Breathing New Life Into Healthcare Cyber Security

Our Customer: Major UK healthcare provider

Their Industry: Healthcare

Location: United Kingdom

Number of Employees: 5,000

Taking Care of Southwest England

When people in the southwest of England need medical treatment or specialist care, it’s likely they’ll find themselves relying upon the services of this leading healthcare provider (name withheld for privacy reasons).

Taking care of a population of around 430,000 people is a big responsibility for the 5,000 staff. Their 750 beds provide acute care and specialist health services at three main hospitals across the region.

While the medical staff take care of the patients, the IT team take care of the technology and security. With a big workforce, multiple locations and sensitive patient data at stake, maintaining high levels of data security is paramount.

An Environment of Safety and Security

“We’re an IT department that works across the whole county,” says John (name changed to protect privacy), the Service Operations Manager, “so it's really important that we can talk to all our customers.”

Under his guidance, the team had introduced a number of measures to strengthen their security posture – improved proxy servers, firewalls and 365 endpoint protection, as well as an IT service management system where staff record suspected phishing emails.

Successful cybersecurity is partly technical, partly educational. But while the technical measures were robust, communications to staff were an area of concern.

“We have managed training every year,” John explains. “But we were very bad about going out and getting feedback from clinical colleagues and administrative colleagues about how the messages were working, and whether we were getting the format right, whether it was sinking in at all.”

A moment of clarity suddenly brought the issue home to him. “I was chairing a working group in cybersecurity, when I really went into what we were doing for user education around this, other than some really long emails. What could we demonstrate? And there was very little.”

We know people don't read emails… You don't know how many people are actually paying attention or clicking through.

John - Service Operations Manager

Major UK healthcare provider

The Risk of Missed Messages

The issue was not only low readership of employee communications. It was also the risk this posed to the organization's data security.

“Over-communication is a problem,” John says. “We know people don't read emails, but it was very hard with the systems we had to tell who was reading what. You didn't know how many people were actually paying attention or clicking through.”

The problem was exacerbated by the different departments sending out messages – each of them with different objectives, but all using the same communication channels.

“Security Managers would send out emails about ‘there has been an attack at a different hospital, this is what happened, you need to be more careful’,” he explains. At the same time, the Corporate Comms team were creating and broadcasting their own messages.

“They're really interested in getting a daily and weekly message out to their staff which isn't an email,” he continues. “It really made them disappointed that staff weren’t engaging with it.”

But what were the teams doing wrong – and how would knowing this allow them to fix it?

Communications Which Hit the Target

Two of the biggest drivers of message success are formatting and relevance. Are messages easy to consume, and does what they say matter to the audience?

Lengthy emails were a common culprit. Busy staff haven’t the time or desire to wade through them while balancing their workload. John agrees: “One of the biggest communication challenges is getting everybody to format messages in a way that's easy for people to understand.”

Equally important was the lack of proper audience targeting. Messages on specific topics were sent to all staff, regardless of their location, department or role type. Unsurprisingly, lack of targeting leads to low relevance, which results in low (or no) readership.

John tells of IT messages concerning network maintenance being sent to nurses and doctors. The technical jargon was meaningless to clinical staff, making this the wrong type of message for the audience. “That's the challenge for me. Making sure the right message is getting to the right people at the right time.”

Targeting was crucial. “We want to talk to 70 people, not 7000 people at once, because that's just noise for them,” he says. “We needed a better way to communicate than email.”

User education is one of the top things you've got to get right to protect yourself.

John - Service Operations Manager

Major UK healthcare provider

A Campaign Approach to User Education

John's IT team were instrumental in introducing SnapComms. The multi-channel platform provided the right communications mix to effectively reach their staff, along with built-in features to improve cut-through.

It would soon prove essential to staff education campaigns around cyber security awareness. A typical Information Security campaign might run for three weeks with two or three messages per week.

Pop-up desktop notifications reminded staff of best practice and informed them of how to stay safe online. Targeting capabilities increased readership by sending relevant content to staff. Tracking and reporting made results available in real-time.

And the outcome? “More people got the message. We have confirmation that people had seen that. When we have an event or need to get out a message quickly, now it's being read.”

Finding a Cure for Phishing and Compliance

The IT team also found SnapComms invaluable for two key components of cybersecurity: phishing attacks and compliance.

“We did a simulated phishing attack,” John explains. The results were a major cause of concern for him and his team. But using SnapComms, they were able to target messages only to those employees who clicked the link, engaging them in further education and training.

The organization also needed to comply with stringent data security requirements from the Department of Health. Checks were made to ensure the hospital was taking responsibility around patient data and business data. “If we don't meet the criteria, there are fairly serious consequences,” he says.

The exhaustive list of checks included examples of cyber security events, how they were managed, and evidence of robust education provided to staff around cyber security. SnapComms Compliance messaging and tracking helped enormously.

“You've got to demonstrate that you have an effective communication strategy and have some evidence that messages are getting through,” he explains. “So that kind of reporting from an audit point of view is very useful. We could tick the box about user education, and we could demonstrate for audit purposes that people read the messages. That was key for us.”

Despite the ongoing risk of cyber-crime, the Service Operations Manager and his team are well-equipped to meet the threat. Their formidable technical protections are now enhanced with a communication platform to improve user education. SnapComms is proud to be helping this essential organization with its cyber security risk mitigation program.

The best thing about SnapComms is that it's quick and easy. You know the message has got to your user base. You get that instant feedback.

John - Service Operations Manager

Major UK healthcare provider
