• Contact
  • 888-54-FIRST
  • Client Login
    • Client Portal
    • Online Store
Search
First Healthcare Compliance
  • Solutions
    • Compliance Management Software
    • Online Compliance Courses
    • Compliance Management Suite
  • Plans
  • Resources
    • Blog
    • Virtual Education Hub
    • 1st Talk Compliance Podcast
    • Connect Magazine
    • Compliance Posters
    • Healthcare Compliance Books
    • Newsletter Signup
  • News & Events
    • Press Releases
  • Our Team
  • Request Demo
  • Menu Menu
  • Shopping Cart Shopping Cart
    0Shopping Cart

Blog

cybersecurity-data-privacy_ftFIXed

Cybersecurity & Data Privacy Training, A New Approach with Rebecca L. Rakoski & Sajed Naseem

September 13, 2021/in Blog, Cybersecurity, HIPAA

Cybersecurity & Data Privacy Training, A New Approach with Rebecca L. Rakowski & Sajed Naseem

Rebecca L. Rakoski, managing partner at XPAN Law Partners and Sajed Naseem, Chief Information Security Officer (CISO) from NJ Courts recently presented the webinar “ Stop the Insanity! Why Healthcare Organizations Need to Take a New Approach to Cybersecurity & Data Privacy Training .” Rebecca and Saj returned to answer many commonly asked questions from the webinar.

Nearly every regulation or standard requires training, why is it so important?

As we have seen repeatedly, cybersecurity goes beyond just a tech issue, it is really a “people” issue. Employees are undoubtedly an organization’s greatest asset but can be its biggest liability because cyber criminals only really need 1 employee to make a mistake. This can take the form of clicking on a bad link in a spear phishing email, transferring money to a fraudulent account, or inadvertently downloading a virus from the internet. Employees are by their very standing in a company on the front line of our cyberwar against hackers. Accordingly, the Biden Administration has acknowledged the growing threat to both the public and private sphere. In fact, the White House has warned business leaders to “step up” measures to protect against ransomware attacks. The reason for such a warning has been the significant increase in ransomware incidents that have literally leapt out of cyberspace and had a disruptive impact on American’s daily lives (i.e., increased gas prices, violations of consumer privacy, and illegal appropriation of proprietary information). For a while now, cybersecurity experts have known that true data security is not a simple problem to solve, and surely not a purely technological one, but one that is layered and interdependent on the strength of the defenses around it. Therefore nearly every regulation and standard require training and where the starting point of implementing a strong security and program really begins.

How do companies train now and are those efforts effective?

It is all too clear that current approaches to cybersecurity training is not effective nor is it working for the simple reason it is not being done well. Daily we are bombarded by news of data breaches lacking any sort of context but generalized to include human error as the cause even though many organizations have for the most part yearly cybersecurity training. Companies implement a broad range of techniques to gauge whether employees will click a bad link – one being phishing campaigns. Unfortunately, this type of research only gives the organization a partial picture and a hazy one at that. Typically, it shows that an employee clicked, but it does not answer the revealing question of why the employee clicked. Click rates are tools after all but not the whole toolbox. Organizations need to understand the why to prevent it from happening. To solve this problem, organizations need to start by doing two critical things: (i) employees need to be able to “recognize” risks and “respond” appropriately, and (ii) employers need to teach them “how” by raising their situational awareness and keeping it top of mind. In the current security awareness environment, training programs largely fail because they lose the human component to training and rely too heavily on video training that often fails to engage the employees in the actual training. Frequently, employees see this type of training as something they must do, or a box they have to check for their employer. It is therefore common for organizations that are hacked to have “trained” their employees but to have failed to create a strong practical and effective cybersecurity and data privacy program. When it comes to training, results are key indicators of efficacy. The proof at the end of the day is in the pudding.

Why is quantification so important?

