Catherine Short speaks with Rebecca L. Rakoski, managing partner at XPAN Law Partners and Saj Naseem, Chief Information Security Officer (CISO) from NJ Courts on the topic of “Why Healthcare Organizations Need to Take a New Approach to Cybersecurity & Data Privacy Training.” Employees are one of an organization’s greatest strengths and weaknesses. For years, cybersecurity advocates have argued that trained employees are the only way to safeguard the organization. However, these same organizations engage in training for their employees only to see the next data breach caused by one of those same trained employees. The question then becomes, why do we repeat the same exercise expecting a different outcome? In addition, as many employees continue remotely, this has created an additional operational hurdle for IT and IT security professionals. Simply put, the basic “people problem” needs to be re-defined and updated using science. On this episode, we will discuss how training, using traditional methods can cause greater liability and threats to an organization. Finally, we will review how measuring an employee’s Knowledge (K), Attitude (A), and Behavior (B) (“KAB”) toward cybersecurity can help to create a tailored solution for cyber awareness training and provide a workforce the weapons they need to effectively stave off cyberthreats.
- Why Healthcare Organizations Need to Take a New Approach to …
employees, training, organizations, compliance, people, measure, healthcare, pandemic, important, effective, phishing emails, cyber attacks data breach, stop, understand, KAB, work, security
Catherine Short, Saj Naseem, Rebecca L. Rakoski
Catherine Short 00:02
Welcome and let’s 1st Talk Compliance. I’m Catherine Short Partnership Marketing Manager at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality, complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can follow us on Instagram, Twitter, and subscribe to our YouTube channel.
Catherine Short 00:36
On today’s episode, we are speaking with Rebecca Rakoski, Managing Partner at XPAN Law Partners and Saj Naseem, Chief Information Security Officer CISO from New Jersey Courts on the topic of “Stop the Insanity! Why Health Care Organizations Need to take a New Approach to Cybersecurity and Data Privacy Training.” Employees are one of an organization’s greatest strengths and weaknesses. For years, cybersecurity advocates have argued that trained employees are the only way to safeguard the organization. However, these same organizations engage in training for their employees only to see the next data breach caused by one of these same trained employees. The question then becomes why do we repeat the same exercise expecting a different outcome. In addition, many employees continue remotely and this has created an additional operational hurdle for IT and IT security professionals. Simply put, the basic people problem needs to be redefined and updated using science.
Catherine Short 01:42
On this episode, we will discuss how training using traditional methods has caused greater liability and threats to an organization. Finally, we will review how measuring an employee’s knowledge, attitude and behavior towards cybersecurity can help to create a tailored solution for cyber awareness training and provide a workforce the weapons they need to effectively stave off cyber threats.
Catherine Short 02:09
Before we begin, I would like to mention at First Healthcare Compliance, we strive to serve as a trusted resource for compliance professionals and every month we celebrate their hard work and dedication with our compliance super ninja recognition. For this episode, we’re spotlighting Super Ninja Becky Doolin, office manager at Advanced Vein and Laser Center who says that she enjoys most about working there is that we have a great staff and I enjoy working as a team to give our patients the best care possible.” Congratulations, Becky, our team is honored to have the privilege of working with you.
Catherine Short 02:47
So hello, Rebecca, and Saj. Thank you so much for joining me today on 1st Talk Compliance. Thanks for being here.
Saj Naseem 02:53
Thank you very much for having us.
Rebecca L. Rakoski 02:56
Yes, thanks, Catherine.
Catherine Short 02:58
Nearly every regulation or standard requires training. So why is this so important?
Rebecca L. Rakoski 03:04
First of all, I mean, training is one of the it is required. So that’s the initial thing, right? I mean, most data privacy or cybersecurity regulations require training, HIPAA being one of them, you have to have yearly training under HIPAA. But beyond that, it’s also important because your employees are basically your first line of defense. You know, I like to say all the time that you are you’re literally arming your, your army of, of your employees, they’re the ones who are receiving the phishing emails, they’re the ones who are the hackers are trying to trick in order to, you know, get into systems. And so it’s critically important that regardless of the fact that you have you have this regulatory aspect of it, which is I’m not saying it’s not important, but they are literally These are the people you need to be as informed as possible in order to stave off these attacks. And so beyond just the the check the box which I don’t subscribe to, if you’re going to have to train anyway with regulation, then why not do it in a way that arms these people in and informs them and puts them in the best position to be successful personally in their own career and also to defend the organization from from cyber attacks.
