• 
• 
• 

This three-part series of blog posts was motivated by the healthcare industry’s continuing vulnerability to cyberattacks, as demonstrated by the hundreds of security breaches reported over the last year. We have already seen over twice as many breached patient records as 2018’s total of 15 million, with 332 incidents affecting almost 36 million records. The HIPAAjournal notes that 42 of August’s reported 49 breaches occurred in provider organizations. Some, maybe most providers have upgraded IT-based security protections and provided training to workers but whatever the strategies, they haven’t been adequate. Without a doubt, hospitals and other providers must do more.

Hopefully, the series will inspire providers to engage in an enduring effort to achieve a top-to-bottom cybersecurity culture that will effectively prevent or neutralize criminal attacks.  In Part 1 we outlined overall conceptual strategies for designing an enterprise-wide cybersecurity culture-building program that will protect patients from data compromise, empower employees, comply with HIPAA, and reinforce the viability of our healthcare organizations. In Part 2, we took a deeper dive into current-state assessment and planning activities, with a strong focus on the need for a deliberately disruptive plan of integrated actions to foster long-term culture change.

Here in Part 3, we offer recommendations for incorporating specific approaches in your hospital’s culture change plan, with the intention of charging up your workforce, keeping them engaged, and helping them integrate best cybersecurity practices into their everyday lives.

Get the right people involved.

It can’t be over-emphasized how important creating a strong leadership structure will be to the success of your program. At least four groups should be recruited: sponsors, security advocates, security-aware, and convertible talent. Sponsors are executives who are committed to shaping the security direction and strategy, and will make sure that the program’s elements align with business objectives. Security advocates are influential leaders within the organization who have a clear passion for keeping data secure.  These people often hark from IT, but could be HIM leaders, CFOs, CNOs, the security officer and super-users. Ideally, at least some of the program’s sponsors will also be advocates. The security-aware may not be as passionate but realize they need to contribute to making security better. They may be represented by workgroup directors and managers, HR and/or others.

What is convertible talent? As we discuss later, your culture change program will not work without engaging users, including making it interesting, valuable and even fun. You will need the support of people with creative communication talents, who could come from Marketing or HR. A big part of their job will be inspiring engagement through attractive, energizing activities and materials. Your HR staff may also include people who have worked on other culture change programs; their experience and insights will be invaluable.

Every member of your steering committee and workgroups must be committed to the goals of the program, and willing to influence and/or lead by example.

Collaboratively craft the program using agreed-upon S.M.A.R.T goals.

SMART goals shouldn’t be new to anyone who’s been involved in a major program for organizational change. A simple, widely used system for corporate planning, Jack Welch famously credited it for tripling General Electric’s stock in just eight years.  Basically, S= Specific; M= Measurable; A= Achievable; R= Relevant T= Time-bound. With SMART goals agreed upon by your change program leaders and stakeholders, developing the right plan for your organization can be done by designing back, using desired results as the starting point for the program’s design. If you or your cultural change program leaders need a refresher, visit one of many web sites that describe the SMART system in detail, and even provide a free download of SMART templates.

A program is not a project: plan on a longterm effort to achieve lasting change.

Recognize that a short term several-week security awareness project, no matter how engaging, may gain interest, but not longterm behavioral changes. More likely, having experienced past short term initiatives, users will patiently (or impatiently) wait till it’s over. Project goals and activities that aren’t supported by continuing, consistent reinforcement, will be forgotten. Your program should assume regular follow-up projects if it is to succeed. It should take the workforce on a meaningful journey to achieve measurable results over time. The good news for planners is that every follow-up awareness project needn’t be defined in detail today.

The program must focus on defined security challenges and goals, not on a mandate for “culture change.” 

In other words, don’t plan to talk much about culture, except at the leadership level. Definitely don’t use the word culture in the program’s name. Sound contradictory? The term “culture change” is likely to be meaningless, at best, to most workers. At worst, the words will be threatening. Sure, your leadership recognizes employees are a weak link in the organization’s data security posture, especially those who have access to patient and financial information. And yes, this problem has driven your leadership’s decision to work toward a more security-savvy culture.

But a major expectation and a program goal should be that your users will become a strong security asset. Promote this concept as the program’s central premise. If the program is framed in terms of the very real security risks facing the organization and the industry, and how everyone is needed to overcome them, users are much more likely to engage in the effort. Talking “culture change” is likely to be interpreted by many employees as an indictment of them, creating wariness and distrust.

Apply activities that match up with user groups’ learning styles and values. 

Healthcare workers are so diverse that there are no one-size-fits-all awareness and reinforcement tactics. Most people have a primary learning style and central job-related values. Identifying these factors upfront within workgroups of like employees (e.g. nurses, IT workers, revenue cycle staff, executives) will greatly enhance program success.

