HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lack of Security Awareness Training Leaves Healthcare Organizations Exposed to Cyberattacks

A recent study conducted by the Ponemon Institute on behalf of Merlin International has revealed healthcare organizations are failing to provide sufficient security awareness training to their employees, which is hampering efforts to improve their security posture.

Phishing is a major security threat and the healthcare industry is being heavily targeted. Phishing offers threat actors an easy way to bypass healthcare organizations’ security defenses. Threat actors are now using sophisticated tactics to evade detection by security solutions and get their emails delivered. Social engineering techniques are used to fool employees into responding to phishing emails and disclose their login credentials or install malware.

Phishing is used in a high percentage of cyberattacks on healthcare organizations. Research conducted by Cofense (formerly PhishMe) suggests as many as 91% of cyberattacks start with a phishing email. While security solutions can be implemented to block the majority of phishing emails from being delivered to end users’ inboxes, it is not possible to block 100% of malicious emails. Security awareness training is therefore essential.

In addition to HIPAA training, healthcare employees should be trained how to recognize phishing emails and how to respond when potentially malicious messages are received. Training should be provided to help eliminate risky behaviors and teach cybersecurity best practices. The failure to provide sufficient training leaves healthcare organizations at risk of attack.

The Ponemon/Merlin International study on 627 healthcare executives in the United States suggests healthcare organizations are not doing enough to improve security awareness and develop a security culture.  More than half of respondents (52%) said the lack of security awareness was affecting their organization’s security posture.

The Merlin International report, 2018 Impact of Cyber Insecurity on Healthcare Organizations, revealed 62% of respondents have experienced a cyberattack in the past 12 months, with half of those incidents resulting in the loss of healthcare data. Poor security awareness is contributing to a high percentage of those breaches.

When asked about the biggest concerns, there was an equal split between external attacks by hackers and internal breaches due to errors and employee negligence – 63% and 64% respectively.

The main threats to the confidentiality, integrity, and availability of healthcare data were perceived to be unsecured medical devices (78%), BYOD (76%) and insecure mobile devices (72%).

57% of respondents felt use of the cloud, mobile, and IoT technologies has increased the number of vulnerabilities that could be exploited to gain access to healthcare data. 55% of respondents said medical devices were not included in their cybersecurity strategy and the continued use of legacy systems was seen to be a security issue by 58% of respondents.

Even though 62% of organizations have experienced a data breach in the last year and it is a requirement for HIPAA compliance, 51% of organizations have not developed an incident response program that allows them to rapidly respond and remediate breaches.

Staffing was seen to be the biggest roadblock preventing organizations from improving their security posture. 74% believed a lack of suitable staff was a major issue hampering efforts to improve cybersecurity. 60% of respondents do not believe they have the right cybersecurity qualifications in house and only 51% of surveyed organizations have appointed a CISO.

“Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access to or control of the proprietary and personal information and systems the industry depends on to provide essential care,” said Brian Wells, Director of Healthcare Strategy at Merlin International.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.