeping the brand intact is crucial in today’s competitive environment, and another reasoned that paying ransomware “costs a lot less than having your systems unavailable,” adding that no organization can afford to impact patient care.
(SnapSurveys are answered by the healthsystemCIO.com CIO Advisory Panel.)
1. Has your organization (or an organization you’ve been part of) ever experienced a data breach or a ransomware attack?
Yes, a data breach that didn’t involve ransomware
- It was an employee snooping event.
- Faxing patient information to the wrong provider.
- We have had ransomware attacks also, but they were limited to certain PCs and servers, which we were able to isolate and recover without a data breach.
We’ve experienced both
- We were able to quickly identify it and prevent major impact.
- Ransomware on 3 devices controlled — not an enterprise issue. Had a breach with an employee using appropriate access to view inappropriate info.
No
- Not to our knowledge.
Other
- We had Ransomware without a breach.
- Ransomware on a single server. We restored immediately from backup. No breach, and inconvenience was minimal.
2. Does your organization have a CISO or other senior-level executive responsible for overseeing security and enforcing policies?
Yes
- Reports to the CIO.
No, but we’re looking into it
- ISO is now a role/responsibility in the CIO role.
No
- Security reports directly to the VP of IS.
- I am the CIO and also the designated Security Officer.
3. Which of the following methods is your organization using to keep the staff educated on the dangers of malware attacks?
Regular training sessions
Bringing in law enforcement to educate staff
Sending fake phishing emails
- An internal phishing tool used to individually educate.
- Have just installed the tool for sending fake phishing emails, so the work is internal to IS while a plan is being developed.
Newsletters/reminders about dangers of clicking on links
- Occasional emails warning about the latest threats.
- Posters placed in the usual and unusual places.
Other
- We’re creating security super users. Similar approach as to what you see when implementing an EHR.
- We are very weak in this area currently, but are planning to start doing all of the above soon.
4. When faced with a ransomware attack, Hollywood Presbyterian Medical Center opted to pay the requested amount to obtain the decryption key. Do you believe your organization would pay ransomware?
Yes, if we felt it was the best option
- Paying costs a lot less than having your systems unavailable. You can’t impact patient care.
- Keeping the brand name pure is very important to us.
No, we wouldn’t do that
I’m not sure
- This is a business decision that we would situationally understand.
- We probably would not, but it would depend upon what information was compromised and what is at stake by reverting to the previous night’s backup.
- Researching this with leadership now, but I think the particular event would be reviewed before a decision was made.
5. Has testing of backup/recovery systems become a greater priority at your organization given the recent ransomware attacks?
Yes
- It’s important to have offline backups with active malware protection running.
- We have hired a firm to do an extensive risk analysis across all areas of the campus. We view this as an institutional imperative, not an IT idea.
- We need to kick this into high gear.
No
- We acknowledge it’s important, but we’re just not this finely tuned yet with our security.
- This has always been a priority; there are many other reasons to stay on top of this.
6. Do you believe your staff is sufficiently educated on how, when, and to whom they should report any suspicious activity or data breach?
Yes
- We’ve had a robust education program on data security.
- Yes, but we will continue to educate.
No
- It only takes one person to make a mistake.
- We have provided frequent, repeated education, but there are some folks who just don’t get it. Often, the desire to be helpful overrides their training. A perfect social engineering opportunity.
- We could do better.
- Even with regular training and messaging, there are gaps in awareness and a degree of denial that they could be targets or the vector facilitating an attack.
Not sure
- We have made great strides in this area with leadership. Need further info to understand at the staff level.
7. In what other ways have recent events prompted you to revisit/revise your organization’s security strategy?
- Increased our awareness, education.
- Created a Ransomware swat team.
- Dual-path protection from vendor partners.
- Revised our cyber event response plan.
- Need to increase budget and tools.
- It is more top-of-mind now than ever.
- The recent events just made it more a priority.
- Marketing consulted to get advice on promotions.
- We are reviewing other potential threat vectors.
- Additional access to our board, to educate them.
- This is a top priority of the Board.
- Scorecard developed to measure protection.