Cybersecurity Workforce Development

Cyber training and education to fortify your environment against security threats

Workforce Cyber Behavior Programs

Awareness, Skills Development, Coaching, and Executive Briefings

Information security for healthcare systems involves a coordination of product, process, and personnel. Most healthcare organizations are making considerable investments in cybersecurity hardware and software. To improve resilience, those physical asset investments must be matched by a consistent effort to develop the workforce. Few organizations are using an iterative approach to personnel education across the enterprise. Every member of the workforce is accountable for security risks; however, without monitoring and measuring employee behavior it is difficult to understand the current posture, much less define a desired future state.

First’s Workforce Development experts are able to identify, assess and help manage cybersecurity risk associated with team dynamics, education gaps, and awareness efforts. Through more formal evaluation models, iterative approaches to education and dynamic courses, we can help your program fit into a larger framework while helping to determine the cause-and-effect relationship between workforce education and business outcomes.

Each successive section of the course builds upon lessons from earlier sections in order to comprehensively strengthen your ability to help your healthcare facility cope with illegal hackers, botnets, malware, ransomware, medical devices, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with IT security. Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis of and response to the risks and opportunities surrounding open-source intelligence gathering.

Workforce Education & Awareness Services

  • On-Site Privacy and Security Classes (below)
  • Program Assessment, Development and Implementation
  • Training, Coaching, Briefings and On-site Classroom Curriculum
  • LMS System Selection and Optimization
  • UBA User Behavior Analytics
  • Phishing Programs
  • Gamification/Advanced Tabletops
  • Content and Marketing Programs
  • Reward Programs

Program Assessment, Development and Implementation

First’s methodology for determining your current workforce education and awareness posture is unique to healthcare. By evaluating specific employee clusters and using a defined maturity model, your assessment can act as a roadmap to making critical security decisions and prioritizing opportunities for improvement towards a target state. First is able to leverage its advisory talent, training and coaching experience, and knowledge of recognized practice to go beyond assessment to implementation and consistent resilience.

First Workforce Education Courses

Cybersecurity Essentials

Cybersecurity Essentials begins the transition from general Security Awareness to an early level of competency with the technical foundations of a security program, supporting an employee’s role with respect to IT systems. This course is designed for IT professionals, software developers, financial professionals, database managers, clinical engineering staff, and technical clinicians who work closely with, or develop, your healthcare organization’s information systems.

Regardless of your organization’s size and growth rate, there are certain basic concepts that form the foundation of any effective IT security program and environment. This Cybersecurity Essentials course provides employees with a higher level of security material, which allows for the development or evolution of a more robust awareness program. Cybersecurity Essentials gives employees a familiarity with – and the ability to apply – the core knowledge set needed to protect electronic information and systems. All individuals who use computer technology or its output products, regardless of their specific job responsibilities, must know these essentials and be able to apply them.

Topics covered in the course include:

  1. Authentication, Authorization, Accountability
  2. Cryptography Fundamentals
  3. Data Protection
  4. Information Security Principles and Risk Management
  5. Networking Foundations
  6. Networking Security
  7. Security Policy and Procedures
  8. Defense in Depth Principles for Systems Security

The material contained in this course will help your employees bridge the gap that often exists between business processes/procedures and the technology employed to support them. Employees will learn and be able to demonstrate key concepts of information security, including: understanding the threats and risks to information and information resources, identifying best practices that can be used to protect them, and learning to diversify your protection strategy.

Contact First to Learn More

Defending Healthcare Data and Systems

Prepare yourself for the most significant challenge facing healthcare facilities today. Malicious actors first targeted government systems, followed by assaults on the financial and then the retail communities. Today attackers are finding that fruitful attacks can be launched on healthcare systems, and malware is preying on the underprepared members of the healthcare industry. The targeting and theft of sensitive health information, along with the ransoming of system data, require today’s healthcare leader to have a clear understanding of relevant legislation and of how to measurably defend patient data and related systems.

The Defending Healthcare Data and Systems course is designed to provide attendees with an orientation to current and emerging issues in healthcare information security and regulatory compliance. The class provides a foundational set of skills and knowledge for students through the integration of case studies, hands-on labs, and defensible control considerations for securing and monitoring electronic protected health information (“ePHI”).

Topics covered in the course include:

  • Review of actual healthcare attacks and incidents
  • Examination of ‘why’ and ‘how’ patient data is being targeted
  • Mitigating the damage resulting from an incident
  • Review of the critical elements of the HIPAA Security Rule
  • How to automate controls in support of the HIPAA Security Rule
  • HITECH/21st Century Cures Act and other key regulations
  • Review of security controls to identify and mitigate both insider and external attacks
  • NIST and HITRUST Frameworks
  • Explanation of security frameworks, controls, and practical countermeasures
  • Sensitive asset identification and hardening
  • Introduction to data loss prevention (DLP)

Hands-on exercises covered include log monitoring and analysis techniques, vulnerability assessment, asset encryption, and configuration analysis.

