News Feature | November 13, 2015

Healthcare Employees Often Complacent About Security

By Christine Kern, contributing writer


Non-technical healthcare employees are too complacent about the possibility of a data breach, and few are aware that it has happened to their organization, according to a recent Trustwave survey of employees at large and mid-sized healthcare organizations. The 2015 Security Health Check Report, based on a survey of 398 full-time healthcare professionals, found that while 91 percent of respondents believe cyber criminals are increasingly targeting healthcare organizations, only 10 percent or less of their overall IT budget is allocated for cybersecurity and the protection of highly sensitive patient data.

The findings also reveal employee complacency could actually be putting healthcare data at risk. In the past two years, hackers have stolen data from 81 percent of hospitals and health insurance companies, according to a report released by KPMG.

“Today’s healthcare industry is under attack. From hospitals to physicians to urgent care clinics, healthcare organizations are swimming in private data and must make security a priority in order to protect it,” said Steve Kelley, senior vice president of product and corporate at Trustwave Holdings. “Security challenges are nothing new for any business but the level of distress exponentially increases when someone’s life may actually depend on the protection of sensitive data.”

“There’s a typical ‘it can’t happen to me’ phenomenon,” Kelley told CIO Magazine, adding there is a huge vulnerability gap for healthcare organizations. “It has either already happened to you, or will happen to you — or you’re not just aware of it yet,” said Kelley.

Despite the reality of cyber threats, the study found only 14 percent of non-technical employees and 23 percent of technical employees thought their organizations had experienced a breach. Further, 65 percent of non-technical respondents said external threats posed greater risks than insider threats. And while 23 percent of technical respondents reported their organization had experienced a breach, studies have shown the rate is actually significantly higher, indicating a lack of awareness of security issues.

“The average non-technical person has no idea of how insecure the environment is,” Kelley told CIO Magazine. “But every single worker on the front line with customers needs to be educated on these issues.”

Given the rising challenges of cybersecurity, it is surprising that only 38 percent of these employees get security training at least twice a year, 49 percent get training once a year, 7 percent only when they are first hired, and 6 percent receive no security awareness training at all. “There’s a gap between how sensitive this information is, and how prepared they actually are,” said Kelley.