Healthcare cyberattacks are on the rise with nearly 32 million patient records breached in 2019—double all of 2018.
Even so, nearly a third of healthcare employees (32%) said they had never received cybersecurity training from their workplace, according to a Kaspersky report.
Nearly 1 in 5 respondents (19%) said there needed to be more cybersecurity training by their organization. When comparing the results by region, more than 24% of respondents in the U.S. noted they had never received cybersecurity training but should have, compared to 41% of respondents in Canada when asked the same question.
Kaspersky, a cybersecurity company, worked with research firm Opinion Matters to survey 1,758 employees in a variety of roles ranging from doctors and surgeons to admin and IT staff working at healthcare organizations in North America.
The survey results point to an alarming lack of awareness of federal privacy regulations in both the U.S. and Canada.
Nearly a fifth of U.S. respondents (18%) reported they did not know what the HIPAA security rule meant. In Canada, nearly half of healthcare employees surveyed (49%) said they didn’t know whether Canada-protected health information needed to stay in Canada.
“The results of the survey show that knowledge of regulatory requirements is missing or too low,” Matthew Fisher, chair of Health Law Group and partner for Mirick O’Connell, said in a statement.
The survey results are not surprising, Fisher said, based on his work with healthcare clients and talking with cybersecurity experts in the industry. Healthcare organizations often misunderstand regulatory requirements and misuse the regulations as a reason not to engage in an action that is actually permissible, Fisher said.
"The lack of awareness creates unnecessary risks," he said.
Insiders were responsible for breaching more than 3 million patient records and 20% of total breaches so far in 2019, according to a Protenus report. Data breaches also come with a hefty price tag—to the tune of $6.45 million on average.
Healthcare employees also lack awareness about healthcare cybersecurity policy, the survey found. More than a fifth of respondents (21%) in North America admitted that they were not aware of the cybersecurity policy at their workplace. When breaking down the results by region, just over a third (34%) of respondents in the U.S. and just over a quarter (27%) of Canadian respondents said they were aware of the cybersecurity policy at their workplace, but have only reviewed it once.
Since the majority of healthcare organizations store patient information electronically, it is of paramount importance that healthcare practitioners know how their IT devices are being protected. Two in five healthcare workers (40%) in North America reported having no knowledge about their organizations' cybersecurity measures to protect IT devices.
When examining if the size of an organization had an effect, a lack of awareness of device security increased with size—53% of employees at small businesses were aware of their organization's device security and that dropped to 36% of employees at enterprise businesses.
“In addition to regulation and policy awareness, training remains an essential part in keeping healthcare organizations safe from potential breaches,” Rob Cataldo, vice president of U.S. enterprise sales at Kaspersky, said. “Ongoing training must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious."
Along with beefing up employee cybersecurity training, the report recommends several steps healthcare organizations can take to address these gaps in education and awareness such as hiring a skilled IT team that understands healthcare's unique security risks to put the proper protections in place.
IT teams need to establish a clear cybersecurity policy and effectively communicate that policy to employees on an ongoing basis for increased awareness, the report said.