In 2018, the WannaCry malware epidemic knocked out more than 200,000 computers in 150 countries. In some hospitals, WannaCry encrypted the data on all devices, including medical equipment. The headlines associated with healthcare-related data breaches should make organizations implement security awareness training (SAT) programs to mitigate the risk of future attacks. Unfortunately, many organizations are responding slowly, if at all.
A recent report by the cybersecurity firm Kaspersky finds that as many as one third of healthcare employees have not received cybersecurity awareness training.(1) The survey found that, by and large, organizations are not learning their lessons after the first attack. Seventeen percent (17%) of the respondents said they were aware of a ransomware attack in the last five years. One third of those noted that the attacks had happened more than once. As IG World has pointed out in previous articles, SAT programs provide employees with the knowledge necessary to mitigate the risk of ransomware, data breaches and other cybersecurity-related incidents. Since the primary attack approach for ransomware is phishing email, the survey’s documentation of multiple, repeated ransomware incidents at the same healthcare organizations is clear evidence that they are not implementing effective SAT programs.
This laissez-faire attitude toward cybersecurity training is irresponsible, given the large economic cost of cyber incidents, not to mention the potential human cost. In a separate report, Kaspersky determined that the average malware attack costs large enterprises $1.2 million. For small and medium-sized businesses, the average cost is $123,000. In addition to the financial impact, cyber incidents have a significant negative impact on the “brand” of the affected organizations, which may result in patients seeking alternatives for their healthcare.
The findings of the Kaspersky survey are supported by another survey conducted by MediaPRO. The results of this survey were reported in the HIPAA Journal. The MediaPRO survey team contacted over 1,000 US healthcare industry employees to assess their level of security awareness.(2) The MediaPRO survey assessed eight areas of cybersecurity knowledge. Astoundingly, despite the obligation healthcare workers have to safeguard patient data in compliance with HIPAA regulations, healthcare workers scored worse than the general business population on this assessment.
The survey discovered that doctors were particularly bad at understanding privacy and security threats. Based on their answers, 50% of the physicians in the survey were classified as risks.
The doctors’ lack of knowledge makes them a significant security threat to the organization. Their ability to identify phishing emails was alarmingly low: 24% of physicians displayed a lack of understanding of phishing, compared with 8% of office workers.
Verizon publishes a widely read and respected Data Breach Investigations Report every year. The 2017 report found that 80% of healthcare data breaches were the result of human error, with the most commonly successful attack being a well-crafted phishing email. Combined with the results from the Kaspersky and MediaPRO surveys, it is clear that many healthcare organizations are not providing their employees with effective security awareness training.