Study Reveals Large Gaps in Healthcare Security Awareness Training


The number of healthcare data breaches being reported by HIPAA regulated entities has reached record levels. As of today, 507 data breaches of 500 or more records have been reported to the HHS’ Office for Civil Rights. Those data breaches have affected 35,120,969 individuals.

Hacking incidents have dominated the breach reports in 2021, and one of the most common ways that hackers gain access to healthcare data is through phishing. Phishing emails sent to healthcare employees use social engineering techniques to trick them into installing malware or disclosing sensitive information such as their login credentials.

HIPAA regulated entities are required to provide security awareness training to the workforce, which involves teaching cybersecurity best practices to eradicate risky behaviors and raise awareness of cyber threats employees are likely to encounter, including how to recognize and avoid phishing and social engineering attacks.

A new report published by the security awareness training company KnowBe4 suggests security awareness training is lacking at many HIPAA regulated entities, which leaves them at risk of cyberattacks and data breaches. The report is based on a survey conducted on 1,000 randomly selected U.S. employees from a range of different industries that sought to identify the level of cybersecurity training that is being provided by employers.

The survey revealed COVID-19 had an impact on security awareness training. Around half of respondents said they were provided with continuous cybersecurity and data privacy training, but a quarter of respondents said training stopped due to COVID-19 lockdowns.

The healthcare industry ranked second, behind government, for providing continuous cybersecurity training to employees in 2020, with over 55% of respondents from the healthcare sector saying cybersecurity training continued throughout the lockdowns. Worryingly, 24% of respondents from the healthcare sector said privacy and security training had never been provided by their employer, even though such training is a requirement for HIPAA compliance.

The survey also revealed there was confusion about whether HIPAA compliance was necessary. 61% of healthcare employees knew their organization was required to comply with HIPAA, but 19% were not sure. 20% said they knew or believed that their employer was not a HIPAA covered entity. There was also confusion about whether other privacy and security regulations applied, with around half of respondents unaware if their organization was required to comply with the California Privacy Rights Act (CPRA), EU General Data Protection Regulation (GDPR), and the Family Educational Rights and Privacy Act (FERPA).

“The fact that such a large proportion of employees is simply not sure whether their employer is subject to various privacy regulations does not bode well for organizations’ ability to adequately process information that is subject to privacy regulations,” explained KnowBe4.

The survey also found that employees in the healthcare industry were the least aware of social engineering threats such as phishing, with only 16% of healthcare employees saying they understood these threats very well.

Providing security awareness training reduces susceptibility to cyberattacks and data breaches. Data show employees that are provided with training once a month are 34% less likely to click on suspicious links in emails than employees that receive security awareness training once or twice a year.

The report shows the healthcare industry needs to improve security awareness training. Doing so will reduce the risk of data breaches and fines for noncompliance with HIPAA training requirements.