Kaspersky Lab has released a report revealing significant deficiencies in the cybersecurity training provided to healthcare employees.
The study was conducted by surveying 1,758 healthcare employees in the United States and Canada. Kaspersky Lab, a vendor of cybersecurity software, instigated the study to investigate potential causes for the substantial increase in cybersecurity breaches in recent years. Since January, there have been 200 reported breaches of more than 500 records, signalling that 2019 could be another record-breaking year for healthcare data breaches.
Kaspersky Lab researchers discovered that almost a third of surveyed healthcare employees (32%) said they had never received cybersecurity training in the workplace. This figure offers valuable insight into why so many cyberattacks on healthcare organizations succeed.
Providing a robust and thorough cybersecurity training course to employees is an essential first line of defence against cyberattacks. Employees lacking such training may struggle to recognize or defend against cyberattacks, such as phishing emails. Hackers are designing increasingly sophisticated emails that closely mimic legitimate communications from organizations. It is difficult for those unaware of such attacks to spot these emails, and as such, healthcare employees must be trained on how to identify and deal with phishing emails.
Cybersecurity awareness is so essential to data protection that the Health Insurance Portability and Accountability Act requires covered entities (CEs) to provide such training to all employees.
Kaspersky Lab found that even organizations which provide training to their employees often fail to create a thorough and complete training course. Around 11% of respondents said they received cybersecurity training when they started work but had not received any training since, despite experts recommending regular sessions. A further 38% of employees said they were given cybersecurity training each year, and a fifth (19%) of healthcare employees said they had been provided with cybersecurity training but felt it had been insufficient.
Around a third (32%) of respondents said they had been provided with a copy of their organization’s cybersecurity policy but had only read it once, and 1 in 10 managers were not aware whether their company had a cybersecurity policy at all. Nearly 40% of healthcare workers in the United States were unaware of the cybersecurity measures protecting IT devices at their organization.
In addition to looking specifically at cybersecurity training, the researchers investigated how organizations dealt with general HIPAA training.
The report indicated ‘significant gaps’ in employees’ knowledge of regulatory requirements. For instance, 18% of respondents were unaware of what the Security Rule meant, and only 29% of respondents were able to identify the correct meaning of the HIPAA Security Rule.
To combat the inadequacies in employee knowledge, Kaspersky Lab researchers recommend hiring a skilled IT team that understands the unique risks faced by healthcare organizations and has knowledge of the tools that are required to keep protected health information safe and secure.
The report emphasized the importance of organizations tackling the data security and regulatory knowledge gaps. The organization’s IT security team must ensure that every member of the workforce receives regular cybersecurity training. Senior management must take responsibility to ensure that employees are fully aware of the requirements of HIPAA.
The report also recommended organizations conduct regular assessments of security defences and compliance. Companies that regularly check their cybersecurity framework can identify and address vulnerabilities before hackers exploit them.