Survey: One third of health employees never get cyber training

A new report finds that as many as one-third of healthcare employees have not received cybersecurity education and awareness programs.

Even so, employees report that they believe they should be better trained, according to the report from Kaspersky, a cybersecurity firm.

In a survey on healthcare regulations, the main findings showed an obvious lack of awareness of federal regulations in the U.S. and Canada to keep patient information secure, according to the vendor.

One fifth of U.S. respondents did not know what the HIPAA security rule meant and half of respondents in Canada did not know if Canadian protected health information needed to stay in Canada.

Fisher-Matthew3-CROP.jpg
Matthew Fisher

Results of the survey show that knowledge of regulatory requirements are missing or too low, says Matthew Fisher, a partner in the health law group at the MirickO’Connell firm in the Boston area.

“In working with many clients, and talking with others across the healthcare industry, the results are not surprising given the number of erroneous statements made about regulatory requirements and the misuse of regulations as the reason to not engage in an action that is actually permissible,” he advises. “The lack of awareness creates unnecessary risks.”

Kaspersky survey data further shows that half of respondents were unaware of the need to know how their IT devices are being protected, and 40 percent were not aware at all about cyber measures in place to protect the devices.

When examining if the size of an organization had an effect, a lack of awareness of device security increased with size, with small businesses reporting 53 percent, medium-sized businesses reporting 39 percent and enterprise businesses at 36 percent.

Overall, there is a desire from employees for increased cyber training and organizations should take advantage of that, findings of the Kaspersky report show.

“Ongoing trainings must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious,” says Rob Cataldo, a vice president at Kaspersky.

Consequently, the company suggests hiring a skilled IT team that understands the healthcare industry’s unique security risks to put the proper protections in place.

The IT team also should establish a clear cybersecurity policy and effectively communicate that policy on an ongoing basis for increased awareness. And, even more training should remain a staple as employees are on the front lines of potential cyber security attacks on a daily basis, according to Cataldo.

For reprint and licensing requests for this article, click here.