CISOs: Get your message across to get employees on board with better security

BOSTON—Multiple mechanisms are required to keep your organization safe from its biggest threat—insiders. A panel of CISOs discussed their organizations’ strategies during a session at the Privacy and Security Forum.

Insider threats include malicious people as well as innocent clinicians trying to take care of patients, said Anahi Santiago, CISO at Christiana Care Health System.

A lot of problems stem from people just doing their jobs and inadvertently doing something wrong, said John Houston, CISO at UPMC.

Whoever causes the problem, “if you don’t have visibility, you can’t protect it,” said Chad Wilson, CISO at Children’s National Medical Center.

To train employees effectively, you need to use multiple mechanisms, said Santiago. “Death by PowerPoint is not effective. Reach them where it’s meaningful—in their daily lives, personal lives with things that they can do at home but also bring to work. Online training is necessary. Wherever somebody will listen to me I will speak.”

Houston joined UPMC about a year-and-a-half ago to a staff of about 50 doing inpatient security. Those employees were split between security, including running tools and investigating problems, and human-factors security, including raising awareness. He is in the process of rolling out a new, comprehensive training program for the IT staff that includes information on how to build better systems and how to be aware of information security while they are designing systems, rather than testing the systems afterward. “We want to be smarter upfront about implementing security.”

Online training was really effective the first year, said Wilson, but people get really acclimated to it. “So, we started about a year ago meeting with people on the floor. We do rounds three times a month in clinical areas.” That made a huge difference, he said. They’ve also been able to track some metrics around that. Educating employees about weaponized attachments helped them go from a 20 percent click rate to below 10 percent. When they relaxed the rounds, they saw that click rate climb back up, showing that a constant effort is needed.

Houston said he’s also made an effort to keep the lines of communication open. “The nurse educator can be your best friend because she can get you in with new nurses.”

One of the most powerful tools for generating awareness is a data loss protection alert system, said Santiago. When her organization first implemented that, the number of incidents spiked and was unmanageable. Four years later, it was almost nonexistent. The constant reminder by the tool to the user is “really, really powerful.”

Houston said UPMC has tools to track people inappropriately looking at information. “You can’t always get out in front of bad activity. Sometimes you have to be really agile on the backend and take quick action. Being a better reactor is a big part of the job.”

He sent out an e-card to test employees and more than 30 percent responded so he knew he had to follow up with a lot of reinforcement.

People are going to get upset about such tests, said Santiago. But having a one-on-one conversation can be powerful. “Make it personal. Most people aren’t unreasonable. For the most part, people want to do the right thing. We’re trying to educate for the better of the entire organization. The majority of the time people walk away feeling educated and like we’ve addressed the issue.”

“The more education you do, the more you’re going to do because people forget, threats change, it’s a neverending cycle. Don’t rely on technology to solve the problem. This is a people problem. Your people are being attacked directly. Your organization is receiving the negative press and repercussions but they’re attacking you, me, everyday individuals.”

When people recognize that you’re watching, you will start to see behavior change. Putting enforcement in the hands of each employee’s manager is “incredibly effective at changing behavior,” said Houston.

Wilson said Children’s National has a huge turnover rate for its nursing staff—up to 40 percent. “With that high volume it’s really important to keep that message going.” A new group of nurses starts every two weeks. He gets his message out during their onboarding, but if they click on a phishing email, they go back in the pool for reeducation.

Houston cautioned against overwhelming new employees. A daylong orientation program means individuals probably will only remember one or two things about privacy and security. “I’ve gone to the philosophy that you have to catch them up. Mock phishing is a great tool. There’s nothing better than one person doing something wrong and getting fired for it. Everyone hears about it and is less inclined to do it.”

“Education is not a point in time event,” said Santiago. “You need to be continuous about the delivery of information. Be greedy—use any opportunity to get the message across. I have a list of 35 vehicles I use to get information out there.”

Remember that you’re affecting productivity, said Houston, so you need effective ways to get out the message—ones that don’t necessarily cost the organization.

Beth Walsh, Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
