A Quarter Of US Health Employees Aren’t Trained For Cybersecurity – Does That Include Your Staff?
A significant portion of the country’s healthcare workforce doesn’t know how to contribute to their practice’s cybersecurity. Are your staff members putting you at risk?
A majority of cybersecurity technologies offered today include the best in vital software, from firewalls to anti-malware to data encryption and more. However, as important as this technology is, on its own, it simply isn’t enough.
The key to truly comprehensive cybersecurity is simple, yet often overlooked: the user.
The best cybersecurity technology and practices in the world can be undone by one staff member who doesn’t understand how to use them, or how to protect the data they work with.
And in the healthcare industry, this is a big problem…
The State Of Healthcare Cybersecurity
According to a new report from Kaspersky, up to 24% of healthcare workers in the US have not received any cybersecurity training. North of the border that number soars to 41%.
That doesn’t mean the other 76% of your staff are fully secure in their practices either – 11% of them say the only cybersecurity training they ever received was during their hiring process. In the end, only 38% of employees from the 1,700 surveyed healthcare organizations reported that they received cybersecurity training on an annual basis.
The fact is that cybersecurity in healthcare IT is more difficult than in other sectors – poorly trained workers only make this problem worse.
The modern healthcare workplace requires far more data sharing with far more people than other sectors do. That data lives on more devices in more dispersed settings, and the complexity and breadth of health IT systems keep increasing.
At its core, healthcare cybersecurity comes down to the HIPAA Security Rule.
The Security Rule sets standards for the handling of electronic Protected Health Information (ePHI), which is the specific type of data the HIPAA Privacy Rule covers. This rule establishes national standards for properly securing patient data that is stored or transmitted electronically.
The rule requires that three different types of safeguards be put in place:
The purpose of these safeguards is to ensure the security of ePHI as it is transported, maintained, or received. Essentially, the Security Rule is meant to allow for new technology to be integrated into your operations uninterrupted while still keeping private patient data protected.
By law, the Security Rule applies to health plans, healthcare clearinghouses, and any other healthcare provider that handles any sort of health information electronically. Any provider or entity that comes in contact with ePHI must comply with the HIPAA Security Rule – if that includes you, then make sure you follow it.
How Do I Train My Employees For Cybersecurity?
A comprehensive cybersecurity training program will teach your medical staff how to handle a range of potential situations:
- How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
- How to use business technology without exposing data and other assets to external threats by accident.
- How to respond when you suspect that an attack is occurring or has occurred.
Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and therefore present a serious threat to your security.
So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls and keep your data secure?
If you’re not sure, then they may need training…
Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.
They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.