Third of Healthcare Employees Have Received No Cybersecurity Training

A new Kaspersky Lab study has shed light on why healthcare organizations are so susceptible to data breaches.

For the study, Kaspersky Lab researchers surveyed 1,758 healthcare professionals in the United States and Canada to determine the state of cybersecurity in healthcare. One of the main aims of the study was to ascertain why the healthcare industry is experiencing so many data breaches.

At the time of the study, more than 200 data breaches of more than 500 records had been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). If data breaches continue to be reported at the current rate, 2019 will be yet another record-breaking year.

Healthcare data breaches are now being reported at a rate of more than one a day. Even though the risk of a cyberattack is higher than ever, healthcare organizations are failing in one of the most basic elements of cybersecurity: providing cybersecurity training to employees.

Healthcare employees cannot be expected to be security conscious and to know how to identify threats such as ransomware and phishing attacks without guidance. They need to be made aware of the threats they are likely to encounter and trained to identify malicious emails and websites. Security awareness training is so important that HIPAA requires healthcare employees to receive it regularly.

Based on the responses to the survey, it appears that many healthcare organizations are not providing staff with a sufficient level of training, if training is provided at all. 32% of healthcare employees said they had received no cybersecurity training, and 11% said they had only received training when they joined the company. A further 19% said they had been provided with cybersecurity training but felt that it was not enough.


Given the frequency of attacks and the constantly changing tactics, a once-a-year cybersecurity training session is no longer enough. Training should be provided much more frequently to make sure employees are aware of the latest threats. 38% of employees said they only receive training once a year.

32% of healthcare employees had been provided with a copy of their employer’s cybersecurity policy but only read it on one occasion and, alarmingly, 10% of healthcare managers were not even sure if their company had a cybersecurity policy.

Knowledge of HIPAA was also found to be lacking. 18% of respondents did not know what the HIPAA Security Rule meant and only 29% of surveyed employees were able to identify the correct meaning of the HIPAA Security Rule.

If healthcare organizations fail to train their employees to recognize threats, when one arrives in an inbox it is likely to result in a costly data breach. If OCR investigates and discovers that employees have not been trained, a major financial penalty could also be issued.

Kaspersky Lab recommends hiring a skilled IT security team that understands the risks faced by healthcare organizations and knows which tools need to be implemented to prevent data breaches. Healthcare organizations also need to check their cyber pulse regularly to make sure that security standards are maintained and that vulnerabilities are identified and addressed before they are exploited.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/