Catherine Short 04:21
Okay, how do companies currently do training?
Saj Naseem 04:26
So currently, what happens, you know, as my experience in you know, as I see, so when working with different CISOs, and over the years in different organizations, typically the way that the training is done is a yearly compliance requirement where somebody will buy a package from, you know, one of the leading vendors and put it into their learning management tool, whatever that may be. And employees are asked to complete their required learning within a month or so. And at the end, they get a certificate and that’s it and generally it’s pretty generic. It’s phishing, it’s, you know, social engineering and topics along those lines, that’s generally what happens. And time to time some organizations, what they do is they’ll send out monthly newsletters in regards to their Cybersecurity Awareness. And that’s about it.
Rebecca L. Rakoski 05:17
Yeah, and I mean, what I see a lot too, particularly with organizations that I represent is that it is it is like a video, they, you know, that they only have to do this this video or, and that’s one of the things that I always do. One of the first things I’m always changing, I’m like, No, no, no, we’re not just doing a video, having interactive regulations, or interactive training is really important.
Catherine Short 05:42
Do you think that the training that companies are currently doing is effective and why or why not?
Saj Naseem 05:48
So the in terms of effectiveness for this week that I can answer that is if you say, like, if you had, if your car was not working properly, you can say that maybe the miles per hour, you know, on when you’re driving long distance is not, you know, it doesn’t go above 60 miles per hour. And so you can have these, that’s a metric that you can use, right? And you can combine that with other metrics in order to see if your car is working effectively, or as you expect. So again, so the and this gets into, you know, how we look at effectiveness? Is it effective? I mean, you can look at it broadly micro macro level, you can say, have the cyber attacks decreased in any way, do we still see employee errors in regards to cyber attacks? And the answer is yes, we clearly do some of the major ones the last couple of years, where is that there was a situation when Marriott bought Starwoods Hotel, and one of the analysts missed a cyber attack from the, I believe, from the Chinese in that example, and just said it was a false positive. And so that’s the human component right there. In addition to that, the Shark Tank star, Barbara Corcoran, one of her, one of her employees, thought she was getting an email from their CFO and sent $400,000 over to basically scammer so these are examples. Additionally, there was an example, for Capital One, where what had happened was when people were they had contracted a third party, and I’m sure Rebecca will get into third parties. And that third party was bragging about how much information they had posted all over the internet about their customers. So in terms of effectiveness, we could see that there’s examples that it’s made me not be effective, at least indicators of that. Additionally, my question would be how are we measuring that and that’s, we’ll get into hopefully.
Catherine Short 07:42
Yeah, and I think it’s important to recognize too that you know, when these when these incidents happened, and I know we talked about this a lot about you know, how it impacts the organization. You know, just from a regulatory fine perspective, Marriott was assessed 18.4 million pounds or euro by the the ICO in Europe related to that data breach. I think that equates to somewhere around a $24 million fine and and the the breach is bringing in the regulator’s it’s not like the EU regulators in Europe, we’re already looking at Marriott, the breaches what brought them in. And so you see this cascading effect of data breach or employee makes an error, data breach occurs, regulatory fine ensues. And it’s a problem it’s problematic for an organization. And so stopping it at at the first level at the employee level becomes more and more critical for for organizations.
Catherine Short 08:39
Of course, we’ve been having this pandemic it’s been going on now for for over a year. How do you think that’s affected cyber security and data privacy training?
Rebecca L. Rakoski 08:49
One of the things is that it’s changed the landscape of the way organizations do business, okay, we are no longer all sitting in an office together. And so to some degree with to a large degree, really, it’s changed the way we do business fundamentally, and I’m not sure we’re ever going to go back fully to pre pandemic business practices. So we need to rethink the way we’re doing training for our employees because it’s that same old playbook is not going to is not going to work like same stuff different day. That’s not what we’re dealing with anymore. Things have changed and we need to change with it. And beyond that, like as we were just saying, it’s just simply not effective. Why Why keep beating our head hence the name of our I think our initial webinar was the stop the insanity with the definition of insanity is doing the same thing over and over again, and expecting a different result. And yet we train our employees using the same methodology over and over and over again, and we’re not getting a different result. And I think that the the pandemic has highlighted the vulnerabilities and the within our within networks within the network infrastructure, but more importantly, with employees.
