Survey Finds Healthcare Employees Lack Cybersecurity Education

A new report from Kaspersky finds employees of healthcareorganizations in the U.S. and Canada are lacking cybersecurity education andawareness in three main areas including regulation, policy and training. Ofthese key areas, the most alarming statistic found that nearly a third ofrespondents in North America (32 percent) said that they had never receivedcybersecurity training from their workplace, but think they should have.

The report, “Cyber Pulse: The State of Cybersecurity inHealthcare – Part 2,” uncovers several key findings that directly correlate tothe increasing number of hacking and IT related incidents occurring inhealthcare organizations across North America. The quantitative study wasconducted by research firm Opinion Matters via an online survey targeting 1,758employees in a variety of roles ranging from doctors and surgeons, to admin andIT staff working at healthcare organizations in North America.

When surveying respondents on healthcare regulations, themain findings concluded that there is a lack of awareness of federalregulations in both the U.S. and Canada in place to keep patient informationsafe and secure. According to the report, nearly a fifth of U.S. respondents(18 percent) reported they did not know what the HIPAA security rule meant. InCanada, nearly half of respondents (49 percent) said they didn’t know ifCanadian PHI needed to stay in Canada.

“The results of the survey show that knowledge of regulatoryrequirements is missing or too low,” said Matthew Fisher, chair of Health LawGroup and partner for Mirick O’Connell. “In working with many clients andtalking with others across the healthcare industry, the results are notsurprising given the number of erroneous statements made about regulatoryrequirements and the misuse of regulations as the reason not to engage in anaction that is actually permissible. The lack of awareness creates unnecessaryrisks.”

In addition to gaining insights on regulations, healthcarepolicy proved to be an area where healthcare professionals are also lacking inawareness as well as education. Over a fifth of respondents (21 percent) inNorth America admitted that they were not aware of the cybersecurity policy attheir workplace. When breaking down the results by region, just over a third(34 percent) of respondents in the U.S. and just over a quarter (27 percent) ofrespondents in Canada said they were aware of the cybersecurity policy at theirworkplace, but have only reviewed it once.

Since the majority of healthcare organizations store patientinformation electronically, it is of paramount importance that healthcarepractitioners know how their IT devices are being protected. Forty percent ofall North American respondents were not aware of cybersecurity measures inplace at their organization to protect IT devices. When examining if the sizeof an organization had an effect, a lack of awareness of device securityincreased with size with small business reporting 53 percent, medium businesses39 percent, and enterprise businesses at 36 percent.

The survey also evaluated respondents on the level ofcybersecurity training they received in their workplace. According to thefindings, there is a dramatic need and desire from employees for increasedcybersecurity training in their organizations. Nearly 1 in 5 respondents (19percent) said there needed to be more cybersecurity training by theirorganization. When comparing the results by region, over 24 percent ofrespondents in the U.S. noted they had never received cybersecurity trainingbut should have, compared to 41 percent of respondents in Canada when asked thesame question.

“In addition to regulation and policy awareness, trainingremains an essential part in keeping healthcare organizations safe frompotential breaches,” said Rob Cataldo, vice president of U.S. enterprise salesat Kaspersky. “Ongoing trainings must be implemented for employees so they havea better understanding of what to look for and the actions to take should theyfind something suspicious. Cybersecurity awareness training is key to promotingan employee culture of vigilance where employees take pride and do their partto protect their patients and overall organization.”

As the results conclude, it is imperative for healthcareorganizations to prioritize cybersecurity in their industry to better servetheir patients and keep their private healthcare information safe. Securityexperts from Kaspersky suggest hiring a skilled IT team who understand thehealthcare industry’s unique security risks to put the proper protections inplace. Additionally, it will be important for IT teams to establish a clearcybersecurity policy and effectively communicate that policy to employees on anongoing basis for increased awareness. Increased training for employees shouldalso remain an area of focus as employees are on the frontlines of potentialcybersecurity attacks each day.