Survey Shows 24% of Healthcare Workers Did Not Have Any Security Awareness Training

Entities governed by the Health Insurance Portability and Accountability Act (HIPAA) have to give their employees security awareness training, however, a new report indicates that training is missing at a lot of HIPAA-governed entities.

KnowBe4, a platform provider of security awareness training and phishing simulation, commissioned Osterman Research to perform a survey on 1,000 U.S. workers to find out how much they know about security threats and the level of training they were provided. The KnowBe4 2021 State of Privacy and Security Awareness Report shares the results of the survey.

The survey showed that employees commonly feel confident regarding password guidelines but not in other aspects of cybersecurity, for example, determining social engineering attacks. Just a fraction understood threats like phishing, even if phishing is a common tactic used by hackers to get access to business sites and corporate information.

Worryingly, under 50% of survey participants believe clicking on a hyperlink in an email message or opening a file attachment can cause the infection of their mobile device with malware, and 45% of survey participants believe there is no need to employ further cybersecurity safety measures since they are not with the IT department.

Transforming that mindset is one of the objectives of the National Cybersecurity Awareness Month. This year’s theme is “Do Your Part. BeCyberSmart.” The goal of this project is to enable people and companies to accept their part in securing their piece of cyberspace, and which means all people are involved and not just those with the IT department.

Security awareness training programs must clarify cybersecurity guidelines and train employees in the practice of proper cyber hygiene so as to do away with risky actions. It is additionally important to educate employees on how to recognize and steer clear of phishing emails, and what to do in case of receiving suspicious emails. By means of training, it’s possible to minimize vulnerability to malware attacks and phishing emails and build a security culture in a company; nevertheless, that can only be realized by giving regular training to the workforce.

The healthcare sector is the second-highest when it comes to giving regular security awareness training in 2020. The survey shows 59% of healthcare companies continued to give security awareness training all through 2020; while 24% of healthcare companies did not provide any training on security awareness.

Among all fields of industry, healthcare workers were the least knowledgeable of social engineering threats like phishing attacks and business email compromise (BEC), as only 16% of healthcare workers reported understanding those threats perfectly.

When sufficient training is not given, employees are unable to identify and keep away from threats and HIPAA-governed entities will have a greater risk of experiencing expensive data breaches. In case of a data breach investigation or an audit, when training is identified to be inadequate, OCR may issue sizeable financial penalties. The inability to give any security awareness training clearly violates the HIPAA Security Rule. This violation was mentioned in OCR’s enforcement action versus West Georgia Ambulance in 2019.

Routine security awareness training is going to make sure that employees possess the abilities required to determine and stay away from cyber threats. KnowBe4 states that when workers are given monthly training, they are 34% more probable to think clicking a link in an email message is a dangerous action compared to workers that only get training once or two times per year.

The survey additionally revealed there are significant misunderstandings regarding the requirement for HIPAA compliance. 61% of survey participants in healthcare were aware that their company was expected to be compliant with HIPAA, while 19% stated they were not sure. 20% stated they understood or believed their company wasn’t a HIPAA-governed entity. There was additionally uncertainty regarding the requirement to comply with other privacy and security rules, with about 50% of respondents uncertain whether their company had to be compliant with the Family Educational Rights and Privacy Act (FERPA), California Privacy Rights Act, and the EU’s General Data Protection Regulation (GDPR).

Workers are the last to deal with privacy concerns, therefore they need to know that privacy protections should be implemented on the customer information they manage. The reality that a big number of employees is not certain if their company is governed by different privacy rules indicates the company’s inability to properly process data that is governed by privacy rules.

About Christine Garcia 1303 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at