Catherine Short 10:01
Why is quantification so important? And don’t our laws just require training?
Saj Naseem 10:08
Concerning training, I mean, you can open up you have regulatory requirements like PCI DSS, Payment Card Industry data security standard, you’re taking in credit cards, there’s usually a checkbox to say, Have you trained your employees is exactly the training that I was speaking about, in your first question, which was concerning just checking the box to say, Hey, listen, my staff have seen 10 or so videos, and they’ve taken a very basic exam. And that’s it. And so the question that I have in all of that, did that work, when you date when they took the exam, you would have to look at, you know, sometimes they when you did the training, and they took the exam, pretty basic, you know, and you know, oftentimes I’ve even seen employees take the exam, and they have the volume off, because it’s pretty easy. We’ll talk about some basic things. So the exam, part of it is one thing. Additionally, the question would be that in a real life scenario, did it actually work? Did the training actually work? And you can just take a simple example, you can get your driver’s license and live right and we’ve we’ve seen episodes, right of Seinfeld, where when you hit a certain Parkway in New York, you know, it’s life altering, and you know, it’s life altering, but you know, it’s very different taking the exam will never prepare you for that. So that’s real life. So the question I have is that is the training, did it prepare them for the different phishing emails, social engineering scams, all that business, email calm, you know, compromised type stuff going on on the industry? Did they prepare for that? And the answer is largely No, right? All we need to find out, right? That’s why the quantification of knowledge, behavior and attitude is important. I’ll coach you something from a Nobel Prize winner, Richard Kleinman, who said, The first principle is that you must not fool yourself and you the easiest person to fool. So in order to try to avoid that, you’ve got to look at the quantification, the numbers, and make sure that it’s connected to what you’re actually trying to do, which is real life.
Rebecca L. Rakoski 12:04
And I think it’s important to keep in mind too, that we know that people click on bad emails, we know people download things they’re not supposed to. And that tells us one part of this puzzle, it tells us that they’re doing it, it tells us that the action has occurred. But what it doesn’t tell us is why the action has occurred. And that’s really what we see is missing from this from these trading that exists currently today. And what Sasha and I are trying to, I guess we rail against is that we keep doing this training and thinking these people are going to stop clicking on this eat on these emails are stopped downloading these bad, you know, bad links, but the reality of it is, they’re not armed in a way that makes them really understand what’s going on behind the scenes. They’re also not we don’t understand why they’re clicking on it, there must be a reason there must be something about the email must be something about what’s going on, and then it goes on inside of them. That makes them want to click and so until you understand the why part of that you’re never going to stop it. I mean, let’s take the example of the pandemic, we knew the point that the virus was spreading, but how was it spreading? Why was it spreading? What were the activities that we were doing in our everyday life that was making this particular virus spread like wildfire. And until we understood that, why we were never able to slow down the spread of the virus? Well, it works exactly the same way in cybersecurity. We don’t when we don’t understand the why behind something we can’t hope to prevent it. It’s basic science, it’s basic logic. And when when we talk about knowledge, behavior and attitude, this k be that massage, and if we work with them, and we measure for different organizations, when you understand the knowledge, behavior and attitude of your employees, you start, you understand the why. And so you can start to figure out how to change attitude, change behavior, increased knowledge, or maybe direct knowledge in a different in a different path. So that these people are you’re actually training them to be effective cyber warriors as opposed to just giving them the same rote training they get every year worth Assange as they, they mute it, and I hate to admit it, but I’ve done it, I’ve done it myself where organizations have said, Look, we’ll take the training and see see how you do and I mute it and I see if I can pass the exam at the end and I’ve I’ve yet to not score 100% so I understand I’m in this industry, but that’s the point is you don’t have you don’t have to watch everything and take the training in order to pass that little test at the end. So how effective is that little test really,
Catherine Short 14:47
Considering that humans are fallible, and that they do things like what you’re talking about, like taking the tests without really paying attention or doing what they want and also are fooled by things like these phishing emails, how do you think that training can ever be effective?
