The healthcare industry has undergone major transitions with the advent of modern technological innovations. Implementation of modern technology in the healthcare sector has provided it a major facelift. Many complicated medical procedures and techniques have been made easier with the introduction of latest technologies and equipment in the healthcare sector. Medical research and development and various operational procedures are nowadays greatly supported by modern technologies. Hospitals and medical institutes are increasingly using data driven technologies in order to smoothen the workflow.

In spite of all the advantages it provides, modern data driven technology also comes with its share of risks and disadvantages. In the recent years, the healthcare industry has found itself under constant attack. Data security threats on the healthcare industry are increasing rapidly. Many healthcare institutions are being targeted by cybercriminals who infiltrate their websites, networks, devices, and databases, and gather crucial information almost regularly. Moreover, most hospital networks are general and not segmented which may easily spread digital infections from the IT and clinical networks.  Healthcare data are also highly demanded in the black market as they can be used illegally in various ways. In fact, as per recent data, in just the first two months of 2018, data breaches affected 24 health care provider organizations and over 1,000 patients each.

Hospital authorities have to critically worry about the above given possibilities of attacks on their networks and servers which may lead to loss of essential and sensitive patient and organizational data. They have to take necessary steps to protect their network from external threats. Most authorities are wisely investing in technical controls to protect their networks. But an important aspect that most hospitals overlook is the human element in data security.

It is a known fact that healthcare is a high stress industry. Authorities don’t have much time to provide information security training to professionals. A recent survey states that only 30% of global information workers at healthcare organizations indicate that they were trained about workplace data security, and only 38% have knowledge about their organization’s security strategies.

Most healthcare organizations have the desired security policies, but less attention is paid on proper implementation of such policies.  If the employees are not properly trained about security measures and policies, they may invite various risks like carelessly opening harmful emails, clicking on suspicious links, and other such threats.

Healthcare employees are medical professionals first. Hence, they have to give their best in healthcare support.  Paying more attention to security policies will obstruct their usual work routine, affect their performance, and reduce the productivity. Instead, employees should be enthused to act cautiously as a part of their day-to-day routine.

Planning for Behavior Change

Hospitals should not start a security campaign with posters of do’s and don’ts. Instead of starting an awareness campaign, they should go for an ongoing behavioral program.  They should conduct a study on the risk factors the hospital is facing (like stolen and manipulated data, malfunctions, and system breakdowns), and evaluate how staff behavior can worsen or reduce those risks.

Authorities should record how employees can contribute in reducing those risks, and then develop a list of desired guidelines for making it easy for the staff to adopt. It is important to establish a target audience for delivering the required messages. Authorities should select a specified audience to which security related messages and information should be conveyed.

Each organization is unique in terms of the culture and context in which they operate. Authorities should utilize the existing communication channels and cultural tone. Hospitals should conduct weekly staff meetings, quarterly prizes for proper behavior, and financial incentives for boosting the morale of the staff.

Developing Appropriate Content

Hospital authorities should come up with interesting contents. The behavior-change security programs should not be boring; rather, the content should be engaging and should attract the employees’ attention. Management should make sure that the employees shouldn’t tune out without completely going through the content.

Hospitals should make the message personal. They should aim at creating messages which would help the employees understand why data security is important for them and their companies, and how the employees can contribute in data protection.  They can reinforce the message by highlighting real-life examples of data-security attacks and near misses of various peer organizations. Moreover, many hospitals can put policy reminders at various places like a poster near the elevator asking the employees if they have logged out of their computers, or blocking questionable websites.

If gamification tactics are a good fit for a hospital’s organizational culture, they can encourage friendly competition among the staff. They can create scenarios where the employees compete with each other or for their own best scores. The hospital authority can encourage the employees by including rewards for the team with the strongest passwords, fewest data loss, or highest scores on training sessions.

The prime focus of healthcare providers is non-stop patient care, service, and satisfaction. None of these objectives can be accomplished without ensuring good data security. Healthcare institutions should connect and communicate with their employees and make sure that they are performing responsibly and are considering data security as an important part of their day-to-day responsibilities.