A recent study conducted by HIMSS Analytics and reported in the HIPAA Journal indicated that more than 78% of the IT executives, managers, and staff surveyed identified employees’ lack of security awareness as a primary concern – despite 85% of the same survey respondents claiming to have an educational program in place designed to create awareness! Clearly a one-time – or even annual – training program isn’t enough.So how can healthcare executives improve information security awareness without significant cost and time investments? Here are ideas gleaned through working with our top clients.
- Use existing channels.
The fastest way to get the word out about anything is through existing channels. Don’t just think of the organization newsletter. Think about the channels you would use if you needed everyone to know that the cafeteria is serving free pizza. What would get your staff’s attention best – a weekly email from the CEO? a reminder from the unit manager in the morning huddle? a global text message with a tip for the day? Organizations differ – use what you’ve got and what works for you.
- Make it fun.
Steal a page (or two) out of the marketers’ playbook. Use rhymes, wordplay, and cartoons. For instance, the U.S. military adopted the theme of “cyberfitness” and leveraged their existing physical fitness programs and resources to encourage good cybersecurity practices. You might find ways to tie information security (or “information safety”) into existing initiatives to prevent infections or promote handwashing. Consider contests – units can both learn and earn points toward a party by scoring well on secret audits or weekly “cybersecurity trivia” quizzes.
- Keep it short.
The research is clear – classroom lecture is the least effective way to educate human beings. Attention wanes long before the lecture comes to a close and most studies put retention of lecture material at ~10%! The initial HIPAA training course is probably necessary to make sure everyone receives the same basic information, especially employees new to healthcare or fresh out of school, but even this can be broken into digestible segments using self-paced training modules. Then supplement that training with quick reminders of critical practices – logging off workstations; using only the secure texting application; securing mobile devices with cables or inside locked cabinets.
- Make it relevant.
Hearing that another “50,000 records were lost” means little to the average staff member. Hearing that “a nurse clicked on a link to what looked like an online shopping site, causing the practice to close for two days and to dismiss the nurse,” on the other hand, feels directly relevant. Every staff member can imagine him or herself making the same mistake and can learn from the example.
- Mix it up.
Humans also get bored easily. Information in the same format arriving at the same time over and over again eventually becomes background noise. To keep it fresh, try a variety of approaches – verbal reminders at the beginning and end of staff meetings; a story in the newsletter; screen savers with a new reminder each week; monthly peer audits using a standardized checklist; and open review of security threats in town hall meetings. Be audacious – ask the staff members you want to reach what they would find helpful and interesting.
- Be redundant.
This is another trick out of the marketer’s handbook. Rather than bombard staff with everything they need to be doing all the time, begin with the comprehensive training course. Then based on observations and audit findings, use awareness initiatives to encourage one specific behavior. For instance, in the month of May, you may run a campaign about how to recognize and respond to a phishing attack. In this case, any newsletter content, email alerts, screen savers, and peer audits for that month should all address phishing attacks.
These tactics won’t guarantee perfect compliance, but they will increase threat awareness, and awareness is the first step!
info@ThirdRock.com | 512.310.0020