Role-based cybersecurity training gains urgency in healthcare

DELAWARE, UNITED STATES — A stark 71% of employees admit to actions that risk organizational security, a 2024 Proofpoint Report reveals.
HealthTech Magazine’s Teta Alim writes that this has triggered a pivotal industry shift from generic, compliance-driven training to targeted, role-specific programs designed to actually protect data and patient care.
Security vs. compliance: Why healthcare needs tailored training
The fundamental realization is that effective cybersecurity is not synonymous with compliance. Ryan Witt, Vice President of Industry Solutions at Proofpoint, views security and compliance as two distinct disciplines.
“In the actual safeguarding of data and of an institution, security and compliance are two distinct disciplines,” he said.
This difference is crucial in high-risk areas such as healthcare, where protecting the privacy of sensitive information deserves more attention than checking a regulatory box.
Employees often take necessary risks as part of their job functions, such as HR downloading resumes or IT help desks verifying credentials.
Proofpoint’s data shows these roles receive the “lion’s share of attacks,” making them prime targets for threat actors, including nation-states seeking to monetize valuable research data.
“But these trainings need to support them so that they can fulfill their roles and still have safeguards in place. After all, they’re the ones who are getting the lion’s share of the attacks,” Witt explains.
Training must therefore be customized to support these vulnerable positions, equipping staff with the contextual knowledge—like an understanding that an oncologist is unlikely to be in an emergency department—to spot sophisticated scams.
Bite-sized, real-time learning to counter AI-driven threats
To be effective, the delivery of cybersecurity education must also evolve. The industry is pivoting away from lengthy annual modules toward shorter, more frequent bite-sized trainings. These can be rolled out on the fly in response to a cyber event, and they serve as convenient, topical refreshers that account for how quickly a single annual session is forgotten.
This development is necessary to counter emerging AI-driven malicious threats such as deepfakes, subtly altered versions of genuine media or content that are designed to deceive.
This requires nurturing a culture of greater scrutiny, possibly by applying sandbox technology to examine suspicious content before it is trusted. The long-term aim is to take the focus off individual human targets and ensure that security practices facilitate rather than hinder work processes, so that patients receive uninterrupted care.
“If your institution doesn’t have the right security posture in place, and you have no ability to provide patient care for a period of time, you are not living up to your mission,” Witt stresses.

Independent