Building a Culture of Cybersecurity in Your Health System

Health systems are continually being attacked by bad actors. Having strong systems and programs in place is vital to mitigating cybersecurity attacks. Health systems are proactively purchasing and enhancing their security infrastructure. While health systems continue to enhance security tools and programs, it is critical for them to also establish a culture of cybersecurity awareness.

With this in mind, KLAS recently asked several security and privacy firms for their advice on the following question: How can health systems and payers continually boost their culture around cybersecurity? 

The following healthcare-focused cybersecurity firms provided a response:*


The process for building a culture of cybersecurity awareness begins with an organization’s board. The board must have a basic understanding of cyber risk management terms and concepts to provide effective communication and oversight. One way to kick-start the process is to begin including cyber risk management as a regular agenda item at board meetings. Information and discussion about the organization’s specific cyber risks, the status of the organization’s enterprise cyber risk management program, and education about best practices should be part of every board meeting. Do not wait until a cyber incident has occurred to start having these conversations at the board level.


Cybersecurity awareness can’t simply be an annual training exercise; cybersecurity awareness needs to be postured and embedded as a core part of the culture of an organization, from the tone at the top on down. 

The board of directors must be engaged and educated on current cyber threats and associated issues. Further, organizations need to initiate awareness campaigns across all employees and third parties on how significantly today’s threats can compromise the systems and data that organizations depend on to provide patient care. Campaigns should include discussion on the privacy of patient information and the handling and usage of that information.

Impact Advisors: 

Communication is important, but engagement is the key to building security awareness and cultural development. With increasing volumes of clinical and compliance messaging, keep the employee’s attention by engaging them specifically. Focus on specific groups of staff with targeted messaging delivered at a time and place relevant to their job function, and utilize their upper management for reinforcement. Create participation elements, such as phishing campaigns, to stimulate engagement and diminish unwanted behavior. Consider marketing to a group of staff through promotional items and events that convey reinforcing messages for that group. Avoid overcommunicating, engage users to reduce risk, and capture metrics to drive improvement.

Intraprise Health:

Providers that have increased compliance with cybersecurity policies and best practices use a two-pronged approach to foster a culture of cybersecurity awareness. Fundamentally and per HIPAA, security leaders need to implement comprehensive and continuous training programs, and they need to address user behavior, which is just as important. There are individual differences, especially in patient care settings, underlying cybersecurity behavior. We recommend designing training programs and security reminders with these three considerations in mind: present training and security reminders with engaging and dynamic content ideally tailored to different roles and functions; reward good behavior while penalizing bad behavior; and highlight the consequences of poor cybersecurity practices.

Fortified Health Security: 

Humans are the common thread in cybersecurity breaches—having weak passwords, falling for phishing scams, and making poor decisions resulting in malware infections. The list goes on. As a result, forward-thinking cybersecurity teams are focusing on ways to enable and empower users with Security Awareness Training (SAT). 

With SAT, employees become active participants in recognizing and reporting potential security threats, and that result enhances an organization’s enterprise security stance. SAT also cultivates a culture of cybersecurity awareness, instilling confidence around employees’ habits and making employees feel included in protecting the safety of the entire organization because cybersecurity awareness is woven into the fabric of the organization’s culture.

Meditology Services:  

Establishing culture is about getting a group of people to behave consistently without having to think on the fly. It’s about creating muscle memory such that everyone in an organization acts in a secure way by default. The way to achieve muscle memory is through continual training and practice. Some of the most effective awareness training vehicles include ongoing phishing simulations, tabletop exercises with various stakeholder groups, vignette-style role-based training, and routine dialog with the workforce. Don't bore your users with hours of nonsense repetitive training. Keep it real, keep it short, and keep it interesting. Finally, measure your program to gauge progress over time.


Payers and providers should focus on the “people” part of cybersecurity, providing information and resources to help educate their workforces to make smart decisions, whether on the job, at home, or at school—now and in the future. Encourage staff to create their cyber awareness campaigns and share this message with their peers:

  • Think before you click: recognize and report phishing.
  • Update your software: don't delay—if you see a software update notification, act promptly. 
  • Use strong passwords: use password managers to generate, remember, and encrypt passwords. 
  • Enable multifactor authentication (MFA): MFA makes you significantly less likely to get hacked.


Cybersecurity is a journey and not a destination. Continuing education and concerted efforts to strengthen security programs and tools are essential to start stemming the tide in cybersecurity.

For additional insights about the firms that participated in this article, go to KLAS' data on security and privacy consulting services and our data on security and privacy managed services.

*Responses were limited to 100 words.

Photo credit: maxsim, Adobe Stock