Survey: Healthcare Organizations Underestimate Importance of Security Awareness Training

March 11, 2020
Researchers noted that employee training is a key element of a comprehensive cyber resilience program – one that is often overlooked

According to a new survey, ninety percent of health organizations experienced an email-borne security threat in the past year, and researchers believe that employee security awareness training is not properly prioritized within cyber resilience programs.

The survey, from HIMSS Media and email and data security company Mimecast Limited, included 101 respondents who have significant involvement with email security initiatives at U.S. hospitals and health systems, according to officials.

Of those organizations that experienced an email-borne attack in the last year, 25 percent of respondents stated these attacks were very or extremely disruptive. According to the research, the top attack types targeting healthcare organizations’ email are malicious URLs and broad phishing attacks.

Even though about three in four organizations reported having, or being in the process of rolling out, a comprehensive cyber resilience program, only half of respondents expressed high levels of confidence in their current email security deployment.

The data also showed that 72 percent of organizations experienced downtime as a result of an attack, with productivity (55 percent), data (34 percent) and financial (17 percent) losses being the three most common types. Healthcare organizations experiencing the most disruptions over the course of the last 12 months were hit more frequently by attacks impersonating trusted vendors or partners (61 percent) and credential-harvesting phishing attacks (57 percent) than by other kinds of email-borne attacks.

Researchers noted that employee training is a key element of a comprehensive cyber resilience program – one that is often overlooked. Seventy-seven percent of respondents agreed that employee-focused security awareness training is essential to protecting their organization against email-borne attacks, yet 40 percent indicated that their organization provides security training less than once per quarter. Notably, 11 percent admitted to only offering training during onboarding or ad hoc after a negative incident had occurred.

Matthew Gardiner, director of enterprise security at Mimecast, stated, “The popularity of email as a communications channel makes it one of the top attack vectors used to target healthcare organizations. All the reasons it is effective for legitimate use make it a key path for threat actors to use maliciously, often with minimal effort and a high return on investment.”

He advised, “Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter. Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”
