A new Kaspersky Lab study has shed light on why healthcare organizations are so susceptible to data breaches.
For the study, Kaspersky Lab researchers surveyed 1,758 healthcare professionals in the United States and Canada to determine the state of cybersecurity in healthcare. One of the main aims of the study was to ascertain why the healthcare industry is experiencing so many data breaches.
At the time of the study, more than 200 data breaches of more than 500 records had been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). If data breaches continue to be reported at the current rate, 2019 will be yet another record-breaking year.
Healthcare data breaches are now being reported at a rate of more than one a day. Even though the risk of a cyberattack is higher than ever, healthcare organizations are failing in one of the most basic elements of cybersecurity: providing cybersecurity training to employees.
Healthcare employees cannot be expected to be security conscious, or to know how to identify threats such as ransomware and phishing attacks, on their own. They need to be made aware of the threats they are likely to encounter and need to be trained to identify malicious emails and websites. Security awareness training is so important that HIPAA requires healthcare employees to receive regular security awareness training.
Based on the responses to the survey, it appears that many healthcare organizations are not providing staff with a sufficient level of training, if training is provided at all. 32% of healthcare employees said they had received no cybersecurity training, and 11% said they had only received training when they joined the company. A further 19% said they had been provided with cybersecurity training but felt that it was not enough.
Given the frequency of attacks and the constantly changing tactics, a once-a-year cybersecurity training session is no longer enough. Training should be provided much more frequently to make sure employees are aware of the latest threats. 38% of employees said they only receive training once a year.
32% of healthcare employees had been provided with a copy of their employer’s cybersecurity policy but had only read it once, and, alarmingly, 10% of healthcare managers were not even sure whether their company had a cybersecurity policy.
Knowledge of HIPAA was also found to be lacking. 18% of respondents did not know what the HIPAA Security Rule meant and only 29% of surveyed employees were able to identify the correct meaning of the HIPAA Security Rule.
If healthcare organizations fail to train their employees to recognize threats, then when a threat arrives in an inbox it is likely to result in a costly data breach. If OCR investigates and discovers that employees have not been trained, a major financial penalty could also be issued.
Kaspersky Lab recommends hiring a skilled IT security team that understands the risks faced by healthcare organizations and knows which tools need to be implemented to prevent data breaches. Healthcare organizations also need to check their cyber pulse regularly to make sure that security standards are maintained and that vulnerabilities are identified and addressed before they are exploited.