
Healthcare CIO And CISO Provide 68,000 Employees With Security Awareness Training

Northwell Health uses phishing simulation, posters, newsletters, intranet postings, and screensavers as teaching aids

Steven T. Kroll

Northport, N.Y. – Apr. 4, 2019

Northwell Health, New York’s largest private employer and one of the nation’s top healthcare systems, has an innovative and well-orchestrated program for training its employees on how to detect and avoid phishing scams — which can otherwise lead to ransomware and other types of damaging cyberattacks.

CIOs and CISOs should team up on educating their organization’s employees on cyber threats, according to John Bosco, chief information officer, and Kathy Hughes, chief information security officer of Northwell Health, which employs a whopping 68,000 people.

The healthcare industry has been one of the most cyber-attacked industries for the past five years. Personal health information (PHI) records can fetch upwards of $60 per record. “The data can be used for filing false tax claims, insurance fraud, prescriptions, and obtaining medical services and procedures,” said Hughes. This versatility makes it all the more attractive for cyber thieves. 

Believe it or not, medical records have been digital for only a relatively short time. The transition from paper to electronic record keeping happened around 2010, and since then the healthcare industry has paid critical attention to security. “We probably had a few people in IT security back then. Now we have a very large IT security organization that we spend tens of millions of dollars a year on that we just didn’t do in the past,” said Bosco.



The massive size of Northwell Health’s operations adds to the intense pressure that cybersecurity professionals face, with 23 different hospitals, 700 physician practices, 70,000 endpoint devices, and about 200,000 medical devices — CAT scans, MRIs, ultrasounds, and all the different types of medical equipment.

Additionally, the company has been expanding by one physician practice per week over the last five years, and in 2019 that number is going to be almost double. “Healthcare organizations are very complex, and decentralized organizations like ours really add to the challenge of training and protecting,” said Bosco. This is because each separate practice has its own security culture that may not meet his standards, which is another obstacle.

“Security is our number one priority when it comes to protecting the environment,” said Hughes. “We have a dedicated security team that focuses on training and nothing but training. And we use a variety of methods to try to reach the 68,000 employees.”

An organization as vast and complex as Northwell Health can’t simply have a one-size-fits-all program. That would lead to disaster, so Bosco and Hughes apply many techniques to their security operations. For starters, they publish a plan for the year that’s adjusted according to changes in the environment. This keeps them and their employees up-to-date on the latest threats.

Another aspect of their security awareness initiative is the customization of training content. They design specific modules to appeal to an individual’s role within the system. For example, clinicians need different training from administrators who handle money. Overall, though, the importance of protecting data is paramount.

Then there’s the tried and true method of continuous practice. “We do use a phishing simulation tool that creates phishing campaigns and provides results and all kinds of analytics,” said Hughes.

“I think the key is it has to be constant and ongoing. There’s never a break,” added Bosco.
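The analytics Hughes describes are what turn a simulation campaign into a training signal: which groups are clicking, which are reporting, and whether repeated campaigns are moving the numbers. The script below is an added illustration written for this article, not Northwell’s tooling or the output of any particular simulation product; the record layout, the role names, the sample values and the follow-up thresholds are all constructed assumptions. It rolls results up by role (to drive the role-specific modules mentioned above) and by campaign (to check the “constant and ongoing” cadence is actually improving results).

```python
"""Phishing-simulation analytics: roll up per-recipient results by role and by
campaign, then flag groups that need targeted follow-up training.

Hypothetical example. The record layout and the thresholds are assumptions,
not the export format or defaults of any real simulation tool.
"""
from collections import defaultdict

# Constructed sample data: one record per simulated phishing message delivered.
# "clicked"  = recipient followed the lure link
# "reported" = recipient used the report-phishing button
# Values are illustrative only and are not Northwell Health figures.
SAMPLE_RESULTS = [
    {"campaign": "2019-Q1", "role": "clinician", "clicked": True,  "reported": False},
    {"campaign": "2019-Q1", "role": "clinician", "clicked": True,  "reported": False},
    {"campaign": "2019-Q1", "role": "clinician", "clicked": False, "reported": True},
    {"campaign": "2019-Q1", "role": "clinician", "clicked": False, "reported": False},
    {"campaign": "2019-Q1", "role": "clinician", "clicked": False, "reported": False},
    {"campaign": "2019-Q1", "role": "finance",   "clicked": False, "reported": True},
    {"campaign": "2019-Q1", "role": "finance",   "clicked": False, "reported": True},
    {"campaign": "2019-Q1", "role": "finance",   "clicked": False, "reported": True},
    {"campaign": "2019-Q1", "role": "finance",   "clicked": False, "reported": False},
    {"campaign": "2019-Q2", "role": "clinician", "clicked": True,  "reported": False},
    {"campaign": "2019-Q2", "role": "clinician", "clicked": False, "reported": True},
    {"campaign": "2019-Q2", "role": "clinician", "clicked": False, "reported": True},
    {"campaign": "2019-Q2", "role": "clinician", "clicked": False, "reported": True},
    {"campaign": "2019-Q2", "role": "finance",   "clicked": False, "reported": True},
    {"campaign": "2019-Q2", "role": "finance",   "clicked": False, "reported": True},
]


def summarize(results, group_by):
    """Group records by one field and compute counts and rates per group.

    Returns {group: {"sent", "clicked", "reported", "click_rate", "report_rate"}}.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for record in results:
        bucket = counts[record[group_by]]
        bucket["sent"] += 1
        bucket["clicked"] += int(record["clicked"])
        bucket["reported"] += int(record["reported"])
    summary = {}
    for group, c in counts.items():
        summary[group] = {
            **c,
            "click_rate": c["clicked"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
    return summary


def groups_needing_follow_up(summary, max_click_rate=0.10, min_report_rate=0.50):
    """Groups whose click rate is too high or whose report rate is too low.

    The thresholds are assumed values; an organization would set its own.
    A high report rate matters as much as a low click rate, because reports
    are what let the security team catch a real campaign early.
    """
    return sorted(
        group for group, s in summary.items()
        if s["click_rate"] > max_click_rate or s["report_rate"] < min_report_rate
    )


def campaign_trend(results):
    """(campaign, click_rate, report_rate) in campaign order, rounded to 3 places.

    Used to check that the ongoing cadence is actually improving behaviour
    rather than just producing a spreadsheet once.
    """
    by_campaign = summarize(results, "campaign")
    return [
        (name, round(s["click_rate"], 3), round(s["report_rate"], 3))
        for name, s in sorted(by_campaign.items())
    ]


if __name__ == "__main__":
    by_role = summarize(SAMPLE_RESULTS, "role")
    for role, s in sorted(by_role.items()):
        print(f"{role:10s} sent={s['sent']:3d} click={s['click_rate']:.2f} "
              f"report={s['report_rate']:.2f}")
    print("follow-up training:", groups_needing_follow_up(by_role))
    print("trend:", campaign_trend(SAMPLE_RESULTS))
```

With the constructed data, clinicians are flagged for follow-up (a third of them clicked) while the finance group is not, and the campaign trend shows the click rate falling and the report rate rising between the two campaigns, which is the kind of evidence that distinguishes a reinforced program from the check-the-box approach Metcalf warns about below.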

Another part of the program is the use of posters, newsletters, intranet postings, and screensavers as training tools. The purpose is to keep security top of mind and visible for every employee.

Northwell Health’s security awareness culture impressed Kyle Metcalf, CEO of Inspired eLearning, and an expert on educating employees on cyber threats. When asked about the massive healthcare provider’s practices, he answered that a lot more organizations should follow their example of assessment, training, and reinforcement.

Metcalf cautions, “Folks that are looking to check the box and run a training once, an assessment once, and print out a spreadsheet and call it done — those people are in trouble.”

You can’t compare an annual physical to a healthy lifestyle. That’s the mentality that the Northwell CIO and CISO seemingly bring to cybersecurity, and it’s keeping their employees and patients safe.

Steven T. Kroll is a public relations specialist and staff writer at Cybercrime Magazine.



Sponsored by Inspired eLearning

At Inspired eLearning, we are committed to delivering eLearning solutions of the absolute highest quality, ones which don’t simply check a box, but which drive positive and measurable changes in organizational culture as well. We want to help clients nurture and enhance workforce skills, protect themselves against cyberattacks and regulatory violations, and maximize the return on their investment in organizational training with our eLearning for employees.