by John R. Fischer
, Senior Reporter | March 01, 2022
From the March 2022 issue of HealthCare Business News magazine
The key to effectively training employees on cybersecurity in healthcare, or any industry for that matter, is to make it engaging in a way that motivates staff to seek out more information on the subject.
That was a central message from Matthew McMahon, a senior manager of cybersecurity and Medical IoT at Booz Allen and an adjunct professor in healthcare administration and management at Salve Regina University, who hosted an educational session at the 2021 AAMI Exchange titled “How to Create Engaging and Effective Cybersecurity Employee Trainings.”
Here are five key points from his presentation:
Know your audience
When you’re trying to get healthcare providers to take cybersecurity seriously, focus on what a breach could mean for their patients. If the audience works in sales, frame security around what a breach would mean for the client facility. Knowing what country or region trainees are from can make a big difference too, as can using timely examples that resonate with them specifically. For instance, you could discuss a cyberattack that a similar company or healthcare organization recently faced.
“If you can make your cybersecurity training role-specific, that makes it really relevant and really helps raise that awareness level,” said McMahon. “You’re really diving into what that individual does at a job level and making cybersecurity relevant at that job level.”
While labor intensive, gamifying training can increase focus on and interest in cybersecurity. It can also be used afterward to ensure the techniques learned are actually applied. For instance, a hospital can create incentives for employees to be proactive about reporting suspicious activity or possible attacks. “It may be something as simple as the employee who reports the most phish each quarter or each year gets a $25 gift card,” said McMahon. Small strategies like this can inspire a kind of competition that has the fortunate side effect of making the workplace safer.
Even without a reward program, managers should follow up with employees who report suspicious activities to thank them and acknowledge what they did for the safety of their organization. This can be done with a simple email or in-person conversation and motivates the employee to continue to report any suspicious findings.
The goal of cyber training is to take an organization’s security team and expand it into a cyber awareness community, said McMahon. One way of doing this is through one-off training sessions in which the cybersecurity team reaches out to other departments and organizations, engages with individuals to help them identify possible security issues, and builds relationships along the way. Setting up part-time cyber communities that include individuals outside the core security team can also foster training opportunities, as can cyber defender programs and cybersecurity mentorship programs.