Saj Naseem 15:05
Yes, I mean, so in terms of training being effective, I mean, I think we’re going to go back to the measurement question knowledge, behavior and attitude that has to be measured. If you’re dealing with if you have children, you’re dealing with children, and one of the best things you can do is allow them to make mistakes, ideally, quickly, right? In life, right? make mistakes, and learn from them. And, and learn from them and start to make good decisions, right? That’s just children, right? If you had that, you know, you’re pretty good, you’re doing pretty good. And so what’s going to happen is this, the scams are getting sophisticated, or there’s AI available, people are changing voices, there’s, you know, deep fakes, there’s all kinds of stuff going on. So there’s a certain degree of like, almost street smarts, right, you have to know that the environment is changing. I had a situation I was talking to one of my colleagues, and their dad was who actually worked for the military smart guy, you know, a doctor, the whole thing, and knew all these things, but just for a moment was, you know, when retired was out of touch a little bit, let’s say from the latest things that were going on. And then he got one of those Microsoft calls, right, you know, or fake Microsoft calls, where they were like, Oh, we need to do tech support, your computer’s not working. And then for basically, for half an hour, they’re allowed this fake person or nothing person, but this scammer to log on to their computer, and, you know, installed some malware, and then ask for support or money back, and so on and so forth. Right? Then later on realize, oh, man, this is not going to happen, right. So really, when when we’re talking about quantification, we’re talking about, you know, the environment, you know, we’re in a pandemic, there’s stress, there’s children, people are at home, there’s a lot going on. So the best way to do this, again, is to measure but then moving forward, once you measure, then you’re going to have to see, you may start seeing and I think you will start seeing that maybe the person’s job is maybe they’re in the wrong position, you’ll start seeing different aspects of their personality, different aspects of, you know, how they’re performing at work. In regard to that, I’ve seen examples where we had an employee that was always in public meetings, right, and was an introvert does not want to talk publicly. And after measuring, they did pretty good or, but then I noticed that in public, they really had a difficult time talking about security or dealing with security. And then what will end up happening is, I started realizing that they needed to be spoken to privately, and then they started performing better, right, so you’re gonna start realizing some things about them. So again, we don’t have the final destiny, you know, I think the destination is to learn about who we’re dealing with, and then use that in such a way to put people in the right situation, from a security standpoint, and also from their job standpoint.
Rebecca L. Rakoski 17:45
Yeah, because if you’re if you’re just if you’re just trained doing, it’s not a one size fits all right, security, people have been saying this for years. But it says training can’t be a one size fits all, either. What works for some people is not going to work for another, or for others. But when you so when you start to quantify when you start to measure their knowledge, you know, this, you when you start to use this KAB, this knowledge, behavior and attitude, when you start to get this idea of the score, you can then start to see, well, this person needs this type of particular, it’s not about doing things, it’s not about more, it’s about doing it better, and focusing it on the needs of that individual and really personalizing it, if not to an individual, but sometimes to a department even as well. And you see, you know, as you start to build out a program based on this, it becomes much more effective and efficient. What becomes first of all effective, but then your your department actually becomes more efficient as well.
Saj Naseem 18:42
And it also is piggybacking on what Rebecca was saying in the healthcare environment, you guys are used to that. Currently, in the last decade or so, there’s been a large focus large focus for innovators in the space of healthcare for personalized medicine, which means basically, you know, the idea of taking sergeant’s or Rebecca’s genetic code and seeing if medicines will be tailored or personalized for Saj, Rebecca, and so on, so forth, personalized medicine, that’s the thing. This is no different. We realize that some medicines, they work for certain patients, and we’re seeing it also in this COVID period here. They work for majority of patients, maybe but don’t work for some others. And you know, we see this kind of thing. And so one size fits all is not the solution. It’s you know, it just, it maybe checks the box, but it doesn’t really get us to where we want to go to. So we’re talking about personalized information security training, and it’s consistent with the healthcare environment.
Catherine Short 19:39
If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guests today are Rebecca Rakoski, Managing Partner at XPAN Law, Partner’s and Saj Naseen Chief Information Security Officer from New Jersey Courts on the topic of “Stop the Insanity! Why Health Care Organizations Need to take a New Approach to Cybersecurity and Data Privacy Training.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel.
Catherine Short 20:30
So besides just potential issues, how can companies leverage their employees to be assets when dealing with cybersecurity issues?
