This week, the news broke that a data breach at the neurology department at Massachusetts General Hospital had exposed private health information on nearly 10,000 people. According to a story appearing in the Boston Globe, an unauthorized third party gained access to data stored in software used by MGH researchers.
What’s most remarkable about incidents like this is how, well, unremarkable they have become of late. Since January of this year, there have been more than 200 hacking or IT-related incidents affecting 500 or more individuals each, according to HHS. And those are only the incidents we heard about, because they crossed the 500-individual reporting threshold.
Given the extent of this threat, I was surprised to learn that many healthcare organizations aren’t putting major resources into cybersecurity training for their employees. And according to a new North American survey released by security vendor Kaspersky, this has left far too many healthcare employees ill-prepared.
For one thing, nearly a third of survey respondents told the vendor that they’d never received cybersecurity training from their workplace, and 19% said they think their organization should offer more cybersecurity training. Thirty-eight percent said they get cybersecurity training at work at least once a year.
Just 29% of U.S. respondents were able to identify the correct meaning of the HIPAA Security Rule, and 18% reported that they didn’t know what the HIPAA Security Rule was.
Forty percent of healthcare workers in North America weren’t aware of the cybersecurity measures their organization had put in place to protect IT devices. Meanwhile, 10% of employees in management positions said they were not aware that a cybersecurity policy was in place in their organization.
In addition, 32% of healthcare IT respondents said they were aware of their organization’s cybersecurity policy but had only read it once, and 15% said that while they were aware of the existence of a cybersecurity policy, they’d never read it.
To close these gaps, Kaspersky recommends that providers establish a specialized IT security team that addresses their unique cybersecurity risks and deploys security tools that specifically counter those threats.
Another important step health IT departments can take is to have security leaders implement ongoing cybersecurity training for employees at all levels, focusing on the most common threats they might face.
Also, healthcare organizations should communicate proactively with employees about their cybersecurity policy. As the policy is updated over time (a process which should definitely be ongoing), they need to keep employees up to date, the researchers said.
As things stand, however, it seems that many healthcare organizations may underestimate their exposure to cyberthreats. For example, a survey published early this year found that, just two years after WannaCry ripped through IT departments, 92% of respondents said they were confident their organization was prepared for future cyberattacks.