Education Methods
Nowadays, the information security (IS) of state healthcare systems is considered an integral element of a facility's overall performance. In addition to a general security training program designed for every employee in an organization, specific training is needed to address information security tasks and responsibilities. The level of this education depends on how important information security is to the organization and should vary according to the requirements of the work. Management should also consider more advanced education, including lectures, special courses, and instructions. The information security training program should be designed so that it covers all the security needs of a particular organization. Fortunately, different teaching methods can be implemented to ensure that employees are qualified enough to work with the technology.
Instructor-led training is one such method: an instructor presents information to a group of people. According to researchers, it provides a “kinetic learning experience, which requires both computer hardware and a training database that mirrors the actual information-technology environment” (Hebda et al., 2019, p. 219). The advantage of this method is the opportunity for workers to interact with their trainers and get answers to all possible questions immediately. However, one of the drawbacks of instructor-led training is its cost. Since trainers spend time preparing lessons, communicating with employees, assessing them, and evaluating their progress, hiring them can be expensive for a company. For this reason, a facility should also consider other reliable methods and systems that allow workers to work with the information independently.
The need to provide training at lower cost has led to a variety of distance learning systems. There is no doubt that such systems cannot be considered full training programs. Nevertheless, they are capable of delivering the information and the training material to the end user. In addition, in recent years, different projects have been created that can also evaluate employees' learning progress. Therefore, when choosing a distance learning program, management should pay attention to several factors. The main functions must include the ability to manage the training process for workers. The system should also allow them to generate reports and feedback on training in order to eliminate any possible mistakes. The amount of learning material in the program is vital, as is the evaluation tool.
A review of methods for training employees on information security issues cannot be called complete without considering possible methods for assessing the effectiveness of learning. Evaluation is crucial in this matter, since employees need to be tested before concluding that they are competent enough to work with security technology. One example of assessing practical rather than theoretical knowledge is the use of case studies. The point of this method is to simulate a situation in which the actions of a user can lead to a security violation. Therefore, to prove that a worker has successfully passed the training process, he or she should effectively solve this case.
Protecting Information
Clinics, medical centers, and other healthcare facilities handle a large amount of personal data of both employees and patients. Many of these documents and much of this information fall into the category of medical confidentiality. Therefore, information security technologies in medicine should advance to a new level. As the number of viruses and other cyberattacks increases, it can be assumed that healthcare institutions are prime targets for hackers. According to researchers, “preserving data privacy from adversary parties in a healthcare information system without affecting data utility, model learning, and data sharing are challenging” (Sharma et al., 2018, p. 43). Medical records contain all critical information, including social security numbers, dates of birth, and many other vital details. This allows hackers to use such data for unlawfully obtaining loans, tax fraud, issuing fictitious invoices to insurance companies, obtaining drugs, and other illegal actions.
There is no universal method or program that will ensure the protection of a data system and fully secure it. However, a set of methods is more likely to make it possible to secure the information systems located in medical institutions. First of all, it is important to set clear requirements for the information security of databases and make them clear to the staff. The reason for this is that the processed data belongs to the first class of information systems. In other words, health information is one of the most personal and important categories of information. Therefore, its protection must be provided in every facility, and the failure to do so should be punished at the legislative level.
To prevent leaks of medical data outside organizations, as well as to stop their unauthorized distribution within a facility’s information programs, it is necessary to use full-fledged Data Loss Prevention (DLP) systems. It should also be noted that the key indicator of the usefulness of a DLP system is its ability to detect and prevent the unauthorized transmission of protected information by blocking that transmission. In other words, monitoring data transmission channels and subsequently investigating incidents should not be its only tasks. The facility must also establish an effective management team that is responsible for cybersecurity. Hiring specialists who will manage the information security department, in other words a chief security officer, is crucial in this matter. Such professionals must be tested and certified to confirm that the protection system complies with regulatory requirements. However, the cost-effectiveness of this approach is also doubtful, since it requires additional financial expenditure.
Unfortunately, there is no universal software or technology that will guarantee the most effective data protection. Nevertheless, it is important to understand that leaving a data system unprotected is simply unacceptable and reckless. The risk of cyberattacks is no longer the concern of a single IT department. Currently, this is a key issue that should be considered by the leaders of all medical facilities. The field of healthcare services should not bypass the issue of patient data protection and everything related to this topic. The state should also participate in resolving this problem and offer funds for data protection.
Education on Phishing and Spam Emails
In recent years, hacker attacks on electronic health information security systems have become common. Providing an effective program that is capable of protecting all necessary data is crucial; however, it cannot be efficient without proper training. Offering education on this matter to employees allows them to be aware of hidden targeted attacks and to prevent phishing. The latter type of attack has already become one of the most widespread threats to information security today. Even though there are many educational anti-phishing programs, most employees rarely complete them voluntarily. For this reason, it is vital to train employees who do not possess initial knowledge about information security and protection against such attacks.
Different methods can be implemented to teach the staff about this issue and offer ways to address it. For instance, a facility could hire a trainer who simply delivers the material. A trainer could also evaluate the staff's learning progress and provide this data to management. Since workers, in this case, are supervised and are required to go through tests, this teaching method can be considered efficient in ensuring that the staff has proper education on phishing. Nevertheless, this method can be expensive, and not every facility can afford it.
Another way to make training more engaging and effective is to integrate it directly into the work process. This method can be considered a built-in training system, and it is used to teach users to recognize and avoid phishing attacks. In this case, the organizational unit that is responsible for training personnel sends emails that mimic phishing messages. These emails should contain an inline message that opens when a user clicks a mock phishing URL. The employee then receives a warning and an explanation of the possible consequences of falling victim to this type of attack. After that, he or she is introduced to the educational material, presented in the form of a concise and clear presentation. Such a presentation defines a phishing attack and gives a procedure that helps to avoid one. To make sure that an employee has learned the information, a test is offered that evaluates the progress of training. The assessment process should take into account whether users clicked links in legitimate and phishing emails both before and after training.
Built-in training facilitates the effective transmission of information since it offers a practical method to test the competence of the employees on this matter. This allows the staff to effectively identify phishing messages without misidentifying legitimate messages in the future. In other words, it also teaches them how to recognize legitimate work emails. However, several researchers argue that “click rates decrease over time, a mandatory training program for the highest-risk employees cannot substantially reduce click rates” (Gordon, 2019, p. 550). This statement suggests that a large number of people can still remain susceptible to phishing. For this reason, there is a clear need for further research to come up with simple training methods that reduce this vulnerability.
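The assessment described above can be expressed as a small calculation over the campaign's click log. The following Python is an added illustration, not code from the essay or from any cited study; it assumes a constructed log in which each row records one employee, the phase (before or after training), the email kind (simulated phishing or legitimate), and whether the link was followed. It computes the phishing click rate and the rate at which legitimate emails were wrongly treated as phishing for each phase, and lists employees who clicked phishing links in both phases, which is the group the quoted research treats as highest-risk.

```python
from collections import defaultdict, namedtuple

# Fields: employee, phase ("before"/"after" training), kind ("phishing" for a
# simulated message or "legitimate"), clicked (True if the link was followed).
Event = namedtuple("Event", "employee phase kind clicked")

# Constructed sample log of one simulated campaign; not data from any real facility.
EVENTS = [Event(*row) for row in [
    ("alice", "before", "phishing", True),   ("alice", "before", "legitimate", True),
    ("alice", "after", "phishing", False),   ("alice", "after", "legitimate", True),
    ("bob", "before", "phishing", True),     ("bob", "before", "legitimate", True),
    ("bob", "after", "phishing", True),      ("bob", "after", "legitimate", False),
    ("carol", "before", "phishing", False),  ("carol", "before", "legitimate", True),
    ("carol", "after", "phishing", False),   ("carol", "after", "legitimate", True),
    ("dave", "before", "phishing", True),    ("dave", "before", "legitimate", False),
    ("dave", "after", "phishing", False),    ("dave", "after", "legitimate", False),
]]


def rates(events, phase):
    """Return (phishing click rate, legitimate misidentification rate) for one phase.

    A legitimate email counts as misidentified when its link was not followed,
    i.e. the user treated a genuine work message as phishing."""
    sent = defaultdict(int)
    hits = defaultdict(int)
    for e in events:
        if e.phase != phase:
            continue
        sent[e.kind] += 1
        if e.kind == "phishing" and e.clicked:
            hits["phishing"] += 1
        if e.kind == "legitimate" and not e.clicked:
            hits["legitimate"] += 1
    return (hits["phishing"] / sent["phishing"] if sent["phishing"] else 0.0,
            hits["legitimate"] / sent["legitimate"] if sent["legitimate"] else 0.0)


def repeat_clickers(events):
    """Employees who clicked a simulated phishing link both before and after training."""
    clicked = defaultdict(set)
    for e in events:
        if e.kind == "phishing" and e.clicked:
            clicked[e.employee].add(e.phase)
    return sorted(emp for emp, phases in clicked.items() if {"before", "after"} <= phases)


if __name__ == "__main__":
    for phase in ("before", "after"):
        print(phase, "phishing click rate / legitimate misidentification rate:", rates(EVENTS, phase))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

On the constructed log the phishing click rate falls from 0.75 to 0.25 after training, but the legitimate misidentification rate rises from 0.25 to 0.5, which is why the essay insists that both kinds of email be tracked: a drop in clicks alone can hide employees who now distrust genuine work mail.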
References
Gordon, W. J., Wright, A., Glynn, R. J., Kadakia, J., Mazzone, C., Leinbach, E., & Landman, A. (2019). Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system. Journal of the American Medical Informatics Association, 26(6), 547-552.
Hebda, T., Czar, P., & Mascara, C. (2005). Handbook of informatics for nurses and health care professionals (pp. 120-121). Pearson Prentice Hall.
Sharma, S., Chen, K., & Sheth, A. (2018). Toward practical privacy-preserving analytics for IoT and cloud-based healthcare systems. IEEE Internet Computing, 22(2), 42-51.