Healthcare Industry Scores Poorly on Employee Security Awareness
A recent report published by security awareness training company MediaPro has revealed that there is still a lack of preparedness to deal with common cyberattack scenarios, and that privacy and security threats are still not fully understood by healthcare professionals.
For MediaPro’s 2017 State of Privacy and Security Awareness Report, the firm surveyed 1,009 US healthcare industry employees to assess their level of security awareness. Respondents were asked questions about common privacy and security threats and were presented with several different threat scenarios to determine how they would respond to real-world threats.
Based on the responses, MediaPro assigned respondents to one of three categories. Heroes were individuals who scored highly and displayed a thorough understanding of privacy and security threats by answering 93.5%-100% of questions correctly. Novices showed a reasonable understanding of threats, answering between 77.4% and 90.3% of questions correctly. The lowest category of ‘Risks’ was assigned to individuals with poor security awareness, who scored 74.2% or lower on the tests. Those individuals were deemed to pose a significant risk to their organization and to the privacy of sensitive data.
Overall, 78% of healthcare employees were classified as risks or novices. The percentage of individuals rated in these two categories across all industry sectors was 70%, showing the healthcare industry still lags behind other industry sectors on security awareness and privacy and security best practices.
The survey revealed physicians’ understanding of privacy and security threats was particularly poor. Half of physicians who took part in the study were classified as risks, meaning their actions were a serious security threat to their organization. Awareness of the common identifiers of phishing emails was particularly poor, with 24% of physicians displaying a lack of understanding of phishing, compared with 8% of office workers and non-provider counterparts.
One of the main areas where security awareness was lacking was the identification of the common signs of a malware infection. 24% of healthcare employees had difficulty identifying the signs of a malware infection compared to 12% of the general population.
Healthcare employees scored worse than the general population in eight areas assessed by MediaPro: incident reporting, identifying personal information, physical security, identifying phishing attempts, identifying the signs of malware infections, working remotely, cloud computing, and acceptable use of social media.
MediaPro points out that the 2017 Data Breach Investigations Report from Verizon showed human error accounted for more than 80% of healthcare data breaches last year, emphasizing the need for improved security awareness training for healthcare employees. Further, cybercriminals have been increasing their efforts to gain access to healthcare networks and sensitive patient information.
“The results of our survey show that more work needs to be done,” MediaPro explains in the report. “HIPAA courses often do not include information on how to stay cyber-secure in an increasingly interconnected world. Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack, for example.”
If the security awareness of healthcare employees is not improved, the healthcare industry is likely to continue to be plagued by data breaches, irrespective of the level of maturity of their security defenses.