A Kaspersky Lab survey has revealed that nearly a third of all healthcare workers do not receive any cybersecurity training from their employers.
The results are part of a survey the cybersecurity research group completed in response to the enormous spike in large data breaches seen since January 2019. Kaspersky Lab researchers surveyed 1,758 healthcare workers in the United States and Canada to ascertain how the looming threat of a cyber attack is being dealt with by healthcare organizations.
The researchers discovered that 32% of those surveyed stated that their employer failed to offer any cybersecurity training while at work.
This oversight is significant. Employees must be adequately trained to identify and respond to the vast range of threats posed by hackers. Healthcare data, in particular, has a significant black market value, so hackers often put great care into launching sophisticated attacks with a high chance of success.
If employees are not even trained in the basics of cybersecurity, there is little hope that they can adequately defend the organization against sophisticated attacks.
In addition to putting patients at risk of identity theft or fraud, organizations are violating the Health Insurance Portability and Accountability Act by failing to provide adequate training to their workforce.
Providing basic training is often not enough; employers have a responsibility to remind their workforce of cybersecurity risks continuously. Healthcare organizations often fail at this hurdle too; 11% of respondents said they were given cybersecurity training when they began work but had not received any training since. A further 38% of workers said they were given cybersecurity training every year, and nearly a fifth (19%) of healthcare employees said they had been given cybersecurity training but did not feel they had been trained adequately.
Nearly a third (32%) of respondents said their managers had given them a copy of their group’s cybersecurity policy, but they had only read through the document once.
The problems are seen higher up in the organization too; 1 in 10 managers was not aware that their company had a cybersecurity policy.
Kaspersky Lab also investigated employee knowledge of one of the most important pieces of healthcare legislation in the United States, HIPAA.
The researchers identified significant gaps in employees’ knowledge of regulatory requirements. For example, 18% of respondents were unaware of what the Security Rule meant, and only 29% of respondents were able to define the correct meaning of the HIPAA Security Rule.
In their report, Kaspersky Lab experts recommend hiring a skilled IT team that understands the unique dangers faced by healthcare groups and has knowledge of the tools that are required to keep protected health information safe and secure.
They also recommended that IT security leaders in each organization make sure that all members of the workforce receive regular cybersecurity training and are fully conscious of the obligations of HIPAA.
It is also essential to carry out regular assessments of security defences and compliance. Companies that review their cybersecurity framework regularly can identify and address flaws before hackers exploit them.
Data breaches are not only expensive but can cause irreparable reputational damage. Although the initial burden of breach mitigation is significant, it is small in comparison to dealing with the adverse consequences should a breach occur.