Employee Cyber Hygiene Is Critical to Healthcare Cybersecurity

Poor employee cyber hygiene can endanger even the strongest healthcare cybersecurity architectures.

By Jill McKeon

Proper employee cyber hygiene is crucial to maintaining healthcare cybersecurity, a new report conducted by the Center for Generational Kinetics (CGK) and commissioned by Mobile Mentor suggested.

A survey of 1,500 employees across four highly regulated industries (finance, education, government, and healthcare) found that poor password hygiene and new employee onboarding left organizations vulnerable to cyber risks.

More than a third of respondents admitted to finding ways to work around their organization’s security policies, and 72 percent of respondents reported valuing their personal privacy over company security.

“Navigating trade-offs between endpoint security and employee experience has always been challenging but it has become critical in this post-pandemic world,” the report stated.

“Employers are investing in cyber security initiatives, but as the workforce becomes increasingly distributed and autonomous, employers simply aren’t keeping up.”

The popularity of remote work brought on by the pandemic means that employers must rely heavily on bring-your-own-device (BYOD) policies to maintain operations and security. But while over 60 percent of respondents reported using personal devices for work, only 31 percent said that their organizations had a secure BYOD program.

In addition, over 65 percent of respondents admitted to choosing passwords that are easy to remember, and only 31 percent of respondents said that they used a password manager. Hacking into email accounts is often an easy way for threat actors to access sensitive data, especially since many users improperly use their email accounts to store data.

The healthcare industry especially cannot afford to endure daily data breaches that cause patient care disruptions, protected health information (PHI) exposure, and costly recovery efforts. But organizations are only as secure as their weakest link, making security awareness training even more crucial.

The report found inconsistencies across all industries in terms of security awareness training. While 43 percent of remote workers received security awareness training monthly, only 25 percent of office workers did.

Across all generations and industries, the report found that workers cared much more about privacy than security. Healthcare employees felt the strongest of any industry about protecting personal information.

A recent study from (ISC)² found that the cybersecurity workforce struggled with workforce gaps and extensive burnout accelerated by the Log4j vulnerabilities.

“When a cybersecurity team is staffed appropriately, the disclosure of critical vulnerabilities and other ‘fire drills’ can be investigated and remediated in a timely manner. Investing in existing staff development is one of the many factors that contribute to higher retention,” the report noted.

“Retaining staff means the organization spends less time and resources on continuously hiring and training new staff members, which, in cybersecurity, has a positive impact on the overall cybersecurity posture.”

The combination of a burnt-out workforce and lax employee cyber hygiene has the potential to undermine even the best cybersecurity programs. Healthcare organizations must prioritize not only technical safeguards but also security awareness training and investments in the cybersecurity workforce.