Phishing Training for Employees

Phishing training for employees is important for HIPAA compliance. It prepares employees for the threats they are most likely to encounter and gives them the skills to identify phishing emails, preventing one of the most common causes of data breaches.

Security Awareness Training is a Requirement for HIPAA Security Rule Compliance

The HIPAA Security Rule directly mandates that HIPAA-covered entities and their business associates implement a security awareness training program. The extent to which the healthcare industry is being targeted by cybercriminals – and the number of data breaches that are now occurring – makes security awareness training more important than it ever has been.

HIPAA is light on detail when it comes to the topics that should be covered in security awareness training. At the time when the Security Rule was finalized, the threat landscape was very different. Had the HIPAA Security Rule been more specific, it would have been necessary to update the regulation multiple times over the past two decades.

The content of security awareness training should be guided by a risk assessment. Training should cover up-to-date security best practices and the current and emerging threats that target healthcare employees. The HIPAA Security Rule does not state that phishing training for employees must be provided, but given the number of phishing-related data breaches reported each year by HIPAA-regulated entities, it would be difficult to argue to regulators during a compliance investigation that such training was not deemed necessary.

The HHS’ Office for Civil Rights has also explained in its cybersecurity newsletters that it is important for HIPAA-regulated entities to provide phishing training for employees, since phishing is one of the most common ways that credentials are stolen and malware is installed.

How to Provide Phishing Training for Employees

It is important to explain to employees what phishing is, why the attacks are conducted, and how cyber threat actors attempt to trick healthcare employees into disclosing credentials, installing malware, or taking other actions that benefit the attacker. Employees need to be told about the red flags that allow phishing emails to be identified, and conditioned to always check for these signs of phishing.

The majority of healthcare phishing attacks occur via email, so email-based attacks should feature heavily in training. It is important not to neglect other types of phishing, as these are becoming much more common. Phishing can occur over the Internet on websites and social media networks, via SMS and instant messaging services, over the telephone, or a combination of these methods. One recent phishing campaign used emails to make contact with employees and provided a telephone number to call. The phishing element took place over the telephone.

Training should include real-world examples of phishing attacks to demonstrate the tactics, techniques, and procedures used, and there should be an interactive component, where employees get practice at recognizing phishing attempts. Examples should be provided that are relevant to the employee’s position, such as the scams that target the HR department, payroll, finance and billing, and board-level phishing attacks.

The threat landscape is constantly changing, which means training materials need to be regularly updated to include current and emerging threats. The HIPAA Security Rule calls for security reminders to be issued (§ 164.308(a)(5)(ii)(A)). Consider sending cybersecurity newsletters via email as a reminder, and to advise employees about the latest threats that they may encounter.

How Often Should Phishing Training for Employees Be Provided?

The HIPAA Security Rule largely leaves this to the discretion of each HIPAA-regulated entity. Rather than providing phishing training for employees purely for compliance reasons, it is best to view it in terms of risk management. If you want to reduce the risk of employees falling for phishing emails, training needs to be provided regularly. A once-a-year training session will not be sufficient to reduce risk.

An interesting study on the effectiveness of training demonstrates the importance of frequent phishing training for employees. The study, conducted in 2020 and published by USENIX, explored how the effectiveness of training declines over time. Immediately after phishing training was provided, the study found that employees were much better at distinguishing phishing emails from genuine emails, and after four months the training was still effective. After 6 months, however, there was no significant difference in employees’ ability to distinguish genuine emails from phishing emails compared with before training. Phishing training for employees, therefore, needs to be provided at least every 6 months.

The best approach to take from a risk management perspective is to provide ongoing training. Phishing training modules completed once a month will keep security fresh in the mind and will continuously reinforce the training. If those modules are short training videos or interactive sessions of no more than 10 minutes, they will be easy to fit into busy healthcare workflows.

Conduct Phishing Simulations

You can provide training and conduct quizzes after the training sessions to test understanding, but determining whether training is being applied on a day-to-day basis requires phishing simulations. Phishing simulations are emails modeled on real-world phishing attacks that are sent to employees to test whether they are applying their training. All responses are tracked. They provide valuable information on the effectiveness of training, show which employees have been fooled and would likely fall for a genuine phishing email, and can also highlight problems with the training course. They allow HIPAA-regulated entities to give employees practice at identifying phishing emails outside of a training session.

Through the provision of phishing training for employees and regular phishing simulations, susceptibility to phishing attacks can be greatly reduced. A KnowBe4 benchmarking study found that before training, 32.5% of healthcare employees were fooled by phishing simulations. One year after starting the training program, that percentage was reduced to 4.1%.


Training employees on how to identify and avoid phishing attempts is an important part of HIPAA Security Rule compliance. You should be conducting training regularly, and no less frequently than twice a year, and should use phishing simulations to test the effectiveness of training and to identify weaknesses that can be proactively addressed, through targeted re-training or updates to the training course. Consider using a training vendor that has an extensive library of training content and a platform that can automate the provision of training and phishing simulations.
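The two preceding points on phishing simulations (tracking every response, and using the results to find weaknesses and target re-training) are easy to state and easy to get wrong in practice, for example by counting a user who both clicked and submitted credentials twice, or by treating a reported email as a failure. The following added example, which is not from the original article or any training vendor, shows one way to turn raw simulation events into the metrics a compliance or security team would actually review: the per-campaign fooled rate and report rate, a per-department breakdown, the trend across campaigns, and the list of employees fooled in more than one campaign who should receive targeted re-training. The event log, the campaign names, the employee ids and the departments are all constructed for the example; the action names (`sent`, `opened`, `clicked`, `submitted`, `reported`) are assumptions, not a particular platform's export format.

```python
from collections import defaultdict

# Constructed sample export (not real data): one line per employee action in a
# phishing-simulation campaign, as campaign,employee,department,action.
# "clicked"/"submitted" mean the employee took the bait; "reported" means the
# employee flagged the email to security, which is the behaviour we want.
SAMPLE_EVENTS = """
2024Q1,u01,billing,sent
2024Q1,u01,billing,opened
2024Q1,u01,billing,clicked
2024Q1,u02,billing,sent
2024Q1,u02,billing,reported
2024Q1,u03,hr,sent
2024Q1,u03,hr,opened
2024Q1,u03,hr,clicked
2024Q1,u03,hr,submitted
2024Q1,u04,hr,sent
2024Q1,u04,hr,opened
2024Q1,u05,finance,sent
2024Q1,u05,finance,reported
2024Q3,u01,billing,sent
2024Q3,u01,billing,opened
2024Q3,u01,billing,clicked
2024Q3,u02,billing,sent
2024Q3,u02,billing,reported
2024Q3,u03,hr,sent
2024Q3,u03,hr,reported
2024Q3,u04,hr,sent
2024Q3,u04,hr,opened
2024Q3,u05,finance,sent
"""

FOOLED_ACTIONS = {"clicked", "submitted"}  # any of these counts as fooled
SAFE_ACTIONS = {"reported"}                # desired behaviour


def parse_events(text):
    """Parse the CSV-style export into (campaign, employee, department, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, employee, dept, action = [f.strip() for f in line.split(",")]
        events.append((campaign, employee, dept, action))
    return events


def campaign_metrics(events, campaign):
    """Summarise one campaign. Employees are counted once even if they clicked
    and then submitted credentials; a report counts as a success."""
    sent, fooled, reported, dept_of = set(), set(), set(), {}
    for c, emp, dept, action in events:
        if c != campaign:
            continue
        dept_of[emp] = dept
        if action == "sent":
            sent.add(emp)
        elif action in FOOLED_ACTIONS:
            fooled.add(emp)
        elif action in SAFE_ACTIONS:
            reported.add(emp)
    by_dept = defaultdict(lambda: {"sent": 0, "fooled": 0, "reported": 0})
    for emp in sent:
        d = by_dept[dept_of[emp]]
        d["sent"] += 1
        d["fooled"] += int(emp in fooled)
        d["reported"] += int(emp in reported)
    total = len(sent)
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "sent": total,
        "fooled": len(fooled),
        "reported": len(reported),
        "fooled_rate": pct(len(fooled)),
        "report_rate": pct(len(reported)),
        "by_department": dict(by_dept),
    }


def fooled_rate_trend(events):
    """Fooled rate per campaign, in campaign order, to show whether training is working."""
    campaigns = sorted({c for c, *_ in events})
    return [(c, campaign_metrics(events, c)["fooled_rate"]) for c in campaigns]


def repeat_clickers(events, min_campaigns=2):
    """Employees fooled in at least min_campaigns distinct campaigns: the
    targeted re-training list."""
    campaigns_fooled = defaultdict(set)
    for c, emp, _dept, action in events:
        if action in FOOLED_ACTIONS:
            campaigns_fooled[emp].add(c)
    return sorted(e for e, cs in campaigns_fooled.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for name, rate in fooled_rate_trend(evs):
        print(f"{name}: fooled rate {rate}%")
    print("needs targeted re-training:", repeat_clickers(evs))
```

Reporting rate is tracked separately from fooled rate on purpose: a falling click rate with a flat report rate usually means employees are deleting suspicious mail rather than reporting it, which still leaves the security team blind to a real campaign.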