In light of this significant and growing issue facing business today, a new face for cybersecurity awareness needs to be measured, resolved, and/or mitigated in order to continue to provide justice, secure assets, minimize liabilities, and increase positive growth. Privacy and security programs need to incorporate security awareness that needs to be quantified to ensure employees are informed and aware of security risks. This protects both themselves as well as an organization’s assets. So, when it comes to adding value to an organization using a security awareness program, it is necessary to have a set of methods to both study and measure its effect. Properly defined analytics and the rise of artificial intelligence make spotting potential insider threats easier and less intrusive. Measuring elements like Knowledge, Attitude, and Behavior (“KAB”) can provide both quantitative and qualitative insights into an employee’s cyber awareness. The knowledge component entails core requirements which an individual employee either knows or does not know. Conversely, tailored behavioral analyses take defined analytics a step higher by allowing for the revelation of underlying attitudes and the situational actions that one takes in response to denied stimuli. This is where Implicit Association Testing (IAT) has proven to be a valuable tool to reveal hidden or subconscious biases in attitude. Combined with objective situational assessments that include a time component, it provides powerful insight into an individual’s response to various cyber threats. In sum, binding these factors together is what leads to better predictive models of degrees of cyber vulnerability. CISO’s that employ this in their organization can in turn use this information to develop custom training programs tailored to employees’ particular environment and job responsibilities, thereby creating an effective cyber awareness program that significantly improves its odds of preventing a cyber-incident.

Are you just talking about more training?

Businesses thrive not by doing things more frequently but to, in fact, do it better. The prevailing thought for years now has been to employ poorly designed and generalized applications of cybersecurity training with minimal consideration of what actually works and inevitably leading organizations to still get hacked. So, this begs the question – why do we keep attempting to manage a square peg in a round hole but expecting a distinctly different outcome? Measuring an employee’s KAB toward cyber security will allow an organization to go beyond a simple click rate survey and instead understand “why“ the employee is still clicking. Using this metric, an employee’s training can be better tailored using the KAB to increase both the effectiveness and value of that training. Ultimately, tailoring a program to an individual employee based on their unique metric and organizational directive in the company infrastructure will dictate the degree of success and advantage a security and privacy program can bring to an organization. As a parallel example, science is now working on creating pharmaceuticals and different therapeutic treatments specifically tailored to an individual’s DNA sequence. Based on research to this point, this type of tailored treatment has shown to be more effective and efficient because it is particular to that individual and thus reducing unwanted and unforeseen consequences. Same principle applies here. A KAB score does the same thing for cybersecurity by increasing the benefits of a security and privacy program through tailored analytical consideration to better understand and then train the organization’s most important, but often highly unpredictable, variables – its employees.

Rebecca L. Rakoski is the managing partner at XPAN Law Partners. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state-federal regulatory compliance and enforcement actions. As an experienced litigator, Rebecca has handled hundreds of matters in state and federal courts. Rebecca skillfully manages the intersection of state, federal, and international regulations that affect the transfer, storage, and collection of data to aggressively mitigate her client’s litigation risks.

Rebecca serves on the New Jersey State Bar Association’s Cyber Task Force. Rebecca is Vice􏰓Chair Elect for the New Jersey State Bar Association’s Bankruptcy Law Section and also served on the Complex Business Litigation Committee that drafted and revised the Court Rules involving electronic discovery in complex litigation matters. Rebecca has been appointed in several litigation matters by the New Jersey Superior Court as a Discovery Special Master.

Rebecca is on the Board of Governors for Temple University Health Systems, and an adjunct professor at Drexel University’s Thomas R. Kline School of Law and Rowan University.

Sajed Naseem (“Saj”), is the Chief Information Security Officer (CISO) of New Jersey Courts. Sajed has over twenty years of experience with information security and information technology across many industries. As the Chief Information Security Officer (“CISO”) of the New Jersey Courts, Sajed has focused on Cybersecurity Readiness & Performance, Information Governance, and Network Security. Sajed holds Masters degrees from St. John’s University and Columbia University. Sajed routinely speaks at Cybersecurity conferences nationally, Europe and with the New Jersey Bar Association. Sajed is also an Adjunct Professor at St. John’s University in Information Security since 2010 and a native of New York City.

Be sure to view a recording of this webinar here and don’t miss our many other expert webinars, podcasts, and blogs with our presenters here. Take a look at our book: HIPAA Privacy and Security , and our online compliance training courses such as What is HIPAA? , and HIPAA Business Associate Agreements Under HITECH .