Saj Naseem 20:40
in order for an employee to be an asset, I mean, this is a whole complex topic. And I’m sure, you know, I mean, management theories and different things have looked into this, in order for an employee to be effective at work and be on the front lines, they have to be engaged at work. So if your employee is bored, and you’re just giving them rote work, or whatever it is that they’re doing, and it’s not really what they want, they’re not going to be engaged, they’re not going to be an engineer security either, potentially, right, we have to measure that. But potentially, right, that potential reality there. And we see things and again, you can go back to learning everybody’s a different kind of learner. Most people are visual learners, but some people are not. And some people, introvert, some people are extroverts, again, this is all the difference again, gets into all these types of issues. So in order for them to be effective, you have to put them in the right position, then you have to hold them accountable. So that gets into some management things. Again, the measurement is important. Once the measurement is there, you’re going to learn more, I’ll give you I gave you the example of that one employee in the last question, who did not want to speak publicly. And I’ll give you another example. So I’m also a professor at the University, we had a course on healthcare information security this past semester, at St. John’s University, I was teaching, and we had one of these students who’s really bright, you know, 4.0 student, and she was like, it just seemed like to me that she was never challenged. She’s just so smart. But she was never challenged. So we had a course and we flipped the script, what we did is we started to ask her questions in a real life environment, when a data breach happened and kept pushing her and pushing her. And, and, in a way, I was a bit concerned that maybe she was being pushed too much. But at the end of the semester, she wrote the sweetest note to me saying that I’ve never seen something like this, you know, like, she got pushed, and she, she really liked it, she felt like engage, one size does not fit all. And once you measure, you’re going to have to learn about your employees. For some employees, it’s going to be really easy to be compliant. And that’s great. And that’s fine, there’s going to be some employees you’re going to need to do more work with and again, that’s where the management and the function will come in, where you will have to see what they’re going to get into what brecha can get more into that.
Rebecca L. Rakoski 22:48
It’s a great point is that but when you when you’re measuring your employees, what we recommend to be clear is that you measure, you take this KAB score, and based on that KAB score, you’re going to train your employees to tailor that training to to them. This isn’t about more, it’s about better. And then after you do this more focused training, you then can you measure again, and you gives a couple of benefits to the employer one it shows is this employee is this employee thriving in this from a security and privacy perspective, obviously, we’re not talking generally. But if this employee is dealing with highly, highly sensitive information, and they are scoring low with this, and they’re measuring low on the KAB chart, perhaps where they are is not where they need to be. Or maybe we need to make adjustments to access levels and things like that, because we’re not seeing improvement over time. But when you measure, test and measure again, you’re actually able to show improvement for employees, you’re able to provide feedback and actual, you know, metrics to your C suite. And it benefits the organization overall. Because you’re you’re actually able to put employees in positions which are best suited to them, and train them in a way that is suited to them. What we keep doing now is we just give everybody the same training, you’re Oh, you work for us, okay, you’re going to take this to our training course Well, that’s great, but maybe what I do doesn’t necessarily involve sensitive information. Or maybe it involves highly sensitive information. Well, my training should be geared towards that. Maybe I’m really good in the knowledge piece of it but my behavior and attitude scores while we’re okay, we need to we need to adjust the training to address that. Because you know, when you take this one size fits all approach, I have to tell tell you out there, right, you buy a pair of sweat pants, it’s one size fits all, that thing’s not going to look half as good on you as a nice tailored pair of slacks. Right? I mean, that’s just it’s, it’s big, it applies in every area of our lives. That’s why it’s so important. And when we see this continued approach where everybody’s doing it the same way over and over again and we don’t see this improvement. That’s where people like stop I get frustrated because really what we could be doing this better.
Catherine Short 25:04
Well, as we wrap up, do you all have any other advice for us?
Rebecca L. Rakoski 25:08
I’ll go back to kind of where we started from, which is stop doing the same thing over and over again and expecting a different result if your organization is concerned about data breaches. If your organization has experienced a data breach, obviously the training that your employees are getting is not as effective as it could be and you’re missing the why and when you’re missing the why you’re missing half the battle and so you know, you really want to go back think about that look at be able to measure your employees and I would encourage your listeners to reach out to massage and myself you know, we’re we’re on LinkedIn as well we’re our email address and you know, we’re happy to have these you know, more in depth conversations, but you know, just stop, stop doing it over and over again, because your your, I hate to say you’re doing it wrong, but you’re doing it wrong.
Catherine Short 25:53
Thank you so much, Rebecca and Saj. Really, really appreciate having you here today. So thanks so much.
Rebecca L. Rakoski 25:59
Always a pleasure to talk with you, Catherine. Thanks for having us.
Catherine Short 26:02
Thanks to you, too. And thank you so much to our audience for tuning into 1st Talk Compliance. We always appreciate you as well. You can learn more about the show on our programs page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at email@example.com I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind