Insufficient Employee Security Awareness Training Exposes Healthcare Organizations to the Risk of Cyberattacks


Ponemon Institute conducted a study on behalf of Merlin International involving 627 healthcare executives in the United States and found that healthcare organizations are failing to provide their employees with adequate security awareness training. About 52% of respondents said that a lack of security awareness is the top reason why healthcare organizations are slow to improve their security posture.

The findings of the study were published in the Merlin International report 2018 Impact of Cyber Insecurity on Healthcare Organizations. According to the report, 62% of respondents said their organization had experienced a cyberattack in the last 12 months, and half of the resulting breaches involved the loss of protected health information (PHI). The top contributing factor to those breaches was poor security awareness.

Asked about their biggest breach concerns, 63% of respondents cited external attacks by hackers and 64% cited internal breaches caused by employee error or negligence. Respondents identified three main threats to the confidentiality, integrity and availability of PHI: unsecured medical devices, bring-your-own-device (BYOD) programs and insecure mobile devices.

57% of respondents felt that the use of cloud, mobile and IoT technologies has increased the number of vulnerabilities hackers can exploit to access healthcare data. 55% of respondents admitted that they were not including medical devices in their cybersecurity strategy, and 58% said that the use of legacy systems was a security issue.

Though 62% of healthcare organizations experienced a data breach in the past 12 months, only 49% comply with the HIPAA requirement to maintain an incident response program for rapidly responding to and remediating breaches. Staffing is another major roadblock to improving healthcare organizations' security posture: 74% of respondents agreed with this statement, 60% doubted that they have the right cybersecurity qualifications in house, and only 51% of organizations had appointed a CISO.

Brian Wells, Director of Healthcare Strategy at Merlin International, urged healthcare organizations to get serious about cybersecurity, because they cannot provide essential care if they lose control of, or access to, personal information and systems. Threat actors have multiple ways to bypass a healthcare organization's security defenses, and phishing remains one of the most common: attackers trick employees into responding to phishing emails, disclosing their login credentials or installing malware. According to a Cofense research study, 91% of cyberattacks begin with phishing. Security awareness training is therefore essential. Failing to train employees to recognize phishing emails and respond to them properly leaves the organization exposed to cyberattack.