Healthcare Employees Lack Cybersecurity Education and Awareness
Employees of healthcare organizations in the U.S. and Canada lack cybersecurity education and awareness in three main areas: regulation, policy and training. The most alarming finding was that nearly a third of respondents in North America (32 percent) said they had never received cybersecurity training from their workplace but think they should have.
The report, “Cyber Pulse: The State of Cybersecurity in Healthcare – Part 2,” from Kaspersky, uncovers several findings that directly correlate to the increasing number of hacking and IT-related incidents occurring in healthcare organizations across North America.
According to the report, nearly a fifth of U.S. respondents (18 percent) reported they did not know what the HIPAA Security Rule meant. In Canada, nearly half of respondents (49 percent) said they didn’t know if Canadian PHI needed to stay in Canada.
Beyond regulation, workplace policy proved to be another area where healthcare professionals lack both awareness and education. Over a fifth of respondents (21 percent) in North America admitted that they were not aware of the cybersecurity policy at their workplace. Broken down by region, 34 percent of respondents in the U.S. and 27 percent of respondents in Canada said they were aware of the cybersecurity policy at their workplace but had only reviewed it once.
Since the majority of healthcare organizations store patient information electronically, it is of paramount importance that healthcare practitioners know how their IT devices are being protected. Forty percent of all North American respondents were not at all aware of the cybersecurity measures in place at their organization to protect IT devices, the report says. Lack of awareness of device security varied with the size of the organization: small businesses reported 53 percent, medium businesses 39 percent and enterprise businesses 36 percent.
According to the report, there is a dramatic need and desire from employees for increased cybersecurity training in their organizations. Nearly 1 in 5 respondents (19 percent) said their organization needs to provide more cybersecurity training. By region, more than 24 percent of respondents in the U.S. noted they had never received cybersecurity training but should have, compared to 41 percent of respondents in Canada.