‘State of Security Education’ Looks at End-User Risk in Healthcare

It’s no secret that the healthcare industry is increasingly under attack. As infosec teams work to implement technical safeguards to protect sensitive patient data and mission-critical systems, end-user risk management can sometimes take a back seat. Our new State of Security Education: Healthcare report highlights the end-user knowledge gaps that are impacting healthcare security postures and provides insights security managers can use in planning and executing an effective security awareness training program for employees in this industry.

About the Report

We culled the healthcare-specific data we collected for our 2016 Beyond the Phish™ Report and our 2017 State of the Phish™ Report to deliver an industry-focused resource that examines some of the most pressing cybersecurity threats in this space and how end-user knowledge gaps are exacerbating risk. With more than 100 million healthcare records reportedly compromised worldwide in 2015 alone — and the Ponemon Institute estimating the average cost of healthcare breaches at $355 per record — it’s clear that cybersecurity hygiene needs to be paramount within this industry.

The State of Security Education: Healthcare report examines the knowledge levels of healthcare workers in nine key cybersecurity areas:

• Protecting confidential information (per PCI DSS and U.S. HIPAA guidelines)
• Using social media safely
• Identifying phishing threats
• Working safely outside the office
• Protecting and disposing of data securely
• Protecting mobile devices and information
• Using the internet safely
• Building safe passwords
• Protecting against physical risks

We also discuss statistics related to the rising threat of ransomware and the general lack of awareness of these dangerous (and damaging) attacks.

How We’re Helping Healthcare Organizations Manage End-User Risk

As noted in the State of Security Education: Healthcare report, we are helping healthcare organizations and customers across all industries raise cybersecurity awareness levels and train end-users to recognize and avoid social engineering attacks and other threats. You can read about one Proof of Concept exercise that helped a regional hospital and medical center reduce its susceptibility by 86% after trialing components of our anti-phishing training.

The report also outlines the components of our Healthcare Security Awareness and Training Program, which offers a prescriptive approach for cybersecurity education. We worked with our healthcare customers to develop a program that targets some of the most persistent threats while accounting for the time and staffing challenges that are unique to this space. Some differentiators of this program include the following:

• Combines scenario-based knowledge assessments and simulated phishing attacks to give a clearer understanding of the most pressing end-user vulnerabilities.
• Enables administrators to identify the most susceptible users and automatically assign follow-up training on a range of topics, including management of protected health information (PHI), ransomware prevention, and email security. By shortening the window between assessments and education, organizations can quickly begin to close concerning knowledge gaps.
• Offers brief, interactive training modules that are available on demand — a huge plus given the pressing and varying demands of staff schedules.
• Allows employees to learn by doing, which resonates with the many practical learners in this industry.
• Provides detailed reporting tools that help administrators establish a baseline vulnerability measurement, track and share progress, analyze results, implement gamification techniques, and more.