Healthcare organizations are increasingly under attack from cybercriminals, who seek all opportunities to breach networks and systems in hopes of obtaining valuable information about patients, employees, and internal policies and procedures. Many of these organizations have turned to Wombat Security for help in addressing a critical area of vulnerability: end-user risk.
Our healthcare customers have applied our methodology with success, seeing up to an 86% reduction in phishing click rates in just a few months. Customers in many industries have seen measurable improvements in a variety of metrics, including fewer successful phishing attacks and malware infections from the wild; less employee downtime; more effective use of IT resources; and better identification (and reporting) of suspicious messages. Join them and make our unique, four-step Assess, Educate, Reinforce, Measure methodology the foundation of your security awareness training program.
We suggest that U.S. healthcare organizations use our Protected Health Info Predefined CyberStrength® assessment to kick off their cybersecurity education efforts. This exercise will not only give a baseline measurement of staff knowledge about a critical topic — safeguarding protected health information (PHI) — but will also allow organizations to immediately begin to address areas of vulnerability. Our unique and effective Auto-Enrollment feature allows program administrators to automatically assign follow-up education about PHI and the U.S. HIPAA mandate to any staff member who does not exhibit a desired level of familiarity with these principles. This stop-gap training measure is an excellent opportunity to jump-start risk reduction.
International healthcare organizations should start with our Protecting Personal Data Predefined CyberStrength assessment, which covers topics related to personally identifiable information (PII) and proper safeguards for sensitive data and documents throughout their lifecycles. As with the PHI predefined assessment, administrators can utilize the Auto-Enrollment feature to automatically engage the most susceptible users in follow-up training and immediately begin closing concerning knowledge gaps.
All organizations should use our ThreatSim® Phishing Simulations in concert with CyberStrength assessments. With our portfolio of customizable templates, you can evaluate users on multiple threat vectors — malicious attachments, embedded links, and requests for personal data — and track results at the campaign level and user level. Healthcare-specific templates allow you to test staff members’ reactions to messages that are targeted to your industry.
Staff members who fall for a simulated attack are automatically presented with a Teachable Moment, which is a customizable “just-in-time teaching” message that alerts users about the mock attack, explains the dangers associated with real phishing emails, and gives practical advice and tips they can use to avoid future traps.
As with CyberStrength, Auto-Enrollment makes it easy to initiate follow-up education. Any user who falls for a ThreatSim email can be automatically assigned an interactive training module of your choice.
Our interactive training modules will give your staff members a broader understanding of the different kinds of threats that are common in today’s workplace (and beyond). More importantly, they will be taught best practices and how to implement them. We apply "learn by doing" principles in our modules, which are an ideal fit for practical learners in the healthcare industry.
To make the most effective use of training time, all modules are brief and focused. Our mini-modules take, on average, just 5 to 7 minutes to complete; standard modules can generally be finished in just 10 to 15 minutes.
For added flexibility, all training is available on demand, and we offer a selection of mobile-responsive modules that can be viewed on any connected device at any time. This is a significant benefit in markets like healthcare, where varied shifts and job functions make more structured training schedules a challenge (and a source of frustration for staff members). And because our mobile-responsive modules comply with U.S. Section 508 and the Web Content Accessibility Guidelines (WCAG) 2.0 AA standards, you can provide consistent training to all employees.
Suggested Training Modules
To effectively implement the Wombat Healthcare Security Awareness and Training Program, we suggest licensing the following modules at minimum. This mix of game-based and scenario-based interactive training — all of which allow for customizable content at the beginning and end of each module — will help to address some of the most pressing cybersecurity issues we are seeing in the healthcare space today:
- Protected Health Information (standard module; U.S. organizations) – Explains PHI identifiers; mandates and components of PHI compliance; and best practices for using, disclosing, transmitting, and storing PHI. (Note: We worked with our healthcare customers to ensure this training meets the needs of U.S. healthcare organizations.)
- Personally Identifiable Information (standard module; global organizations) – Explains how to identify PII; best practices for handling, storing, and sharing PII; and the fundamental actions to take in the event of a PII breach.
- Email Security (standard module) – Teaches users how to spot and avoid the traps commonly found in phishing emails and spear phishing attacks.
- Protecting Against Ransomware (mini-module) – Helps staff members learn how to recognize and avoid ransomware attacks, which have become a significant threat to healthcare organizations.
- Data Protection and Destruction (standard module) – Highlights the importance of protecting data throughout its lifecycle.
- Physical Security (standard module) – Introduces the key components of physical security and teaches staff members about their role in maintaining a safe and secure work environment.
To get the most out of your education plan, we recommend licensing at least three additional modules from this list: Mobile Device Security, Password Security, Payment Card Information Data Security Standard (PCI DSS), Security Essentials, Social Engineering, and URL Training. The topics covered in these modules will further expand your staff’s understanding of key cybersecurity principles.
Because cybercriminals continue to become more sophisticated, it’s critical to keep reinforcing best practices to improve retention. We recommend healthcare organizations use our PhishAlarm® email reporting tool and our portfolio of Security Awareness Materials to make the most of their awareness and training efforts.
Our PhishAlarm email client add-in enables your employees to report a suspected phishing email with a single mouse click. Users who report a suspicious message are immediately rewarded with a "thank you" pop-up message or an email that encourages this behavior in the future. You can also add PhishAlarm Analyzer to prioritize reported messages and streamline response and remediation.
Our Security Awareness Materials are visible reminders of best practices learned. We offer two key sets of materials to support your awareness and training activities:
- Awareness Video Campaigns – Short videos and companion posters and images allow you to build lighthearted awareness campaigns. They offer a great option for introducing the idea of security awareness and training, and they can keep staff members thinking and talking about cybersecurity.
- Education Materials – We offer a wide selection of posters, images, and articles that complement our training modules to reinforce key messages and keep cybersecurity top-of-mind year round.
By continuing to raise awareness, emphasize best practices, and encourage good behaviors, organizations can reduce their vulnerability to attack.
Measure and Analyze Results
Measurement is a key component of all our security awareness and training products because we feel tracking and analysis provide value on many levels, including identification of ROI.
We offer a range of detailed reports that give you broad and granular insights into the results of your assessments and training. Analysis tools help you determine which mock attack to send next and the areas in which your users are likely to benefit from additional education.
The information we provide can be used to support a number of key initiatives:
- Reporting to Board members and other stakeholders
- Integrating employee training data with other metrics for better measurement of cross-organizational cybersecurity initiatives
- Securing cybersecurity insurance policies
- Providing proof of awareness and training activities to key partners, covered entities, and business associates
- Improving processes related to internal and external cybersecurity audits
To learn more about the Healthcare Security Awareness Training Program, including our suggested program plan, which maps out a recommended schedule for assessments and training assignments, request a demo.