Why Cybersecurity Companies Must Provide Hands-on Training to Hospital Clients

liran

Jul 13, 2021 - 3 min read

It’s not easy running an IT department at a large medical organization these days, and the job is not getting any easier. Hospitals represent a prime target for cyberattacks for a variety of reasons:

  1. Medical providers store massive amounts of sensitive data that they cannot afford to lose or have exposed.
  2. Hospitals maintain dozens of discrete systems to manage all moving parts, from personnel to equipment. A hacker can work through these, searching for the inevitable weakness.
  3. A hospital’s systems can never be airtight, as the staff must communicate actively with insurers, other hospitals, external specialists, and patients themselves.
  4. Data accuracy and availability for medical care can be a matter of life and death. A database “held hostage,” even for a few minutes, can have dire implications.
  5. Not enough funding is dedicated to cybersecurity. Healthcare organizations spend only between 4% and 7% of their IT budget on cybersecurity, versus a 15% average for financial institutions.
  6. Large hospitals often have the financial resilience to pay moderate ransomware sums, and some do.

Even without government regulations (and fines for non-compliance), no hospital wants to see itself in the headlines, struggling to free itself of a ransomware attack.

Cybersecurity experts to the rescue

The primary strategy that hospitals deploy is hiring an outside cybersecurity firm. These healthcare security companies, set to represent a $26B industry by 2027, work with hospitals to conduct an assessment of weaknesses, then draw up a list of recommendations to seal them up. This includes policies and changes that the hospital’s team can manage themselves, as well as technical products and services the firm will provide and manage. Some solutions involve hardware – firewalls with filter rules to control and limit access – as well as software installations and updates/upgrades to existing infrastructure.

Facing the ‘people problem’

Human beings are often the “keyhole” through which hackers penetrate an organization’s defenses. Whether they are data entry/retrieval specialists, nurses who work with patient files periodically, or doctors who have less hands-on activity, it is critical to train all employees to learn and follow the protocols and processes for even the simplest online activity.

In one study, 59% of hospital representatives and healthcare IT professionals in the US said that email was the most common point of information compromise. Disasters can be triggered by carelessly responding to phishing hacks, or the overly casual use of minimally secure mail to communicate sensitive information.

The decision about HOW to provide healthcare cybersecurity training, however, presents a real challenge. Here’s why:

  • Too risky to practice on real data: It is difficult to teach these skills in the abstract; the most effective training must use real-life scenarios that the participants can relate to. But conducting a training session on a live system, with real patient data, is irresponsible.
  • Scheduling problems: Medical personnel are generally overworked, exhausted with complex and frequently changing schedules – with some working at night. Finding time for large groups to attend a “security lecture” can be challenging, and hoping for rapt attention is perhaps too optimistic.

The benefits of going virtual

Cloud-based hands-on training

The ideal model is both flexible for scheduling and more engaging than a one-way presentation: remote, hands-on cybersecurity training. Using a cloud-based, online training platform means that participants can join from offices across the facility, or even from home. Multiple sessions can be run to accommodate demanding schedules, without the trainer being physically present in the building for each session (or even in the same city, state, or country!).

A replicated version of the software

The most advanced of these virtual hands-on training platforms offer a fully functional version of the hospital’s software, and both the trainer and participants can interact with it. It is a clean, stand-alone version, meaning that there is no risk of exposing, changing, or deleting real data. The installation can be pre-loaded with sample data for real-world demonstrations, or left clean and ready to be safely populated and then eventually deleted.

Monitoring and analytics

In training systems like these, trainers and management can review reports on which trainees went through the required steps, how long they spent, and what they did. This both assures compliance with the training program and identifies areas of improvement for the curriculum.
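As an added illustration of the kind of report such a platform can produce (this is example code written for this article, not code from any training product the post describes), the script below takes a constructed event export in the form `timestamp,trainee,step,event`, checks each trainee against an assumed list of required curriculum steps, and computes time spent and the steps where trainees started but never finished. The step names, the log format and the sample trainees are all assumptions made for the example.

```python
"""Completion and dwell-time report over a constructed training-platform event log."""
from collections import defaultdict
from datetime import datetime

# Assumed curriculum of required steps (an assumption for this example).
REQUIRED_STEPS = ["login", "identify_phishing_email", "report_email",
                  "verify_sender", "logout"]

# Constructed sample export: one "timestamp,trainee,step,event" record per line.
SAMPLE_LOG = """\
2021-07-13T09:00:00,alice,login,completed
2021-07-13T09:01:00,alice,identify_phishing_email,started
2021-07-13T09:05:00,alice,identify_phishing_email,completed
2021-07-13T09:05:10,alice,report_email,started
2021-07-13T09:06:00,alice,report_email,completed
2021-07-13T09:06:30,alice,verify_sender,started
2021-07-13T09:08:00,alice,verify_sender,completed
2021-07-13T09:09:00,alice,logout,completed
2021-07-13T13:00:00,bob,login,completed
2021-07-13T13:01:00,bob,identify_phishing_email,started
2021-07-13T13:20:00,bob,logout,completed
2021-07-13T22:00:00,carol,login,completed
2021-07-13T22:01:00,carol,identify_phishing_email,started
2021-07-13T22:04:00,carol,identify_phishing_email,completed
2021-07-13T22:04:30,carol,report_email,started
2021-07-13T22:05:00,carol,report_email,completed
2021-07-13T22:05:30,carol,verify_sender,started
2021-07-13T22:30:00,carol,logout,completed
"""


def parse_events(text):
    """Parse the export into (timestamp, trainee, step, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, trainee, step, event = line.split(",")
        events.append((datetime.fromisoformat(ts), trainee, step, event))
    return events


def build_report(events, required_steps=REQUIRED_STEPS):
    """Per trainee: did they complete every required step, which are missing,
    and how many minutes elapsed between their first and last event."""
    first, last = {}, {}
    completed = defaultdict(set)
    for ts, trainee, step, event in events:
        first[trainee] = min(first.get(trainee, ts), ts)
        last[trainee] = max(last.get(trainee, ts), ts)
        if event == "completed":
            completed[trainee].add(step)
    report = {}
    for trainee in sorted(first):
        missing = [s for s in required_steps if s not in completed[trainee]]
        report[trainee] = {
            "complete": not missing,
            "missing": missing,
            "minutes": round((last[trainee] - first[trainee]).total_seconds() / 60, 1),
        }
    return report


def stall_points(events):
    """Steps that trainees started but never completed: these point at
    curriculum content that may need rework or extra explanation."""
    started, done = defaultdict(set), defaultdict(set)
    for _, trainee, step, event in events:
        (done if event == "completed" else started)[step].add(trainee)
    return {step: sorted(started[step] - done[step])
            for step in started if started[step] - done[step]}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for name, row in build_report(evts).items():
        status = "complete" if row["complete"] else "missing " + ", ".join(row["missing"])
        print(f"{name:6s} {row['minutes']:5.1f} min  {status}")
    print("stalled at:", stall_points(evts))
```

The compliance view (who finished the required steps) and the curriculum view (where people stall) come from the same event stream, which is why a platform that records step-level events gives management both without extra instrumentation.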

Hands-on active practice

Most important, the hands-on approach to healthcare training software means that the experience is active, not passive. The hospital staff can “live” the simulated experience, trying out the techniques they are taught in a safe, controlled, but authentic environment. This practice helps prevent confusion or panic later, because fewer of the procedures they encounter will be new or unexpected.

No one can be an expert in everything

Our society (especially during COVID) values the life-saving contributions of doctors, nurses, and other medical specialists and support staff. But they are not perfect. With their focus on patient care and critical snap decisions, we cannot expect them to also serve as cutting-edge data warriors. To optimize their training – and to give their hospitals the best chance of avoiding dangerous missteps and lawsuits – a fully immersive, hands-on approach to training by cybersecurity firms is just as important as their purely technical defensive measures.