Healthcare Cybersecurity Knowledge Gaps Placing ePHI at Risk of Exposure

A recent report issued by Wombat Security, a provider of security awareness and training software, suggests healthcare employees have gaps in their cybersecurity knowledge that could pose a serious risk to ePHI.

Knowledge of the dangers of oversharing on social media, unsafe Wi-Fi use, secure data disposal, secure passwords, and phishing was found to be lacking. Such gaps would undoubtedly lead to individuals engaging in risky behaviors.

For the study, Wombat analyzed the responses to over 20 million questions and answers that were designed to evaluate how proficient end users were at identifying and managing security threats. Respondents came from a wide range of industries, including healthcare.

The study revealed that the main problem area was the safe use of social media. In the question-based assessments of cybersecurity knowledge, 31% of questions on safe social media use were missed. The report pointed out that only 55% of companies conduct assessments on safe social media use. The second biggest cause for concern was safe data disposal, with 30% of questions missed.

Healthcare employees are required to receive training on the Health Insurance Portability and Accountability Act (HIPAA) regulations covering the privacy and security of protected health information. It is therefore unsurprising that the healthcare industry had the highest assessment percentage for protecting confidential data, yet employees from the industry still missed 31% of questions on that topic, a miss rate 5 percentage points below the average across all industries.

Healthcare employees fared badly at protecting data on mobile devices, ranking in the bottom three industries with 25% of questions missed. Healthcare employees came bottom – along with professional services – on the assessments on the use of secure passwords.

Healthcare employees fared slightly better when assessed on their knowledge of phishing, although 31% of questions were still missed. In phishing simulation exercises conducted by Wombat, 13% of healthcare employees clicked on the simulated phishing messages. This clearly shows that healthcare organizations need to do more to ensure their employees understand the risks of phishing, and that employees have their knowledge put to the test with phishing simulation exercises.

According to Wombat President and CEO Joe Ferrara, “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.