Tags: Business, Cybersecurity, healthcare, technology
Share this
  • Share on Facebook
  • Share on X
  • Share on LinkedIn
  • Share on Reddit
  • Share by Mail
https://1sthcc.com/wp-content/uploads/2021/09/cybersecurity-data-privacy_ftFIXed.jpg 758 1200 Catherine Short https://1sthcc.com/wp-content/uploads/2022/10/1sthcc-logo-1024x378.jpg Catherine Short2021-09-13 14:54:062025-04-15 12:42:57Cybersecurity & Data Privacy Training, A New Approach with Rebecca L. Rakoski & Sajed Naseem
You might also like
compliance How to be a Wildly Effective Compliance Officer with Kristy Grant-Hart
Steering Clear of Legal Liability
Negotiations in Healthcare Webinar Negotiations in Healthcare and Technology
Causes vs. Reasons for Data Breaches Infographic: Causes vs. Reasons for Data Breaches
Why Healthcare Organizations Need to Take a New Approach to Cybersecurity & Data Privacy Training
Appropriate Use Criteria – Delayed but Not Gone

Subscribe to Weekly eNewsletter

Get the latest healthcare compliance updates straight to your inbox.

Subscribe to Newsletter

Recent Posts

  • Navigating the HIPAA Security Landscape: A Comprehensive Guide to Security Risk Assessments
  • OSHA Recordkeeping in Healthcare: Answers to Frequently Asked Questions
  • Naughty or Nice? The Rules of Giving and Receiving in Healthcare
  • fraud waste abuse healthcare compliance
    FWA in Healthcare: How to Respond Appropriately to Detected Offenses
  • Infographic: 6 Areas of Potential Liability for Healthcare Providers
    6 Areas of Potential Liability for Healthcare Providers
  • 5 Benefits of Automating Incident Reporting in Healthcare

 

First Healthcare Compliance is a division of Panacea Healthcare Solutions. Learn more

Subscribe

Get the latest healthcare compliance updates straight to your inbox.

Subscribe to Newsletter

Connect

Get started: Request Demo

Call: 1-888-54-FIRST

E-mail: Contact us

  • Link to Instagram
  • Link to Youtube
  • Link to Facebook
  • Link to LinkedIn
  • Link to X
© Copyright 2026 Panacea Healthcare Solutions, LLC | Disclaimer | Privacy Policy and Copyright Notice
Scroll to top Scroll to top Scroll to top

We and our third-party partners use cookies to improve and personalize your experience on the site and with our services in addition to delivering and reporting on ads. Please visit our Privacy Statement for more information. By continuing to browse the site, you are agreeing to our use of cookies. Read Privacy Statement.

OKDismiss

Cookie and Privacy Settings



How we use cookies

We may request cookies to be set on your device. We use cookies to let us know when you visit our websites, how you interact with us, to enrich your user experience, and to customize your relationship with our website.

Click on the different category headings to find out more. You can also change some of your preferences. Note that blocking some types of cookies may impact your experience on our websites and the services we are able to offer.

Essential Website Cookies

These cookies are strictly necessary to provide you with services available through our website and to use some of its features.

Because these cookies are strictly necessary to deliver the website, refusing them will have impact how our site functions. You always can block or delete cookies by changing your browser settings and force blocking all cookies on this website. But this will always prompt you to accept/refuse cookies when revisiting our site.

We fully respect if you want to refuse cookies but to avoid asking you again and again kindly allow us to store a cookie for that. You are free to opt out any time or opt in for other cookies to get a better experience. If you refuse cookies we will remove all set cookies in our domain.

We provide you with a list of stored cookies on your computer in our domain so you can check what we stored. Due to security reasons we are not able to show or modify cookies from other domains. You can check these in your browser security settings.

Other external services

We also use different external services like Google Webfonts, Google Maps, and external Video providers. Since these providers may collect personal data like your IP address we allow you to block them here. Please be aware that this might heavily reduce the functionality and appearance of our site. Changes will take effect once you reload the page.

Google Webfont Settings:

Google Map Settings:

Google reCaptcha Settings:

Vimeo and Youtube video embeds:

Privacy Policy

You can read about our cookies and privacy settings in detail on our Privacy Policy Page.

Privacy Policy and Copyright Notice
Accept settingsHide notification only