One-fourth of healthcare workforce lacks cybersecurity training, study finds
One in four U.S. healthcare workers has never received cybersecurity training from their employer, according to a new report by Kaspersky, a cybersecurity firm. Another 19% believe there is no reason to receive cybersecurity training at work.
The report’s findings uncover a stunning lack of cybersecurity training among healthcare workers, leaving healthcare information technology (IT) systems—and electronic protected health information (ePHI)—vulnerable at a time when the healthcare sector leads all other industries in cybersecurity breaches.
In addition to lack of training, the results suggest insufficient awareness of institutional cybersecurity policies. According to the report, 34% of U.S. healthcare workers are unaware of their company’s cybersecurity policy while 14% are aware of their company’s policy but never read it.
“Understanding your company’s security policies, procedures and incident reporting channels is crucial to protecting not only the company’s infrastructure, but also patient data,” Brian Bartholomew, principal senior security researcher at Kaspersky, said in the report. “In addition, security awareness training aids an employee in understanding how an attacker thinks, what they’re targeting, how to recognize attacks and what to do in the event one may occur.”
Many U.S. healthcare workers are also unfamiliar with the federal security standards that govern ePHI. According to the report, about one in five healthcare workers does not know what the HIPAA Security Rule means; the rule requires covered entities to safeguard ePHI and to ensure that their workforce complies with those safeguards. Fewer than one-third of respondents were able to identify the correct meaning of HIPAA.
“The results of the survey show that knowledge of regulatory requirements is missing or too low,” Matthew Fisher, chair of the Health Law Group and partner at Mirick O’Connell, said in the report. “The lack of awareness creates unnecessary risks.”
The report recommends that healthcare organizations create a skilled IT security team, implement ongoing cybersecurity training for every employee regardless of job title, and communicate a straightforward cybersecurity policy.