Cyber security training should be engaging and motivate individuals to learn more on their own
Five tips for better cybersecurity training in healthcare
March 01, 2022
by John R. Fischer, Senior Reporter
The key to effectively training employees on cybersecurity in healthcare, or any industry for that matter, is to make it engaging in a way that motivates staff to seek out more information on the subject.
That was a central message from Matthew McMahon, a senior manager of cybersecurity and Medical IoT at Booz Allen and an adjunct professor in healthcare administration and management at Salve Regina University, who hosted an educational session at the 2021 AAMI Exchange titled “How to Create Engaging and Effective Cybersecurity Employee Trainings.”
Here are five key points from his presentation:
Know your audience
When you’re trying to get healthcare providers to take cybersecurity seriously, focus on what a breach could mean for their patients. If you operate in a sales context, frame security in the context of the client facility. Knowing what country or region trainees are from can make a big difference too, as well as using timely examples that specifically resonate with them. For instance, you could discuss a cyberattack that a similar company or healthcare organization recently faced.
“If you can make your cybersecurity training role specific, that makes it really relevant and really helps raise that awareness level,” said McMahon. “You’re really diving into what that individual does at a job level and making cybersecurity relevant at that job level.”
While labor intensive, gamifying training can increase focus on and interest in cybersecurity. It can also be used afterward to ensure the techniques learned are applied. For instance, a hospital can create incentives for employees to be proactive about reporting suspicious activities or possible attacks. “It may be something as simple as the employee who reports the most phish each quarter or each year gets a $25 gift card,” said McMahon. Little strategies like this can inspire a kind of competition that has the fortunate side effect of making the workplace safer.
Even without a reward program, managers should follow up with employees who report suspicious activities to thank them and acknowledge what they did for the safety of their organization. This can be done with a simple email or in-person conversation and motivates the employee to continue to report any suspicious findings.
The goal of cyber training is to take an organization’s security team and expand it into a cyber awareness community, says McMahon. One way of doing this is through one-off training where the cybersecurity team reaches out to other departments and organizations to engage with individuals and help them identify possible security issues, while developing relationships. Setting up part-time cyber communities that include individuals outside of the core security team can also help foster training opportunities, as can cyber defender programs and cybersecurity mentorship programs.
Additional tactics include annual cybersecurity conferences for continuing education and networking opportunities, as well as setting up internal hacking communities which consist of individuals not in cybersecurity but with backgrounds or certifications relevant to it, who can share their knowledge. A central repository to share information also helps by allowing individuals to upload and share information and resources with each other.
Cybersecurity experts for hospitals and other healthcare-related organizations can spread awareness by reaching out and offering their services directly. This could include, for instance, attending conferences with a sales team for an ISO to explain security measures to customers. This enables them to build networks of cyber awareness and establish relationships. Even speaking at an internal meeting for clinical teams in hospitals can make a difference.
Measure and learn from success
The success of training initiatives should be evaluated. Through post-training testing, cybersecurity experts can gauge what employees retained, and can compare incident numbers before and after the training to see whether there is any improvement. Quantitative evaluation looks at involvement and interest in cybersecurity matters among trainees afterward, and can help experts determine whether their program needs to be adjusted to be more engaging or relevant.
McMahon says the key is to get employees genuinely interested in improving their knowledge and skills in cybersecurity by illustrating to them that medical equipment and patients can remain safe. This requires encouraging them and showing them where to research these matters on their own.
“You’re training your employees not just to know a little more about cybersecurity, but actually changing their behavior so that they act in a way that is more cyber aware,” said McMahon. “That’s really what we’re trying to get.”