Survey Reveals 24% of Healthcare Employees Have Had No Security Awareness Training

Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA) are required to provide security awareness training to the workforce, but a new report suggests HIPAA training is lacking at many HIPAA-regulated entities.

The security awareness training and phishing simulation platform provider KnowBe4 commissioned Osterman Research to survey 1,000 U.S. employees to determine their level of knowledge about security threats and how much training they had been given. The findings were published in the KnowBe4 2021 State of Privacy and Security Awareness Report.

The survey revealed that employees are generally confident about password best practices but lack confidence in other areas of cybersecurity, such as identifying social engineering attacks. Only a minority understood threats such as phishing, even though phishing is one of the most common ways that hackers gain access to business networks and corporate data.

Worryingly, fewer than half of respondents believed that clicking a link in an email or opening an attachment could result in their mobile device being infected with malware, and 45% of respondents believed they do not need to implement additional cybersecurity safeguards because they do not work in the IT department.

Changing that thinking is one of the goals of National Cybersecurity Awareness Month, which this year has the theme “Do Your Part. BeCyberSmart.” The aim of the initiative is to empower individuals and organizations to own their role in protecting their part of cyberspace, and that means all individuals, not only those in the IT department.

Security awareness training courses should explain cybersecurity best practices and teach employees how to practice good cyber hygiene in order to eliminate risky behaviors. It is also vital to teach employees how to identify and avoid phishing emails, and the procedures to follow if suspicious emails are received. Through training it is possible to reduce susceptibility to phishing emails and malware attacks and to develop a security culture in an organization; however, that will only be achieved by providing continuous training to employees.

The healthcare industry ranked second highest behind government for continuous security awareness training in 2020. 59% of healthcare respondents said their employer continued to provide security awareness training throughout 2020; however, the survey revealed 24% of healthcare respondents said their employer had not provided any security awareness training.

Out of all industry sectors, healthcare employees were the least aware of social engineering threats such as phishing and business email compromise (BEC), with only 16% of healthcare employees saying they understood those threats very well.

If adequate training is not provided, employees cannot be expected to recognize and avoid threats, and HIPAA-regulated entities will face a much higher risk of suffering costly data breaches. In the event of an audit or data breach investigation, if training is found to be lacking, the HHS’ Office for Civil Rights (OCR) may impose substantial financial penalties. The failure to provide any security awareness training is a clear violation of the HIPAA Security Rule and was one of the violations cited in OCR’s enforcement action against West Georgia Ambulance in 2019.

Regular security awareness training will ensure employees have the skills they need to identify and avoid cyber threats. KnowBe4 says that when employees are provided with training once a month, they are 34% more likely to believe that clicking a link in an email is a risky behavior than employees who only receive training once or twice a year.

The survey also showed there is considerable confusion about the need for HIPAA compliance. 61% of respondents in healthcare knew that their organization was required to comply with HIPAA, but 19% said they were unsure. 20% said they knew or believed their organization was not a HIPAA-regulated entity. There was also uncertainty about the need to comply with other privacy and security regulations, with around half of respondents unsure if their organization had to comply with the California Privacy Rights Act, Family Educational Rights and Privacy Act (FERPA) and the EU’s General Data Protection Regulation (GDPR).

“That’s a problem. As with cybersecurity, employees are the last line in addressing privacy issues, and so they must know that privacy protections must be applied to the customer data they handle,” said KnowBe4 in the report. “The fact that such a large proportion of employees is simply not sure whether their employer is subject to various privacy regulations does not bode well for organizations’ ability to adequately process information that is subject to privacy regulation.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com