Close to one-third of healthcare employees have never received cybersecurity training, report shows

There is an apparent lack of awareness of federal regulations in both the U.S. and Canada to keep patient information secure.

Jeff Lagasse, Associate Editor

Employees of healthcare organizations in the U.S. and Canada lack cybersecurity education and awareness in three main areas: regulation, policy and training. That's according to a new report from Kaspersky, "Cyber Pulse: The State of Cybersecurity in Healthcare Part 2."

The report reveals several key findings that directly correlate to the increasing number of hacking and IT-related incidents occurring in healthcare organizations across North America.

When respondents were surveyed on healthcare regulations, the main finding was an obvious lack of awareness of the federal regulations in both the U.S. and Canada that are meant to keep patient information safe and secure.

Nearly a fifth of U.S. respondents (18%) reported they didn't know what the HIPAA security rule meant. In Canada, nearly half of respondents (49%) said they didn't know if Canadian PHI needed to stay in Canada.


In addition to gaining insights on regulations, healthcare policy proved to be another area in which healthcare professionals are lacking in awareness and education. More than one-fifth of respondents (21%) in North America admitted that they were not aware of the cybersecurity policy at their workplace. When breaking down the results by region, just over a third (34%) of respondents in the U.S. and just over a quarter (27%) of respondents in Canada said they were aware of the cybersecurity policy at their workplace, but have only reviewed it once.

Since the majority of healthcare organizations store patient information electronically, it's of prime importance that practitioners know how their IT devices are being protected. Forty percent of all North American respondents were not at all aware of cybersecurity measures in place at their organization to protect IT devices.

When examining whether the size of an organization had an effect, the lack of awareness of device security was highest at small businesses (53%), followed by medium businesses (39%) and enterprise businesses (36%).

The survey also evaluated respondents on the level of cybersecurity training they received in their workplace. According to the findings, there's a dramatic need and desire from employees for increased cybersecurity training in their organizations.

Nearly one in five respondents (19%) said there needed to be more cybersecurity training by their organization. When comparing the results by region, more than 24% of respondents in the U.S. said they had never received cybersecurity training but should have, compared to 41% of respondents in Canada when asked the same question.

The bottom line: It's imperative for healthcare organizations to prioritize cybersecurity in their industry to better serve their patients and keep their private healthcare information safe.

Security experts from Kaspersky suggest hiring a skilled IT team that understands the healthcare industry's unique security risks and can put the proper protections in place. It will also be important for IT teams to establish a clear cybersecurity policy and communicate that policy to employees on an ongoing basis to increase awareness. Increased training for employees should also remain an area of focus, as employees are on the front lines of potential cybersecurity attacks each day.


"The results of the survey show that knowledge of regulatory requirements is missing or too low," said Matthew Fisher, chair of Health Law Group and partner for Mirick O'Connell. "In working with many clients and talking with others across the healthcare industry, the results are not surprising given the number of erroneous statements made about regulatory requirements and the misuse of regulations as the reason not to engage in an action that is actually permissible. The lack of awareness creates unnecessary risks."

"In addition to regulation and policy awareness, training remains an essential part in keeping healthcare organizations safe from potential breaches," said Rob Cataldo, vice president of U.S. enterprise sales at Kaspersky. "Ongoing trainings must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious. Cybersecurity awareness training is key to promoting an employee culture of vigilance where employees take pride and do their part to protect their patients and overall organization."


Cyber attacks can have a profound impact on the finances of hospitals and insurers. Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security, told Healthcare Finance News in July that some estimates place cyber attacks at $5 billion in cost to the healthcare system.

Beyond the cost of remediating breaches and settling any civil complaints, there are fines from the Department of Health and Human Services Office for Civil Rights. In 2018, OCR issued 10 resolutions that totalled $28 million.
