Hospital CISO: Personalizing security training generates buy-in

Personalizing security training can help drive home the message for users and top healthcare management alike, according to Dave Summitt, chief information security officer of the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Florida.

That's because attacks "aren't just against organizations," but also "individuals," he says in an interview with HealthcareInfoSecurity. Summitt focuses training on helping people see the effects of a compromised identity, bank account or health record, and helping people secure their own workstations at home and at work.

“When you make it more personal, people take a little more notice,” he says.

Healthcare organizations struggle with a lack of understanding at top management levels of how serious attacks can be, and with getting qualified and experienced cybersecurity pros on board. Many organizations' information security departments just aren't large enough to handle the problem, according to Summitt.

They lack an understanding of exactly what their network is supposed to look like normally, what applications are really doing, where those applications sit within the organization, and all the places where protected health information resides, he says.

“If you don't know where that is, or what it's supposed to look like, it makes it very challenging to protect those assets,” Summitt says.

Regulations, he believes, are driving improvements, and with stories of healthcare breaches in the news, top executives are taking notice.

“That, to me, is the biggest thing that can change an organization--that higher-level awareness and understanding of what’s going on, so they can apply the proper resources.”