Disaster Preparedness: Tips For Fostering Resilience Across Your Workforce
Fostering resilience across your workforce through customized security awareness training and tabletop exercises can help organizations enhance disaster preparedness efforts.
A robust security architecture, a thorough incident response plan, and technical and physical safeguards are essential to maintaining enterprise-wide resilience in the face of a natural or human-made disaster. And if you already run in the cloud, much of the tooling for remediation and preparedness is already at hand.
But fostering resilience and disaster preparedness among your workforce is equally crucial. People are your organization’s first line of defense — encouraging cyber hygiene and promoting a culture of security ensures that the responsibility does not fall on only one individual or team.
Role-based security awareness training, interactive tabletop exercises, and behavior-based security programs can further help healthcare organizations defend against cybersecurity incidents and natural disasters.
Implement role-based security awareness training
Security awareness training is mandatory under HIPAA. The HIPAA Security Rule, at 45 CFR §164.308(a)(5), requires covered entities and their business associates to implement a security awareness and training program for all members of the workforce so that they can recognize cyber threats and safeguard electronic protected health information (ePHI).
The standard's implementation specifications are "addressable," which does not mean optional: an organization must implement each one or document why it is not reasonable and appropriate and what it does instead. They cover periodic security reminders; procedures for guarding against, detecting, and reporting malicious software (which in practice means the phishing lures that deliver it); procedures for monitoring log-in attempts and reporting discrepancies; and procedures for creating, changing, and safeguarding passwords. Beyond these basic requirements, HIPAA gives organizations the freedom to craft a training program that works for them.
Hector Rodriguez, executive security advisor, WWPS health and life sciences at AWS, suggested that organizations implement a role-based security awareness training program to better serve each member of the workforce and the organization.
“Healthcare organizations first must understand who does what during the day,” Rodriguez said. “Nurses and physicians may not spend a lot of time in front of the computer, so they might react differently.”
Conversely, members of the IT team may spend most of their day in front of a computer and may already be familiar with signs of a cyber intrusion or phishing attack. Every workforce member likely has different levels of comfort and knowledge regarding cybersecurity. Therefore, a generic security awareness training program will not be effective for everyone in the workforce.
The same principles can be applied to natural disaster preparedness—emergency response roles and responsibilities will vary across the workforce.
Role-based security training accounts for the unique challenges that different employees face on a day-to-day basis. Comprehensive security training should address risks that are specific to each role and provide actionable tools to combat those risks. This approach will require more up-front effort but will better prepare your workforce to deal with security incidents as a team.
Employ behavior-based training modules
Role-based security awareness training ensures that employees receive information that is relevant and useful to them. However, security training should also be engaging and behavior-based to effectively resonate with the audience.
“It is not something that should take hours to do, because people don’t have that kind of time. That’s not the way we learn,” Rodriguez observed.
“Security awareness training should be adaptive, behavior-based, and data-driven.”
Anti-phishing programs are a great way to implement behavior-based training modules. Phishing and other social engineering attacks are extremely common cyber threats in healthcare, even prompting HHS to issue an alert to the healthcare sector about the increasing prevalence of phishing campaigns.
Phishing succeeds so often because it needs only one person to click a link or open an attachment for the attacker to gain a foothold in the organization's systems. In response, many organizations run phishing awareness programs that send simulated phishing emails to employees, record who clicks and who reports, and use the results both to gauge organizational risk and to educate the workforce as a whole.
However, if someone clicks a link in a simulated phishing email, a talk with management or human resources may not solve the problem, Rodriguez noted. With a behavior-based anti-phishing approach, the employee would immediately receive adaptive security training focused on their specific role and behavior to reinforce good cyber hygiene.
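The behavior-based loop described above, combined with the role-based framing from the earlier section, reduces to a small amount of scoring logic. What follows is an added example, not code from the article or from AWS: it takes a constructed export of one simulated-phishing campaign (the user IDs, roles, module names and thresholds are all assumptions), computes click and report rates per role, flags roles whose content needs rework, and assigns each person follow-up based on what they actually did rather than on a single generic module.

```python
"""Turning simulated-phishing results into role-based, behavior-based
follow-up.  Added example: the records, roles, module names and thresholds
below are constructed for illustration, not real data or AWS code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Result:
    user: str
    role: str
    action: str        # one of: reported, ignored, clicked, submitted
    prior_clicks: int  # clicks recorded in earlier campaigns


# Constructed export of one campaign (hypothetical users and roles).
CAMPAIGN = [
    Result("a.smith", "nurse", "ignored", 0),
    Result("b.jones", "nurse", "clicked", 0),
    Result("c.lee", "nurse", "reported", 0),
    Result("d.kim", "physician", "submitted", 1),
    Result("e.ng", "physician", "ignored", 0),
    Result("f.ali", "it", "reported", 0),
    Result("g.ray", "it", "reported", 0),
    Result("h.cho", "billing", "clicked", 2),
    Result("i.ortiz", "billing", "ignored", 0),
]

# Hypothetical role-to-module mapping; a real program points at its own content.
ROLE_MODULES = {
    "nurse": "phish-clinical-workstation",
    "physician": "phish-clinical-workstation",
    "it": "phish-admin-credentials",
    "billing": "phish-invoice-fraud",
}
DEFAULT_MODULE = "phish-general"
REPEAT_THRESHOLD = 1      # prior clicks that trigger manager follow-up (assumed)
MIN_REPORT_RATE = 0.25    # below this, the role's training content needs rework (assumed)


def role_metrics(results):
    """Click rate and report rate per role.

    Click rate is what most programs track, but report rate is the one that
    matters operationally: a role that never reports gives the security team
    no early warning when a real campaign lands.
    """
    tally = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = tally[r.role]
        t["n"] += 1
        if r.action in ("clicked", "submitted"):
            t["clicked"] += 1
        elif r.action == "reported":
            t["reported"] += 1
    return {
        role: {
            "click_rate": round(t["clicked"] / t["n"], 2),
            "report_rate": round(t["reported"] / t["n"], 2),
        }
        for role, t in tally.items()
    }


def roles_needing_rework(metrics, min_report_rate=MIN_REPORT_RATE):
    """Roles whose report rate is too low to rely on, sorted for stable output."""
    return sorted(r for r, m in metrics.items() if m["report_rate"] < min_report_rate)


def assign_training(result) -> Optional[dict]:
    """Follow-up for one user, driven by what they did and by their history.

    A correct report gets no retraining (reinforce it instead), silence gets a
    nudge on how to report, and a click gets an immediate role-specific module.
    Submitting credentials or repeat clicking escalates beyond training alone.
    """
    if result.action == "reported":
        return None
    if result.action == "ignored":
        return {"user": result.user, "urgency": "nudge",
                "module": "how-to-report-phish", "escalation": None}
    escalation = None
    if result.action == "submitted":
        escalation = "security-team-review"   # credentials typed into the lure page
    elif result.prior_clicks >= REPEAT_THRESHOLD:
        escalation = "manager-followup"       # a pattern, not a one-off mistake
    return {"user": result.user, "urgency": "immediate",
            "module": ROLE_MODULES.get(result.role, DEFAULT_MODULE),
            "escalation": escalation}


def campaign_plan(results):
    """All follow-ups for a campaign, keyed by user; reporters are omitted."""
    plan = {}
    for r in results:
        assignment = assign_training(r)
        if assignment is not None:
            plan[r.user] = assignment
    return plan


if __name__ == "__main__":
    metrics = role_metrics(CAMPAIGN)
    for role, m in sorted(metrics.items()):
        print(f"{role:10s} click={m['click_rate']:.2f} report={m['report_rate']:.2f}")
    print("roles needing rework:", roles_needing_rework(metrics))
    for user, a in campaign_plan(CAMPAIGN).items():
        print(user, a["urgency"], a["module"], a["escalation"])
```

Two design points worth noting. The per-role report rate, not the click rate, is the number to put in front of leadership: a role that clicks rarely but never reports is invisible to the security team during a real campaign. And the escalation paths are deliberately not part of the training catalogue; a credential submission or a repeat click is a signal for the incident response process and the employee's manager, which is the behavior-based follow-up the text describes instead of a generic conversation with HR.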
Conduct tabletop exercises
Tabletop exercises further enhance organizational resilience by putting security training to use. Incident simulations allow organizations to iron out the responsibilities of each workforce member in the event of a natural or human-made disaster, from a ransomware attack to a hurricane. Leaders can talk through response plans with their teams in a stress-free environment and identify escalation paths and communication procedures. Additionally, plans and procedures can be updated and modernized to include new information or fill gaps discovered during the exercise.
“Tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation,” the Department of Homeland Security states on its emergency preparedness website.
“A facilitator guides participants through a discussion of one or more scenarios. The duration of a tabletop exercise depends on the audience, the topic being exercised, and the exercise objectives. Many tabletop exercises can be conducted in a few hours, so they are cost-effective tools to validate plans and capabilities.”
DHS recommended beginning exercise program development by assessing the organization’s needs and current capabilities. Healthcare organizations should also consider what emergencies they are most likely to encounter and prioritize practicing their response to the most probable incidents.
“It really is about getting everyone to understand their role as it applies to the incident response process,” Rodriguez explained. “Everyone has a role in helping the organization maintain business continuity.”
______________________________
Hector Rodriguez works for Amazon Web Services (AWS). For more tips on creating a resilient healthcare organization, please visit the AWS Organizational Resiliency & Continuity Help Center.
AWS is the trusted technology and innovation partner to the global healthcare industry. As the most mature and reliable cloud platform with the broadest and deepest portfolio of healthcare solutions, AWS provides the security and privacy required to enable the highly regulated healthcare industry to increase the pace of innovation, unlock the potential of data, and personalize the healthcare journey.