Increasing cyber security awareness of hospital staff
Interview with Professor Luigi Lo Iacono, Institute for Cyber Security & Privacy, Bonn-Rhein-Sieg University of Applied Sciences
Medical facilities are considered a critical infrastructure sector. Staff members must receive regular cyber security training to ensure proper IT infrastructure management and prevent shortfalls in medical care.
In this MEDICA-tradefair.com interview, Professor Luigi Lo Iacono describes the consequences of negligence, explains how employees are currently made aware of cyber security and reveals how these measures are analyzed as part of the research project "Medical Centre Employee Centered Information Security Awareness (MedISA)" to prompt new approaches.
Professor Lo Iacono, what are the implications of improper IT infrastructure management?
Prof. Luigi Lo Iacono: You might have incidents where data can fall into the wrong hands. This means a privacy breach as this pertains to sensitive health information that must always be protected. You might also have a case where the hospital's IT is hijacked by third parties. This attack puts medical care at risk. In recent years, there has been a dramatic rise in ransomware attacks that target vulnerable systems. Malware employs encryption to prevent users from accessing systems and information, paving the way to extortion demands. Victims are asked to pay a fee to get the decryption key to unlock the systems, though you should never make any ransomware payments.
Phishing attacks are responsible for more than 80 percent of reported security incidents. Administrative staff and healthcare workers are equally vulnerable to phishing scams. They inadvertently click on malicious links in phishing emails because they may simply not be aware of the consequences opening an attachment from unknown sources may bring. Just one mistake can set off a massive avalanche.
How is hospital staff currently trained to maintain cyber security?
Lo Iacono: Hospitals must conduct cyber security training sessions since medical facilities are part of the critical infrastructure sector. Special standards and guidelines outline how organizations can protect their systems and data from cyber threats. For example, relevant personnel must receive training every two years to increase awareness among employees.
Measures include awareness posters, web-based training, videos, or on-site training sessions. However, we don't know how sustainable and effectual these measures are for the respective target group from a scientific perspective. It also makes a difference whether you train technical administrators, therapists, or medical staff.
Ransomware encrypts IT systems and puts medical care at risk.
What are the specific objectives of the MedISA research project?
Lo Iacono: We want to gather scientific data to identify the ideal measures that have a lasting impact for the different user groups. We teamed up with two clinical facilities to interview the requisite subjects. The clinics have already taken some measures. We plan to survey the test persons from the different target groups to assess how the participants perceived these measures, how effective they considered them and identify special aspects they can still remember. We also incorporated our own ideas for innovative training approaches in the project, which we want to test and evaluate on a scientific basis.
We intend to gather this information and ultimately create a handout with our findings and recommendations medical facilities can subsequently use as an implementation guideline.
How do you plan to achieve these objectives?
Lo Iacono: We organized a series of interviews, participatory workshops, and usability studies with the various target groups to identify training measures that are effective and fit the daily work routine. From there, we will jointly develop the respective measures, which we will subsequently re-evaluate. This means we will also use these measures to increase awareness in the pilot facilities and review them with the participants at the end of the project to assess their effectiveness.
Our idea pertains to a new measure that does not yet exist in this form. Here we take findings from another discipline, namely behavioral psychology, which uses so-called nudge theory. This concept means you "nudge" people in a certain direction and indirectly influence their decision-making. In our setting, the goal is to suggest choices that benefit security and privacy purposes. One could integrate these types of "nudges" into the IT or communication systems.
By using the IT systems and the "nudges", people would receive regular reminders that the steps they are currently taking pertain to sensitive issues. In doing so, awareness would not be created in one day, but on a sustained basis. Employees receive sensitivity training by using the IT systems. Our hope is that when we have the results in three years, we will also be able to declare the measures successful, efficient, and sustainable for large groups.