For a program to be truly outcomes-based, learning materials should be customized as much as possible for intended audiences.  Inadequate matching can inhibit individuals’ learning and desired behavioral changes. Understanding the audience can be done through reviewing internal processes, conducting focus group sessions, and performing on-the-job observation. With this documented knowledge, planners can pull everything that should be used for developing a meaningful high-impact awareness regimen.

Similarly, though everyone has a “best” learning style, we all find greater understanding via many different learning methods. This requires applying a variety of communications tactics.  It also means tailoring messaging such as stories, case studies, exercises and other reinforcement to individual workgroups’ patient care and/or business activities. Draw on a variety of media e.g. videos, infographics, contests, posters, role-playing, suggestion programs and more, without sacrificing all-important in-person sessions conducted by program advocates and influencers. Timing and scheduling of activities should be similarly tailored. No physician will interrupt an appointment schedule for a security problem-solving session.

Staff must know why they are expected to behave in certain ways or follow specific policies.

This point may seem obvious when considering cybersecurity. However, even if people intellectually understand security program information it is common that they won’t adhere to it. The reasons are often simple: “That problem has never happened to me,” or “In my job, I would never experience a cyber-attack,” or “I can trust that co-worker not to abuse my password.” We have even seen people who have used the same password for all their needs for decades.

Learning activities should repeatedly demonstrate the cyber-risks facing healthcare organizations and their employees, including the consequences of breaches.  They should walk workers through case situations where they will see how like workers and organizations have experienced great harm through inadequate security risk responsiveness.  This was discussed in greater detail in Part 2.

The program should also pay strong attention to the benefits of adhering to it. Participants should see how they can derive personal benefit and value in the knowledge, insights, and guidance provided to them about risk and security. They must come to realize that viewing their actions through an updated lens and using critical and responsible thinking will prevent harm to them, their patients and/or their organization.

Plan to build personal experiences for employees that will induce them to change quickly, e.g. case studies and actual simulations.

Many behavioral changes that individuals make are triggered by a catalyst, something they have experienced: a health scare, a failure in a project, or when it comes to cybersecurity, victimization by a phishing exploit or hack. Exploring case study examples of security breaches and their aftermath is useful, especially if your program provides for regular news to users about new breaches within like organizations.  In addition, consider creating periodic email phishing simulations and sending them to your users. The emails are designed to mimic genuine phishing attacks and then track who clicks the link. The results will provide insights into which employees require more training and will be a wake-up call for them. Simulations can be done responsibly, without being overly threatening or disruptive to your staff. Some quick tips:

• Get executive buy-in before each such initiative.
• Establish a baseline risk score via an initial test to a random sample.
• Make it easy for employees to report a suspicious email.
• Warn all staff when a simulation is approaching (without giving details), and send them reinforcement training materials in advance.
• Change up the timing, types of phishing exploits, and groups who are tested.
• Report results to all employees for each simulation, but never release names of “victims” to anyone, including their managers or executives.
• If you need help in designing or managing a simulation, contact us or go online to the many security firms who offer more detailed recommendations.

Expectations of new behaviors require measurement and accountability.

High, but achievable expectations should be set. Culture change professionals have found that learners are more likely to attain high standards when they are challenged by what is expected. The key to understanding how well your employees are learning and changing is measurement. Various metrics can be applied such as surveying workers to measure changes in awareness and by tracking behaviors and outcomes, amount of reported lost or stolen devices, increases in phishing email reports, decreases in reaction time of incident response teams, and logging of incident types. IT should have technical security event management tools needed to identify and measure items such as rate of infections, network anomalies and authentication failures across the environment.

The effectiveness of any cultural change is amplified when people know they will be held accountable for their actions. Accountability when it comes to cybersecurity is a tricky subject. A policy of blame and retribution is counter-productive. It discourages people from reporting incidents. It’s important to note, too, that users who unwittingly contribute to a security incident are themselves victims. Enabling users to report an incident and even acknowledge their responsibility without disciplinary repercussions will reduce reoccurrences.

Your culture change program should confirm that these users will be listened to and their reports reviewed fairly. Unless malfeasance or negligence is very obvious, security incidents should be used as development opportunities. Unlike disciplinary action, establishing a reward system, especially if it is tied into compensation will serve as a great motivator.

If your organization makes a major investment in enterprise-wide time and effort to address cybersecurity and its dangers, it will send an important message to your employees.

Many, if not most, workers will recognize that if cybersecurity is that important to the organization, it probably should become important to them. There will be a natural transition from that level of understanding to the concept that security is a foundation of the culture and a significant element of the organization’s strategic business posture. A program that includes plenty of regular reinforcement over time will create new behaviors which in turn will become habits — second nature. Culture change.