A new study suggests that while most healthcare employees aren’t very aware of privacy and security threats, doctors may be further behind.
According to the Verizon Enterprises Data Breach Investigations Report, 78% of healthcare employees were less than prepared for such risks. Given the threat environment out there, that’s bad enough. Other aspects of the survey found that 24% of healthcare employees had trouble identifying some common signs of malware, as compared with 12% of respondents in the general population.
However, physicians appear to be even less prepared than their healthcare peers. For example, 24% of physicians and other types of direct healthcare providers showed a lack of awareness of phishing emails, a deficit which could cause big problems. (Their rate of identifying phishing emails was three times worse than that of their non-physician counterparts.) Half of the physicians studied scored in the overall “risk” category, which meant that their actions could pose a privacy or security threat.
Looking again at the healthcare industry as a whole, 23% of respondents failed to report a variety of potential security or privacy incidents such as unsecured personnel files and potentially malware-infected computers. Twenty-one percent of survey respondents didn’t recognize some forms of personally identifiable information, but perhaps more alarmingly, more clinicians exhibited risky behaviors in this category than their non-clinician peers.
In wrapping up the report, the authors make the important point that educating healthcare workers and clinicians on HIPAA rules is far from enough to help organizations protect themselves from cyberattackers. “Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack,” they wrote. “[And] mere compliance does not equate to a fully security-aware culture.”
Ultimately, the study makes a point that can’t be made too often. When security education occurs in silos, whether HIPAA compliance, reducing the risks of internal malfeasance and errors, or training employees to catch sneak attacks such as phishing emails, none of these strategies on its own is enough to protect organizations from cyber-intrusions.
The key, as the authors rightly point out, is to cultivate a risk-aware culture across the healthcare organization’s entire population, including (perhaps most particularly) clinicians who make the closest use of the data.