A new report from Kaspersky finds that employees of healthcare organizations in the U.S. and Canada lack cybersecurity education and awareness in three main areas: regulation, policy and training. Across these areas, the most alarming statistic was that nearly a third of respondents in North America (32 percent) said that they had never received cybersecurity training from their workplace, but think they should have.
The report, “Cyber Pulse: The State of Cybersecurity in Healthcare – Part 2,” uncovers several key findings that directly correlate to the increasing number of hacking and IT-related incidents occurring in healthcare organizations across North America. The quantitative study was conducted by research firm Opinion Matters via an online survey targeting 1,758 employees in a variety of roles, ranging from doctors and surgeons to admin and IT staff, working at healthcare organizations in North America.
When respondents were surveyed on healthcare regulations, the main finding was a lack of awareness of the federal regulations in place in both the U.S. and Canada to keep patient information safe and secure. According to the report, nearly a fifth of U.S. respondents (18 percent) reported they did not know what the HIPAA Security Rule meant. In Canada, nearly half of respondents (49 percent) said they didn’t know if Canadian PHI needed to stay in Canada.
“The results of the survey show that knowledge of regulatory requirements is missing or too low,” said Matthew Fisher, chair of Health Law Group and partner for Mirick O’Connell. “In working with many clients and talking with others across the healthcare industry, the results are not surprising given the number of erroneous statements made about regulatory requirements and the misuse of regulations as the reason not to engage in an action that is actually permissible. The lack of awareness creates unnecessary risks.”
In addition to regulations, healthcare policy proved to be another area where healthcare professionals lack both awareness and education. Over a fifth of respondents (21 percent) in North America admitted that they were not aware of the cybersecurity policy at their workplace. When breaking down the results by region, just over a third (34 percent) of respondents in the U.S. and just over a quarter (27 percent) of respondents in Canada said they were aware of the cybersecurity policy at their workplace, but had only reviewed it once.
Since the majority of healthcare organizations store patient information electronically, it is of paramount importance that healthcare practitioners know how their IT devices are being protected. Forty percent of all North American respondents were not aware of the cybersecurity measures in place at their organization to protect IT devices. When examining if the size of an organization had an effect, a lack of awareness of device security increased with size, with small businesses reporting 53 percent, medium businesses 39 percent, and enterprise businesses 36 percent.
The survey also evaluated respondents on the level of cybersecurity training they received in their workplace. According to the findings, there is a dramatic need and desire from employees for increased cybersecurity training in their organizations. Nearly 1 in 5 respondents (19 percent) said there needed to be more cybersecurity training by their organization. When comparing the results by region, over 24 percent of respondents in the U.S. noted they had never received cybersecurity training but should have, compared to 41 percent of respondents in Canada when asked the same question.
“In addition to regulation and policy awareness, training remains an essential part in keeping healthcare organizations safe from potential breaches,” said Rob Cataldo, vice president of U.S. enterprise sales at Kaspersky. “Ongoing trainings must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious. Cybersecurity awareness training is key to promoting an employee culture of vigilance where employees take pride and do their part to protect their patients and overall organization.”
As the results show, it is imperative for healthcare organizations to prioritize cybersecurity to better serve their patients and keep their private healthcare information safe. Security experts from Kaspersky suggest hiring a skilled IT team that understands the healthcare industry’s unique security risks to put the proper protections in place. Additionally, it will be important for IT teams to establish a clear cybersecurity policy and effectively communicate that policy to employees on an ongoing basis for increased awareness. Increased training for employees should also remain an area of focus, as employees are on the frontlines of potential cybersecurity attacks each day.