Assessments are a great way to measure the effectiveness of a security awareness program and identify specific areas of concern. Our 2018 State of Security Education: Healthcare report explores how medical staff and other end users in this industry are performing on cybersecurity assessments across a range of topics. In it, we analyze their responses to assessment questions covering 12 security topics in our Security Education Platform.
Our data indicates that healthcare professionals fall behind many other industries in their understanding of data protection and disposal techniques, missing an average of 28% of questions about the data lifecycle and the handling of personally identifiable information (PII) in general.
Users also missed an average of 26% of questions about protecting confidential information, which should raise concern among healthcare organizations, given their need to safeguard protected health information (PHI) and PII. Questions asked in this category related specifically to the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and the General Data Protection Regulation (GDPR).
Security Awareness Training in Healthcare
HIMSS notes that “[m]any healthcare organizations struggle with problems stemming from a lack of security awareness” and recommends several ways in which the industry should improve its cybersecurity programs, from increasing personnel and funding to standardizing security frameworks and threat intelligence.
While the report does indicate that most healthcare organizations conduct security awareness training, nearly 52% of respondents said they rely on annual training — a practice we’ve cautioned against because it does not support effective knowledge retention and lasting behavior change. More concerning, however, is that more than 12% of respondents either don’t have a security awareness training program in place or don’t know how frequently cybersecurity education is conducted.
With healthcare organizations facing increasingly sophisticated cyberattacks — and with many of those attacks coming via email — infosec teams in this industry need to prioritize end-user risk management. HIMSS stresses that ongoing cybersecurity education is a better option than infrequent or inconsistent security awareness training initiatives, and we couldn’t agree more. As Baker noted in her article, “[w]ith healthcare staff rushed off their feet, their behavior needs to be conditioned so they can identify phishing emails based on a range of factors (for example, by checking that URLs and attachments are legitimate, in addition to looking at the sender). Proper authentication, threat intelligence, and cybersecurity training tools can help prevent successful phishing attacks.”