Cybersecurity Training for Tight Budgets
May 22, 2019
Most practices provide cybersecurity and HIPAA training when an employee is first hired, and annually after that. While certainly, this method will check the box for “security training” off the new employee orientation list, it is highly ineffective for maintaining good cybersecurity habits.
That’s because cybersecurity training is not a “once you learn it, you know how to do it” type of training, like how to register a patient or use the fax machine. In fact, it’s just the opposite. For staff to maintain the awareness required to spot phishing emails and other cybersecurity scams that could result in a breach, they must be continually reminded that there’s a threat.
The most effective cybersecurity training is delivered in shorter sessions, frequently, with ongoing reminders.
Here are six ways your practice can do this on the cheap.
1. Send periodic emails with cybersecurity reminders and tips.
Mark your calendar every six weeks with a reminder to send these out. In the morning is the most effective. Pull tips directly from your security policies and procedures.
2. Email a 3-question quiz just prior to a staff meeting.
Present and discuss the answers in the staff meeting. Have everyone who got all three questions correct put their names in a hat and draw one for a gift certificate.
3. Print posters and flyers.
One practice I worked with created colorful “Watch Out for Phishing” posters, and hung them on bathroom stall doors, break rooms and bulletin boards.
4. Put reminders in Company Communications.
If your practice sends a monthly newsletter to employees, include a story about security in several issues a year.
5. Monitor employee password strength twice a year.
Knowbe4 has a free tool for this: Weak Password Test (WPT). WPT checks your Active Directory for several different types of weak password related threats, providing insight to the effectiveness of your password policies and any fails so that you can take action.
6. Administer a verbal “cyber awareness quiz” at several staff meetings each year.
This can be informal. Simply ask a few questions during the meeting (don’t put this on the agenda), and ask the team for verbal answers. For example:
a. “Name two common human error reasons that cyber-attacks or breaches occur in healthcare?”
b. “What are two clues that an email may be a phishing email?”
c. “What is ransomware and how does it work?”
Choosing even two or three of these ideas will improve staff retention of important security concepts. The key is keeping employees on alert for potential security threats all year long – and think twice about clicking.
Want to stay on top of compliance issues like this one? Download Mike’s complimentary 2019 Compliance Calendar.
Author - Michael Sacopulos, JD
Mike is the CEO of Medical Risk Institute (MRI), a firm that provides proactive counsel to the healthcare community in order to identify where liability risks originate, and reduce or remove these risks. Mike’s unlawyerlike pragmatism and clever wit make him a sought after speaker by national specialty societies MGMA national and state chapters, and trade associations.