Building a culture committed to protecting data in healthcare organizations requires better communication, understanding what roles different workers play in cybersecurity and, sometimes, some creative competition.

A session at HIMSS 2017 in Orlando focused on how to best reach workers from the C-suite down to “the break room” on cybersecurity concerns. To Michael Kaiser, executive director of the National Cyber Security Alliance, that doesn’t mean a one-size-fits-all message throughout an organization.

“We really talk about cybersecurity as our shared responsibility, that everybody has a role, and your role is different at the board room than it is at the break room,” Kaiser said. "Everybody has to know what their role is, what they’re supposed to be doing, what they do that contributes to the security of the whole organization.”

To achieve that, Kaiser and other presenters said communication strategies have to change. He alluded to professionals who feeling security measures limited what they can do, when the perception should be cybersecurity “enables you to do more.”

Lance Spitzner, MBA, director of information security (IS) trainer at the SANS Institute’s Securing the Human division, works with cybersecurity programs across many different industries. He sees a common challenge in organizations that don’t effectively communicating their security strategies to employees, with IS professionals addressing everyone as if they have the same level of comfort and expertise with cybersecurity technology.

The result: Security seems “scary, confusing (and) intimidating.” To get around that “curse of knowledge” from IS professionals, he recommended letting other departments with different skill sets handle communications on security strategies.

“I’m seeing organizations around the world having the most effective awareness programs led by English teachers, graphic designers, sales and public relations,” Spitzner said.

Simple messaging still needs to resonate with employees. Mayo Clinic’s IS director, JoEllen Frain, said the oft-repeated warnings to use multiple, complicated passwords aren’t going to work if the organization isn’t providing workers a way to manage those different logins.

Changing their behavior may require some creative solutions. Many in the audience said they were using proactive phishing emails to test employees’ awareness of these kind of attacks, though fewer were sharing the results of those test beyond the C-suite. To get healthcare professionals to stay engaged and not become fatigued by the phishing tests, Frain said she encouraged departments within Mayo to compete against each other on recognizing those phishing emails.

“So we put up a scorecard that shows how radiology is doing in comparison to anesthesiology,” Frain said. “Then to watch the communication and the traffic—they’re highly competitive. They don’t want their peers to outperform them.”

That level of engagement from healthcare professionals hopefully goes beyond the competition, with departments recognizing sending real phishing emails back to the IS team.

“You know you’re doing a good job when they don’t trust your emails,” Spitzner said.