Healthcare Report: An End-User Cybersecurity Check-Up

From phishing attempts to ransomware attacks, it’s no secret that the healthcare industry is a prime target for cybercriminals. And risky end-user behaviors are only adding to the seriousness of that threat.

Our new State of Security Education: Healthcare report can help healthcare organizations gain a better understanding of the end-user knowledge gaps that are affecting their security postures and increasing risk. This report is a valuable resource for any information security professional who is planning and executing a security awareness training program within this industry.

Quantifying the Threat to Healthcare

The fast-paced healthcare field stores, manages, and shares an enormous amount of data, and the speed of doing business is taking its toll. A recent survey of US physicians by Accenture and the American Medical Association finds that 83% have experienced some form of cyberattack in their practices, with phishing as the most common vector (55%). These attacks can interrupt clinical practices and even affect patient safety.

Another major concern is the security of patient records, which have been compromised on a vast scale — and at great cost. Globally, the estimated cost of a healthcare data breach is $380 per record — more than twice the $141 average across all industries. With medical records offering a wealth of personal information (like Social Security numbers, financial data, and medical histories), it’s no wonder that cybercriminals are targeting healthcare organizations.

Healthcare-Specific Data and Analysis

Each year, we compile data across a range of industries, providing analysis about the cybersecurity topics end users struggle with, and the measures proactive organizations are taking to raise awareness and knowledge levels in an effort to manage end-user risk. This information forms the basis of our annual State of the Phish™ and Beyond the Phish® reports.

The State of Security Education: Healthcare report takes a deeper look at the healthcare-specific data we collected in 2017 and explores how medical staff and other end users in this industry are performing on cybersecurity assessments across a range of topics. In it, we analyze responses gathered via nearly 85 million questions asked and answered about 12 security topics in our Security Education Platform. We also share data culled from tens of millions of simulated phishing attacks sent over a 12-month period via our platform.

The report presents healthcare-specific data on the following security topics:

• Protecting and Disposing of Data Securely
• Protecting Mobile Devices and Information
• Protecting Confidential Information
• Identifying Phishing Threats
• Using the Internet Safely
• Common Security Issues
• Working Safely Outside the Office
• Protecting Against Physical Risks
• Using Social Media Safely
• Protecting Yourself Against Scams
• Building Safe Passwords
• Avoiding Ransomware Attacks

The report explores each of these 12 topics in detail, presenting data that reflects healthcare employees’ understanding of important cybersecurity issues.

Some Bright Spots, But Still Work to Do

According to our data, healthcare professionals are outperforming other industries on some important security topics, including use of social media platforms and ways to avoid ransomware attacks. But end users in this space fall behind many other industries in their understanding of data protection and disposal techniques, missing an average of 28% of questions about this topic. With data safeguards so necessary to overall healthcare security, this high percentage of questions missed shows room for improvement.

A Check-Up for Your Security Awareness Program

Understanding cybersecurity threats is one thing — what about reducing the risk? The report includes information on how frequently most healthcare organizations are making use of security awareness and training. What’s troubling is that half of these organizations rely on once-a-year training.

Such infrequent training might be just enough to comply with regulatory requirements, but it fails to produce satisfactory knowledge retention. Instead, healthcare organizations should focus on presenting small pieces of information with greater frequency and reinforcing these lessons over time, as we emphasize in our cyclical Continuous Training Methodology.

The good news is that effective security training does really work for the healthcare industry. We have seen with our customers that applying our cybersecurity education tools can help healthcare organizations reduce their vulnerability.