We invited privacy & security professionals Lynn de Vries (Rijnstate hospital) and Charlotte Straus (Merem medical rehabilitation) to share their experiences and best practices from cybersecurity and privacy awareness training in the Dutch health care sector.
What are the challenges in creating a good and sustainable security and privacy culture within health organizations?
The challenges medical rehabilitation faces, like other health organizations, are a lack of time but also a lack of interest in these subjects. ‘Junglemap’s NanoLearning faces these subjects with examples which are relatable in both private and work life, for example using safe passwords and the characteristics of phishing mails,’ says Charlotte Straus. One of the solutions to tackle the problem of time is to provide privacy and security ‘snacks’: easily digestible lessons which don’t take time from your agenda; they only take 2 to 3 minutes to complete.
Privacy and security awareness training is basically competing with all the mandatory medical training that healthcare professionals already have. As Lynn de Vries also mentions: ‘We need to be careful with patient and employee data and repeat the importance of this all the time. Also think through when to send awareness lessons and how to approach it. We make it as low-threshold as possible but, at the same time, we send a link in an email, while we tell our people not to click on links in emails.’
Charlotte Straus adds to that: ‘Communication is key here. We started announcing the awareness training well in advance, stating from which email address the lessons will be sent, at which moment the employees will receive the NanoLearning in their inbox and, with a screenshot, what a lesson and/or the email will look like. That makes them feel safe clicking and helps our employees start and complete the lessons.’
Talking about a good cyber security culture, Arno van den Hof, Country Manager for Junglemap in the Benelux, says: ‘It takes time and effort to create a decent cyber security culture. I have never heard anyone say that they look forward to the security or privacy training, because these are just not the most beloved topics to learn about.’ While organizations are being hacked and affected by ransomware, we need to be very careful. Health care handles a lot of sensitive data, and people can make mistakes. That’s just how human beings are, but by learning from mistakes a good security culture can grow.
Regarding risks and developments from the hacker side, Lynn de Vries says: ‘The methods criminals are using are becoming more and more advanced, which means that we need to be even more aware. For instance, phishing mails are not as easily recognisable as before. We are very happy when people approach us to ask whether an email is safe, since it means that they are aware of the risks. Phishing attempts are happening daily, so you need to be aware of what the possible threats are and how to respond to them.’
Charlotte Straus adds to that: ‘It’s an ongoing trend and it will be even more important in the future.’
How can we foster good cybersecurity and privacy behaviours in an environment with an already challenging workload?
In addition to what’s said above, Arno van den Hof adds: ‘After a week people have already forgotten more than half of what they’ve learned in the traditional e-learning that often takes at least half an hour to complete. By splitting the information into smaller pieces, relating subjects in upcoming lessons and using repetition, we help people remember what they’ve learned.’ These topics are too important to train just once or twice a year.
Charlotte Straus says: ‘We get compliments from employees on the learning method we use, and the number of internal notifications of privacy and/or security (near) incidents has slightly increased. That’s a good thing; it means people start recognizing suspicious stuff and make a notification.’ ‘We also see that external auditors appreciate the awareness method we use.’ Adding to that, Lynn de Vries says: ‘We show compliance by using awareness training; it’s an ongoing process. If we can help people to increase their completion rates, we’re happy to help! We are glad they ask us questions and get more proactive.’
How can we get awareness training in place – when there’s a constant lack of time?
Lynn de Vries tells us that employees sometimes say that they have no time to do the training and don’t like that they get reminders when they haven’t finished lessons. ‘Now people start doing lessons together as a team; it only takes 3 minutes, and it helps bring up conversations about privacy and security. This snowball effect is exactly what helps in remembering important topics.’
Both Charlotte Straus and Lynn de Vries agree on the positive effect of reporting in the NanoLearning platform. ‘The completion rates are much higher than those of traditional e-learnings and the opening rates of newsletters we send out within the organization.’ Besides that, Charlotte Straus points out that for NEN 7510, the information security standard for the health care sector in the Netherlands, organizations need to show what they do to create awareness on a structural basis. ‘The auditor appreciates the method, with its positive effect, that we’re using now.’
Rounding off, Arno van den Hof highlights: ‘Having employees complete the lessons is what you want to achieve. Organisations struggle to maintain focus on awareness, and repetition is a great way to help people remember things. Completion rates are usually not that high. AI is making it more difficult to recognise scams, with for example deep-fake voice and video. Technology is moving fast, and criminal organisations will make bad use of it and try to mislead us. We need to be more aware than ever, and it will be even more important in the future. The impact is increasing over time.’