Why Healthcare Security Awareness Training Doesn’t Work (And What to Do About It)

December 27, 2017  |  Dane Boyd

The last five years have seen a meteoric rise in the number of cyber attacks targeting healthcare organizations.

Why? Because healthcare organizations boast some of the lowest security budgets of any industry, and personal healthcare records are worth a fortune on the dark web.

Don’t believe me? Try this: Threat actors can make between $285,000 - $1.7 million from a single successful healthcare data breach. At that rate of return, it really shouldn’t be surprising to see how regularly healthcare breaches are hitting the headlines.

If you’re in the healthcare industry, you’re probably feeling concerned. After all, healthcare organizations are highly complex environments and they can be a tremendous challenge to secure.

Where should you even start?

User-Centric Security

Before you start spending big on expensive security products, it makes sense to look at where the greatest risks lie. To do that, let’s take a look at the most common causes of healthcare data breaches in recent years.

According to the 2016 Data Breach Investigations Report, produced by Verizon, there are three primary concerns:

1. Insiders (mainly negligence)

2. Lost or stolen devices

Do you notice anything about these threats? Here’s a clue: They aren’t rooted in technology. Quite the opposite, in fact: they’re all rooted in human behavior.

Now, of course, security products can be invaluable in dealing with these threats. Devices can be encrypted, user access levels can be tightly controlled, and network activity can be monitored. You can even use spam filters and content scanners to weed out most malicious communications.

But what you can’t do is totally isolate your users from malicious activity… it’s just not possible. One way or another your users will be exposed, and they must be ready to deal with it.

By making the effort to properly train your users, you can hugely raise the security posture of your organization.

Out with the Old

If I had to guess, I’d say your existing security awareness training is… less than comprehensive.

You’re not alone.

In most healthcare organizations, security awareness training wouldn’t even exist if it wasn’t a major requirement of HIPAA compliance.

But knowing that the greatest threats to your organization are all rooted in human error, doesn’t that seem crazy? If you’re genuinely serious about reducing cyber risk, some dramatic changes are going to be needed.

Perhaps the biggest problem I see with the average security training program is that it is focused on completely the wrong metric: Awareness.

Ask any behavioral psychologist whether having more information causes people to make better decisions, and you know what they’ll say? Absolutely not.

That’s why, despite understanding more than ever about nutrition, we have a global obesity crisis.

If you want to make fundamental changes to the way your employees behave, you’ll need a training program that focuses exclusively on that goal.

How to Fight Phishing

Phishing is arguably the single greatest threat to the healthcare industry.

Phishing emails are used to deliver malware, trick users into revealing their login credentials, and even trick staff into making large payments by posing as senior members of your organization.

And here's the kicker. According to Verizon, over 90 percent of all reported data breaches incorporate a phishing component at some stage during the attack.

But as I’ve already noted, while technical security controls can dramatically reduce the number of phishing emails reaching user inboxes, they can’t prevent all of them. To fully tackle the threat posed by phishing, then, you’ll need to train your users to identify phishing emails and report them, rather than being tricked by them.

How? By creating your own simulated phishing lures, and sending them to your users.

That might sound odd, but hear me out. If your users are going to improve their ability to spot phishing emails, they’re going to need an opportunity to practice when they aren’t in a formal training session. Either you can turn off your spam filter for a while and see how they get on (which I don’t recommend) or you can systematically construct realistic phishing simulations, send them out, and track your users’ responses over time.

Now, of course, you will need to provide some training first. Your users need to understand how the program will work, why it’s necessary, and what’s expected of them.

Perhaps even more importantly, your users need to understand that simply deleting phishing emails isn’t enough. What you really need is for suspected phishing emails to be reported to your security team, enabling you to identify and quarantine similar emails in the future, and providing valuable source material for future simulations.

But once all that is out of the way, it’s time to go phishing.

The Four Commandments of Phishing

Did all that seem a bit simplistic? Of course, it did. Now it’s time to take a deeper dive into some of the key components of a powerful anti-phishing training program.

1) Content is King

If your program is going to yield real results, you’ll need to consistently generate phishing simulations that strongly resemble those observed in the wild. For that to be possible, you’ll need:

• A source of high-quality phishing intelligence, including real healthcare-specific samples

• A highly skilled and experienced security professional to oversee the program and create strong phishing simulations

• The patience to gauge the average skill level of your users, and increase simulation complexity gradually over time

2) Make Success Easy

As I’ve already noted, a huge part of the value to be gained from this type of program is the constant supply of real reported phishing emails. These should be routinely analyzed to inform future simulations, aid in the tightening of technical controls, and more.

But believe this: If reporting an email takes even a few seconds…it won’t happen. To make the process as easy as possible, I strongly recommend adding a simple “report phishing email” button directly to your users’ email client.

3) Point-of-Failure Training

Unlike traditional, classroom-style security training, the type of program I’ve described here will enable you to only train users when they actually need to be trained. For instance, if a user correctly identifies and reports a simulation, is there really any point in forcing them to sit through training they have clearly already internalized? I’d argue not.

On the other hand, when a user fails one of your simulations, you have the opportunity to provide them with highly specific training that focuses on the type of phishing lure they have just seen. This “point-of-failure” training is highly effective at altering behaviors because it’s delivered at precisely the moment it’s needed.

4) Support Low Performers

Cybersecurity is what's known as a “weak link” process, meaning that a small number of under-performing users can have a disproportionately negative impact on your overall cyber risk profile. In the industry, we call these folks VIPs – very incident-prone.

Whenever you encounter a user who repeatedly fails your simulations, I highly recommend intervening personally to provide additional support. Often these situations arise from a misunderstanding, rather than a lack of ability, so try to address them before any serious problems arise.
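As an added illustration (not code from the original article), here is one way to track simulation outcomes over time, decide who needs point-of-failure training after a campaign, and flag very incident-prone users. The campaign records, outcome labels, and the "two failures in the last three" threshold are constructed assumptions; a user who clicks and then reports still fails the simulation, but their report is still counted, since reporting is the behavior you want to keep.

```python
from collections import defaultdict

# Constructed sample data: one (campaign, user, outcome) record per lure sent,
# in chronological order. Outcomes: "reported", "ignored", "clicked" (fell for
# the lure), "clicked_then_reported" (fell for it, but then reported it).
SAMPLE_RESULTS = [
    ("c1", "alice", "reported"), ("c1", "bob", "clicked"),
    ("c1", "carol", "ignored"), ("c1", "dave", "clicked"),
    ("c2", "alice", "ignored"), ("c2", "bob", "clicked_then_reported"),
    ("c2", "carol", "reported"), ("c2", "dave", "clicked"),
    ("c3", "alice", "reported"), ("c3", "bob", "reported"),
    ("c3", "carol", "reported"), ("c3", "dave", "clicked"),
]

FAILED = {"clicked", "clicked_then_reported"}      # user fell for the lure
REPORTED = {"reported", "clicked_then_reported"}   # user told the security team


def campaign_metrics(results):
    """Per-campaign click rate and report rate; watch these trend over time."""
    by_campaign = defaultdict(list)
    for campaign, _user, outcome in results:
        by_campaign[campaign].append(outcome)
    metrics = {}
    for campaign, outcomes in by_campaign.items():
        sent = len(outcomes)
        metrics[campaign] = {
            "sent": sent,
            "click_rate": sum(o in FAILED for o in outcomes) / sent,
            "report_rate": sum(o in REPORTED for o in outcomes) / sent,
        }
    return metrics


def point_of_failure_queue(results, campaign):
    """Only users who fell for this campaign's lure get training for it."""
    return sorted(u for c, u, o in results if c == campaign and o in FAILED)


def very_incident_prone(results, window=3, min_failures=2):
    """Users who failed at least min_failures of their last `window` simulations
    (assumed threshold); these are the ones to support personally."""
    history = defaultdict(list)
    for _campaign, user, outcome in results:
        history[user].append(outcome in FAILED)
    return sorted(u for u, h in history.items() if sum(h[-window:]) >= min_failures)
```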

The Long Haul

Over the next few years, you can expect your healthcare organization to be on the receiving end of a truly massive volume of incoming cyber attacks. And, as we’ve already learned, the vast majority will utilize phishing in an attempt to gain an initial foothold within your network.

The anti-phishing program I’ve described in this article, in combination with sensibly chosen technical controls, will help mitigate the threat posed by phishing… but only if it’s applied consistently over time. This is not an overnight fix, and it’s not something you can try for a few months and then shelve.

But if you commit the necessary resources, and trust in the process, this type of program will drastically reduce the chance of your organization becoming the next in a long line of healthcare data breach headlines.
