More than one-quarter of employees in the U.S. never went through cybersecurity training, according to a new report.
While the healthcare industry continues to be a goldmine for hackers, many healthcare workers are still not receiving cybersecurity training.
More than 25% of employees surveyed in the U.S. said they never went through training conducted by their workplace — but think they should have, according to a new report from global cybersecurity company, Kaspersky.
“Ongoing trainings must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious,” said Rob Cataldo, vice president of U.S. enterprise sales at Kaspersky. “Cybersecurity awareness training is key to promoting an employee culture of vigilance where employees take pride and do their part to protect their patients and overall organizations.”
Employees of healthcare organizations in the U.S. and Canada lack cybersecurity and awareness in three main areas, including regulation, policy and training, the findings also revealed.
The online survey, conducted by research firm Opinion Matters, included more than 1,700 employees working at healthcare organizations in North America. Respondents included ranged from doctors and surgeons to admin and information technology (IT) staff.
Healthcare providers in the U.S. are legally obligated to protect sensitive patient healthcare information (PHI) because of the rise in industry cyberattacks. The Health Insurance Portability and Accountability Act (HIPAA) requires measures to protect the PHI of patients in the U.S.
But not all employees are aware of what the HIPAA rule means. Nearly 20% of U.S. respondents reported such negligence. Only 29% identified the correct meaning of the HIPAA security rule.
“These results bring to light the alarming amount of healthcare industry employees that do not understand the PHI laws their government puts in place to protect patient confidentiality,” Kaspersky researchers noted. “With a clear lack of knowledge about the regulations meant to keep PHI safe, healthcare workers are widening the gap for cyberattackers to breach their IT systems and exploit sensitive patient information.”
Not only do employees not know the meaning of the HIPAA rule, many are not aware of the cybersecurity policy at their own work place. In total, 34% of employees reported not being aware of their organization’s policy. Of that percentage, 17% said they should be aware if there is a policy, while 17% said there is no need for them to be aware of it.
A cybersecurity policy is meant to offer guidance to employees for securing company data and technology infrastructure and how to properly report suspicious activity.
Healthcare organizations also put measures in place to protect IT devices like computers and mobile phones.
In the U.S., 64% of respondents said they were aware of such measures.
“The results of the survey show that knowledge of regulatory requirements is missing or too low,” said Matthew Fischer, chair of Health Law Group and partner for Mirick O’Connell. “The lack of awareness creates unnecessary risks.”
Kaspersky experts suggest hiring a skilled IT team who understands the security risks in the healthcare industry. This team should implement proper protections and establish and effectively communicate to employees a clear policy to increase cybersecurity awareness.
Health system leaders should also focus on training their employees who are on the frontlines of attacks every day.
“Organizations of all sizes and resources must ensure that their staff can adequately recognize malicious attacks and who to report them to,” Kaspersky experts noted. “It is also imperative that healthcare enterprises employ IT leaders who prioritize cybersecurity trainings and regularly update employees with new strategies and policies to minimize the potential impact of a breach.”
Get the best insights in digital health directly to your inbox.