Healthcare security culture steadily improving, but gaps remain

Healthcare security culture maturity gaps can make the sector vulnerable to increased cyber risk, KnowBe4’s Security Culture Report suggests.

By Jill McKeon

As the healthcare and pharmaceuticals sector continues to face a high volume of cyberattacks, maintaining a strong security culture remains a crucial element of maintaining a strong security posture. KnowBe4’s 2024 Security Culture Report, which assesses security culture on a global scale, found healthcare to be in the “low-moderate” range of security culture maturity, despite the heightened risks the sector faces.

KnowBe4 defines “security culture” as the “ideas, customs and social behaviors that influence an organization’s security.”

“Security culture is best understood as the collective mindset, practices and norms that shape how an organization approaches and prioritizes security,” the report stated. “This encompasses shared knowledge and thinking patterns, ingrained habits of staff and employees’ demonstrated behaviors in any setting where they carry out their professional duties.”

In order to gauge security culture, KnowBe4 created the Security Culture Maturity Model, which takes a data-driven approach to assessing security culture. Researchers evaluated culture across seven disciplines, including behaviors, communication, and compliance.

Next, researchers scored organizations using KnowBe4’s Security Culture Index, with scores ranging from “poor” to “excellent” on a scale of zero to 100.

Based on this methodology, the healthcare and pharmaceuticals sector received a score of 73, placing it in the low-moderate range. This score was consistent with last year’s results.

“While the sector’s scores in most dimensions remained consistent, there were notable enhancements in specific areas,” the report noted.

Healthcare saw single-point improvements in the categories of employee attitudes, behaviors, organizational norms, and responsibilities, as well as a two-point increase in comprehension, meaning that more employees have an understanding of security matters.

However, cognition and responsibilities remained stagnant across healthcare. KnowBe4 evaluated cognition as an employee’s understanding, knowledge, and awareness of security issues, and defined responsibilities as how employees perceive their role in sustaining or endangering the organization’s security.

Considering the patient safety and operational risks associated with healthcare data breaches and cyberattacks, healthcare is a sector that requires vigilance from all areas of its workforce when it comes to security. What’s more, employee security training and awareness are particularly crucial in this industry, where phishing remains one of the top attack vectors.

“Overall, the report suggests that employees in the healthcare and pharmaceuticals sector are moving in the right direction in terms of security awareness, but there’s still work to be done to reach a robust security culture,” KnowBe4 added.

Improving security culture in healthcare or any industry requires communication, leadership buy-in, and plans to influence behaviors on an organizational scale, the report suggested. Researchers also emphasized the importance of flexibility when fostering a security culture that is resilient amid a changing threat landscape.

“Keep in mind that cyber crime is a continually evolving threat that shows no signs of diminishing. Instead, it’s escalating with each passing day, becoming increasingly complex and pervasive,” the report continued. “You must remain vigilant, always ready to preemptively address shifts in the landscape. Flexibility is key and you should be prepared to adjust your course swiftly if the threat demands it.”