Improved data privacy and security employee training programs will greatly benefit healthcare organizations as they work to keep pace against evolving cybersecurity threats, according to recent research.
Seventy percent of employees across numerous industries lack the awareness needed to stop preventable cybersecurity attacks, MediaPro found in its 2017 State of Privacy and Security Awareness Report. Among healthcare employees specifically, 78 percent showed some lack of preparedness for common privacy and security threat scenarios.
Researchers used the same survey that underpinned the 2017 general report and interviewed 1,009 US healthcare employees.
Approximately one-quarter of physicians and other types of direct healthcare providers showed a lack of phishing email awareness. Eight percent of non-provider employees, including office workers, showed the same lack of awareness.
Twenty-four percent of healthcare employees had trouble identifying a handful of common signs of malware, twice the proportion of respondents in the general population survey.
“Beyond training geared toward HIPAA compliance, healthcare employees need a comprehensive approach to awareness education that includes security and privacy awareness,” researchers explained. “Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example. Additionally, mere compliance does not equate to a fully security-aware culture.”
Researchers also divided healthcare employees into three types of risk profiles: Risk, Novice, and Hero.
Individuals in the Risk category “put their organizations at serious risk for a privacy or security incident.” Novices have a good understanding but could improve, while Heroes can “identify and properly dispose of personal information, recognize phishing attempts and malware, and keep information safe while working remotely.”
Only 22 percent of healthcare employees fell into the Hero category, with 41 percent qualifying as Novices, and 37 percent put in the Risk profile.
With phishing specifically, 18 percent of healthcare employees identified phishing emails as legitimate ones, compared to 8 percent of the general population.
“The most mis-identified email of the four examples presented was an email from a suspicious ‘from’ address containing an image attachment,” the report stated. “Doctors were three times worse at identifying phishing emails than their non-physician counterparts.”
Healthcare employees were also less aware than the general population when it came to physical security. One-third of healthcare workers took unnecessary risks in scenarios involving granting others access to their office buildings.
Twenty-three percent of healthcare employees failed to report numerous potential data privacy or security incidents. This included unsecured personnel files and computers possibly containing malware.
Eighteen percent of healthcare employees also took more risk when presented with scenarios on cloud computing, such as sending work documents via personal email. Eleven percent of respondents in the general population chose the same type of risky actions with the cloud.
Healthcare employees also showed a lack of risk awareness with mobile computing and working remotely. Twenty-six percent of surveyed healthcare workers opted to log on to an unsecured, public WiFi network to complete work tasks, the survey showed.
“Organizations of all types are best served when their whole employee population knows the importance of sound security principles,” the research team concluded. “Such a state comes from multifaceted and integrated awareness programs, not just training.”
Phishing attacks are not going to cease anytime soon, with other reports showing the need for improved prevention, detection, and mitigation strategies for all sectors.
Wombat’s 2018 State of the Phish Report found that nearly 75 percent of organizations experienced phishing attacks in 2017, and nearly half of surveyed information security professionals said the rate of attacks had increased from 2016.
Fifty-three percent of companies reported they had experienced a targeted attack (spear phishing).
Email/spam filters (97 percent), advanced malware analysis (47 percent), outbound proxy protection (44 percent), and URL wrapping (31 percent) were the most common technologies used to combat phishing attacks.
"Social attacks take advantage of employees trying to be helpful so it stands to reason that social awareness of attack methods plays a critical role in protecting against phishing," 451 Research Senior Security Analyst Eric Ogren said in a statement. "Enterprises with corporate phishing education programs empower employees to help protect themselves and the business."