Covered entities must ensure that staff members at all levels receive regular and comprehensive healthcare cybersecurity employee training. This is a HIPAA requirement but is also critical to keeping the workforce up to date on evolving IT security threats.
Recent studies continue to show that the human factor can have a great impact on an organization’s healthcare cybersecurity measures. A lack of training could create defensive weaknesses, either through employees purposely compromising data or through inadvertent data exposure.
Eighteen percent of healthcare employees are willing to sell confidential data to unauthorized parties for as little as between $500 and $1,000, according to an Accenture survey. This includes selling login credentials or opting to install tracking software and downloading data to a portable drive, researchers found.
Accenture interviewed 912 employees of provider and payer organizations in the US and Canada.
Respondents at provider organizations were nearly twice as likely to be willing to sell confidential information. Twenty-one percent of provider respondents said they would sell sensitive data, while 12 percent of payer respondents said the same.
Ninety-nine percent of respondents did say that they felt responsible for the security of data, with 97 percent adding that they understand their organization’s explanation of data security and privacy.
Eighty-eight percent of those surveyed said that they did receive security training. However, of those respondents, 17 percent said they still write down their user name and passwords. Additionally, 19 percent said they would be willing to sell confidential data.
Twenty-four percent of employees who said they received quarterly training reported that they still write down user names and passwords. Nearly one-third (28 percent) of staff members with quarterly training said they are willing to sell confidential data.
This indicates that healthcare entities may need to foster a better healthcare cybersecurity culture, researchers explained. Employees must receive quality training, not just frequent training.
“Employees have a key role in the healthcare industry’s battle with cyber criminals,” Accenture Health & Public Service Security North America Practice Lead John Schoew said in a statement.
“As payers and providers invest in digital to transform productivity, cut costs and improve quality, they need a multi-pronged approach to data security that involves consistent and relevant training, multiple security techniques to protect data and continuous monitoring for anomalous behavior.”
A KPMG survey also found that healthcare leaders admit that standard operating procedures for cybersecurity response could be improved.
Fifty-one percent of 154 healthcare and life sciences leaders said that written operating procedures for cyberattack response either do not exist or that they are unaware of what those procedures are for responding to the various types of cybersecurity incidents.
Twenty-nine percent of those surveyed said a lack of training was the biggest cybersecurity defensive weakness, with 20 percent saying that dealing with third parties was the greatest weakness.
“Healthcare IT leaders need to communicate more effectively and frequently about the tremendous risks and potential ramifications tied to cyber incidents, and that includes training,” KPMG Healthcare Cyber Leader Michael Ebert said in a statement. “If you look at cyber strategy as needing people, processes and technology, many organizations are falling short on the process.”
Ebert stressed the importance of communication at healthcare organizations, with entities needing to know the proper cyberattack protocols and response plans.
Approximately one-third of respondents said they did not know what steps their organization took following a data breach or cybersecurity attack. Fifteen percent said that technology upgrades occurred, while 14 percent reported that training was improved.
Seventeen percent stated that a cybersecurity incident led to a staffing or leadership change, while 24 percent reported that they had not had a data breach.
The survey also found that 25 percent of respondents said data compromises from cybersecurity attacks were resolved within a day. Fifteen percent of those surveyed said issues were resolved within “a few days,” while 16 percent reported it could take more than one week to resolve problems.
Training employees in the latest healthcare cybersecurity threats is especially critical with malware and phishing attacks consistently listed as top pain points.
A late 2017 study from Accenture and the American Medical Association (AMA) found that 55 percent of US physicians had experienced a healthcare phishing attack. Overall, 83 percent of respondents were the victims of a cybersecurity attack.
Half of those surveyed added that receiving tips on good cyber hygiene practice would help them stay confident in their organization’s security. Simplifying the legal language of HIPAA (47 percent) and having an easily digestible HIPAA summary (44 percent) were also cited as key tools for improving cybersecurity.
Healthcare organizations must evolve their cybersecurity defense, which includes having regular and comprehensive employee training. Staff members at all levels should understand how their role impacts the overall organizational security.