Nearly a third of healthcare employees never received cybersecurity training

Aug. 23, 2019
Survey indicates lack of awareness of federal regulations in place to keep patient information safe and secure.

A report from Kaspersky finds that employees of healthcare organizations in the U.S. and Canada lack cybersecurity education and awareness in three main areas: regulation, policy and training, the company announced in a news summary. Of these key areas, Kaspersky says the most alarming statistic is that nearly a third of respondents in North America (32 percent) said they had never received cybersecurity training from their workplace but think they should have.

The report, “Cyber Pulse: The State of Cybersecurity in Healthcare – Part 2,” uncovers several key findings that directly correlate to the increasing number of hacking and IT-related incidents occurring in healthcare organizations.

On healthcare regulations, the main findings show an obvious lack of awareness, in both the U.S. and Canada, of the federal regulations in place to keep patient information safe and secure. According to the report, nearly a fifth of U.S. respondents (18 percent) reported they did not know what the HIPAA security rule meant. In Canada, nearly half of respondents (49 percent) said they didn’t know if Canadian PHI needed to stay in Canada.

Beyond regulations, healthcare policy proved to be another area where healthcare professionals lack awareness as well as education. Over a fifth of respondents (21 percent) in North America admitted that they were not aware of the cybersecurity policy at their workplace. Broken down by region, just over a third (34 percent) of respondents in the U.S. and just over a quarter (27 percent) of respondents in Canada said they were aware of the cybersecurity policy at their workplace but had reviewed it only once.

Since the majority of healthcare organizations store patient information electronically, it is of paramount importance that healthcare practitioners know how their IT devices are being protected. Some 40 percent of respondents were not at all aware of the cybersecurity measures in place at their organization to protect IT devices. Broken down by organization size, the lack of awareness of device security varied, with small businesses reporting 53 percent, medium businesses 39 percent and enterprise businesses 36 percent.

The survey also evaluated respondents on the level of cybersecurity training they received in their workplace. According to the findings, there is a dramatic need and desire from employees for increased cybersecurity training in their organizations. Nearly 1 in 5 respondents (19 percent) said there needed to be more cybersecurity training by their organization. When comparing the results by region, over 24 percent of respondents in the U.S. noted they had never received cybersecurity training but should have, compared to 41 percent of respondents in Canada when asked the same question.

“In addition to regulation and policy awareness, training remains an essential part in keeping healthcare organizations safe from potential breaches,” said Rob Cataldo, Vice President of U.S. Enterprise Sales at Kaspersky. “Ongoing trainings must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious. Cybersecurity awareness training is key to promoting an employee culture of vigilance where employees take pride and do their part to protect their patients and overall organization.”

As the results show, it is imperative for healthcare organizations to prioritize cybersecurity in their industry to better serve their patients and keep their private healthcare information safe. Security experts from Kaspersky suggest hiring a skilled IT team that understands the healthcare industry’s unique security risks to put the proper protections in place. Additionally, it will be important for IT teams to establish a clear cybersecurity policy and effectively communicate that policy to employees on an ongoing basis for increased awareness. Increased training for employees should also remain an area of focus, as employees are on the frontlines of potential cybersecurity attacks each day.