Healthcare Employee Cybersecurity Training is Lacking, Report Finds

A new report shows employee security awareness is lacking, exposing a major gap in healthcare employee cybersecurity training.

By Jill McKeon

Thorough and frequent employee cybersecurity training can ensure enterprise-wide security and prevent cyberattacks, while poor and infrequent training can leave an organization’s network extremely vulnerable to cybercriminals. For healthcare in particular, the latter seems to be the norm, indicating a major need for more healthcare employee cybersecurity training.

A new report conducted by Osterman Research on behalf of KnowBe4 found that employee cybersecurity training leaves significant room for improvement across multiple sectors, including healthcare. Researchers surveyed a random sampling of 1,000 US employees across a variety of industries on how much cybersecurity training they have received and how that knowledge impacts overall security and data privacy.

Less than half of respondents reported believing that it is likely that clicking on a suspicious email link or attachment could infect their mobile device with malware. In addition, 45 percent of respondents reported believing that they do not need to implement additional cybersecurity safeguards because they do not work in an IT department.

About half of respondents underwent continuous cybersecurity and data privacy training throughout the COVID-19 pandemic. But a quarter of respondents reported that their training stopped when lockdowns began.

Behind government, the healthcare sector provided the most continuous cybersecurity training to its employees throughout 2020. Over 55 percent of respondents who worked in healthcare reported that their employer never stopped providing security and privacy training. However, 24 percent of respondents in healthcare said that their employer has never provided security and privacy training.

In addition, the report found that employees were unsure about whether their employer was required to comply with major privacy regulations.

While 61 percent of respondents knew that HIPAA compliance was required for their organization, 19 percent were unsure. The remaining 20 percent knew, or at least believed, that their organization was not a covered entity under HIPAA.

When asked about other privacy regulations including GDPR, the Family Educational Rights and Privacy Act (FERPA), and the California Privacy Rights Act (CPRA), roughly half of respondents were unsure whether the regulations applied to their organizations.

“That’s a problem. As with cybersecurity, employees are the last line in addressing privacy issues, and so they must know that privacy protections must be applied to the customer data they handle,” the study stated.

“The fact that such a large proportion of employees is simply not sure whether their employer is subject to various privacy regulations does not bode well for organizations’ ability to adequately process information that is subject to privacy regulations.”

The report found that government and healthcare employees lag behind other industries in having confidence to address key security issues. Only 22 percent of healthcare employees reported feeling confident that they could describe the negative impacts posed by cybersecurity risks to senior management. In comparison, almost half of technology and finance employees said they felt confident speaking about the issue to senior management.

Employees in the healthcare sector were also the least aware of social engineering threats, including phishing, vishing, and business email compromise. Only 16 percent of healthcare employee survey respondents reported understanding social engineering threats very well.

The findings revealed a need for frequent, engaging, and actionable security and privacy training across all industries. Employees who underwent training once per month were 34 percent more likely to believe that clicking on a suspicious email link is risky than employees who received training only once or twice per year.

“Employees don’t need to become security and privacy experts, but their responsibilities with privacy and/or legal matters need to be made clear,” the study concluded.

“If employees know that they have a responsibility, then it becomes easier to ask the question to seek clarification. Without knowing there is an obligation to adhere to laws or regulations, we will continue to see unsafe behavior perpetrate throughout the organization.”