Contact First to Learn More

How to Fund and Build a Secure Healthcare Organization

Healthcare organization leaders now realize that cybersecurity breaches can cost their organization plenty in terms of financial liability and patient perception. They know they need to address information security; however, information security has historically been perceived as a cost center and therefore has not been viewed favorably. Your attendance in this class will help you develop the information you need to change your organization’s unfavorable view of security expenditures into a favorable one, where cybersecurity investments support and extend the business.

The biggest challenge for cybersecurity professionals is simply getting and keeping the funding source necessary to carry out a security program. There are a large number of tools, techniques and procedures available on how to deal with the never-ending, ever-expanding list of threats, and literature on security best practices is widely available. However, you will find that little information or guidance is available on how to prepare for the critical budget discussion on the funding necessary to gain and maintain a strong cybersecurity posture.

Most funding requests are supported by an ROI (return-on-investment) analysis. However, information security funding requests are traditionally viewed as an expense, not an investment. To be presented in ROI language, security investments must be measured against the potential liability caused by security breaches.

Topics covered in the course include:

  • Developing your pitch
  • Finding a sponsor
  • Identifying the right framework
  • Developing your risk-reward curve
  • Creating examples for reassurance
  • Showing the right metrics
  • Explaining the business value proposition
  • Exploring self-funding to lessen costs
  • Using the right buzzwords while avoiding scare tactics
  • Bringing in the supporting role of expert opinion
  • Creating the final request and presentation

Contact First to Learn More

Key Metrics in Healthcare Security - Gaining Visibility & Increasing Communication with the Board

Every healthcare organization and its executives are fully aware of the impact cybersecurity threats can have on their business. Based on all indications, this is only the beginning. The intensity and frequency of attacks targeting our field are only going to increase over the next several years. Resources are required to address security, but this often leads to an approach where organizations are broadly doing good things without focusing on the activities that have an enterprise-wide impact.

The approach that many healthcare organizations take to address information security risk is: hire people and spend money. Key metrics show progress and bolster the board of directors’ (BoD) enthusiasm for funding. Built on decades of experience, this half-day course shows how CISOs and CIOs can gain added visibility into their organization, efficiently track key security metrics and create an executive dashboard to increase board communication and provide greater clarity for executive stakeholders.

Topics covered in the course include:

  • Identifying key indicators of compromise in hospitals
  • Tracking and monitoring key metrics
  • Creating an effective real time security dashboard
  • Gaining executive visibility into the overall security
  • Communicating key security objectives to the BoD

In our work with many healthcare organizations, we have found the root cause of this lack of focus to be minimal use of metrics-driven, easy-to-absorb information. Creating dashboards with proper metrics that accurately show the true state of security across the entire healthcare organization is a critical communication tool. This course not only identifies the key indicators of compromise for healthcare organizations and how to address them, but, more importantly, it provides details on which metrics should be tracked and how to create executive-level real-time monitoring of security issues. By evolving from reactive to proactive security measures, organizations can properly prevent, detect and respond to cyber-attacks.

Contact First to Learn More

Healthcare Cybersecurity and the Law: Pre- and Post-Breach Action Planning

In healthcare, it is more important than ever that in-house and outside counsel stay abreast of the most current developments and best practices in cybersecurity.

This course is designed to work with legal teams and senior management to prepare them for data breaches and minimize their potential legal exposure by drafting internal policies and procedures, as well as contractual provisions, regarding the discovery, investigation, remediation, and reporting of breaches. The course examines a number of recent incidents to show the extent to which a breach can reach across a healthcare organization and analyzes what is required under applicable laws. This course also covers the law of business, contracts, fraud, crime, IT security, liability and policy – all with a focus on electronically stored and transmitted records within a healthcare organization. It also teaches how to prepare credible, defensible reports, whether for cyber-crimes, forensics, incident response, human resource issues or other investigations. The course also provides training and continuing education for many compliance programs under information security and privacy mandates such as GLBA, HIPAA, FISMA, and PCI-DSS.

Topics covered in the course include:

  • Enforcement of HIPAA and other healthcare data security laws
  • Understanding the legal and political adversaries of a health entity’s data security program, including diverse regulators, politicians, news media and class action lawyers
  • Confusion over the interpretation of laws and regulations applicable to healthcare data security
  • Measures for reducing legal risk in data incidents and breaches, including invocation of attorney privileges of confidentiality
  • Procurement and negotiation of cyber insurance by healthcare entities
  • Procurement and negotiation of technology products and services, with a view to improving data security and compliance
  • Legal responsibilities of executives and boards of directors to address data security
  • Smart techniques for executing cyber investigations

Contact First to Learn More