
Carley Tobola

Doctor Said

Writing as Inquiry 007

2 November 2021

Statement of Problem

How would you feel if your personal medical history were being sold on the black market? This can be a daunting thought when you realize how much information, like your social security number and credit cards, is kept inside these databases that are constantly at risk of being hacked. Hackers are interested in getting ahold of your Personal Health Information (PHI), which can be sold for 350 times more than the price of credit card information, making healthcare databases particularly prized targets (Sager). Weak passwords, malware, and a lack of education among companies are leading to healthcare practices being unable to operate and to the loss of trust from patients. Some possible solutions to this problem include multi-step verification methods and implementing encryption into software. However, most data security issues are caused by human error. To solve the problem of data breaches in the healthcare industry, individual practices should implement employee security awareness training because employees will have the knowledge of how to properly protect their data, patients will have more confidence in the company, and the success of the program will be measurable.

Proposed Solution

Employee security awareness training consists of programs that inform employers and employees of potential security risks and how they can successfully combat them. While this may sound like a painful learning experience, some companies have included videos and interactive slides within their modules that range from 5-10 minutes in length. According to Tessian, a security firm, younger workers are five times more likely to make detrimental security mistakes (Becerra). Employers should make sure employees complete security safety modules soon after they begin working to build their knowledge of popular hacking tactics and what they typically look like as they start to encounter them. Additionally, companies should routinely implement the modules throughout the year to make sure employees are always staying alert and aware of proper precautions. Companies should undergo this training during the work day and in the place of work to ensure employees are engaged and practicing these measures in the manner they would encounter them at work. There is not much progress being made if the employees do not use the skills they are taught in the modules practically and in the setting in which they will later face these challenges.

Justification

One reason employee security awareness training is the best solution to data breaches in the healthcare industry is that employees will have the knowledge of how to properly protect their data. According to a study done by Stanford University Professor Jeff Hancock and security firm Tessian, 88% of data breaches are caused by human error ("'Psychology of Human Error' Could Help Businesses Prevent Security Breaches"), which emphasizes that employees are at the forefront of data security. In a personal interview with Brigitte Tobola, a cyber security consultant for the National Institute of Health, she stated, “I have worked with many employees whom have said awareness training has helped them in securing their data and making far less mistakes” (Tobola). It is imperative that they know how to recognize tactics like phishing and malware, as well as be wary of mistakes made when they are tired, like sending an email to the wrong person. Employee security awareness training can stress the importance of making security a habit rather than a hassle. The implementation of this system will benefit your employees, but it will also positively impact your patients.

Another reason employee security awareness training is the best solution to data breaches in the healthcare industry is that patients will have more confidence in the company. With so much competition in the healthcare industry, a strong security system will set a business apart from the rest. In her interview, Brigitte Tobola stated, “Practices, especially smaller ones, get their patients through referrals” (Tobola). You will want your patients to know that you are secure and trustworthy. You can also use the implementation of this program as a marketing point. Customers’ confidence in a company is the most competitive point between businesses (Burt). Patients should not have to worry about more than getting back to being healthy.

A third reason employee security awareness training is the best solution to data breaches in the healthcare industry is that the progress is measurable. Companies will be able to monitor the employees’ progress through the modules as well as the program’s success rate. Most programs send out simulation emails to see if employees use the skills they have been taught (Becerra). Measurability is important in an effective solution because the program can then be altered and tailored to match a company's specific needs or to focus on a defined weak point based on the security measures that are most often compromised.

Considerations and Limitations

The first major consideration that comes to mind is money. Not only does the training cost money to put on with the teachers, location, and curriculum, but when you add on the revenue lost during training time it can seem steep. These programs can range from $250 to $1650 and up depending on how many employees are being put through the program (Becerra). What can help alleviate the shock of those numbers is looking at them next to the financial damage that security breaches can wreak on medical companies. The average data breach costs around $200,000, depending on the size of the company and the amount of data lost (Stika). This cost does not take into account the legal fees, let alone the damage to reputation a company can face. As one can see, the monetary cost of training seems big at first, but when compared to the costs it is saving, it pales in comparison and seems like a clear decision. This figure does not take into account the new customers that will be brought in if stronger security measures are implemented. Most new business in the sector comes by word of mouth; if a firm is known to have secure databases and informed staff, it will surely gain popularity.

Another limitation companies in the healthcare industry might face is a lack of time to implement the modules. You might think the revenue lost during the time these programs are being implemented will be detrimental, but the benefits will pay for the lost time. According to Pensar, security-related risks are reduced by 70% when businesses invest in cybersecurity training and awareness (Williams). A data breach is not something you should risk when dealing with your company and the safety of your patients. Once these programs are implemented, the fear of a data breach occurring will be eliminated and healthcare workers will be able to focus on their main concern: their patients.

Conclusion

You may be thinking, “What’re my next steps now?” The first step would be researching credible cyber security companies that offer training for employees. The things that should be considered are success rate, cost of program, and the duration of the program. Finding a company that is the right balance for your employees will be important; you do not want to take too much time away from your employees doing their jobs. You will also want to research what aspects of cyber security are taught and whether they keep up to date with the latest hacking techniques and patterns. Incorporating cyber security awareness training will not eliminate cyber attacks completely, but it is the step we need toward a more secure and safe world.

Table 4 shows the total number of healthcare data breaches and the total number of individuals affected between the years of 2010-2017 (Seh et al.).


Works Cited

Becerra, Xavier. "Security Awareness and Training." HHS.gov, US Department of Health and Human Services, www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html. Accessed 1 Nov. 2021.

Burt, Andrew. "Cybersecurity Is Putting Customer Trust at the Center of Competition." Harvard Business Review, 2021. Harvard Business Review, hbr.org/2019/03/cybersecurity-is-putting-customer-trust-at-the-center-of-competition. Accessed 1 Nov. 2021.

"'Psychology of Human Error' Could Help Businesses Prevent Security Breaches." CISOMAG, 12 Sept. 2020, cisomag.eccouncil.org/psychology-of-human-error-could-help-businesses-prevent-security-breaches/. Accessed 1 Nov. 2021.

Sager, Tony. "Cyber Attacks: In the Healthcare Sector." Center for Internet Security, 7 Feb. 2017, www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/. Accessed 7 Oct. 2021.

Seh, Adil Hussain, et al. "Healthcare Data Breaches: Insights and Implications." Healthcare (Basel, Switzerland), vol. 8, no. 2, 133, 13 May 2020, doi:10.3390/healthcare8020133.

Stika, Nicole. "5 Ways to Drive Energy Efficiency at Your Business in 2016." Greater Cleveland Partnership, COSE, 7 Jan. 2016, www.cose.org/Mind-Your-Business/Operations/5-ways-to-drive-energy-efficiency-at-your-business-in-2016. Accessed 1 Nov. 2021.

Tobola, Brigitte. Telephone interview with the author. 8 Oct. 2021.

Williams, Mark. "10 Statistics That Show Why Training Is the Key to Good Data Protection and Cybersecurity." Pensar, 18 May 2018, www.pensar.co.uk/blog/cybersecurity-infographic. Accessed 1 Nov. 2021. Infographic.
