As seen on HealthIT Security...
Forty percent of healthcare workers would allow a colleague to use their work computer, displaying a disturbing lack of knowledge about cybersecurity best practices.
Surprisingly, healthcare workers performed better than government workers, 60 percent of whom would allow a colleague to use their work computer, according to a survey of more than 400 US workers by Spanning Cloud Apps.
Other industries included in the study were banking and finance, construction, education, information technology, manufacturing, and retail.
The survey measured US workers’ risk aversion to certain behaviors, including use of online account credentials, susceptibility to phishing attacks, and potential for data loss.
More than half of US workers admitted to clicking links they didn’t recognize, and 34 percent were unable to identify an unsecure ecommerce site.
The problem is that workers would rather be nice to coworkers than secure. Across industries, 45 percent said they would allow a colleague to use their work computer. Of workers with administrative access, only 35 percent would refuse to allow a colleague to access their device.
More than 52 percent of all employees polled said they shop online from their work computer. When shown an example of an unsecure ecommerce browser window, one-third of employees who admitted to shopping online responded that they felt the site was secure.
Only 49 percent of all employees polled who indicated the site was unsecure were able to correctly identify a broken padlock as being the key indicator of an unsafe site.
Close to three-quarters of US workers surveyed were suspicious of unfamiliar URLs from popular sites like Facebook and the New York Times and had aversion towards potentially malicious links, such as bit.ly.
When presented with a visual example, only 36 percent of employees correctly identified a suspicious link as being the key indicator of a phishing email. The remainder chose the indicators that the email was not personalized and contained a “Re:” in the subject line.
Fifty-five percent of employees admitted to clicking on links they didn’t recognize, and nearly half have downloaded a web extension to their work device. Further, 20 percent of workers reported that they shared passwords over text or email.
“The results show that even though employees know basic risks associated with strange looking emails and web pages, they lack a deeper understanding of how their online behaviors put business data at risk. For organizations in highly-targeted industries, such as government and healthcare, leadership teams must have measures in place to quickly restore data and not rely on employees to keep hackers out,” commented Spanning Principal Security Engineer Brian Rutledge.
Another study conducted earlier this year by Wombat Security found a similar lack of understanding about cybersecurity best practices among healthcare workers.
Employees in the healthcare industry answered 23 percent of IT security best practice questions wrong on average, second only to the hospitality industry, which posted a 24 percent incorrect answer score.
For the study, Wombat used data from its CyberStrength knowledge assessments and interactive training modules.
The questions covered a range of security knowledge categories: avoiding ransomware attacks, building safe passwords, identifying common security issues, identifying phishing threats, protecting against physical risks, protecting and disposing of data securely, protecting confidential information, protecting mobile devices and information, defending against scams, using the internet and social media safely, and working remotely safely.
By category, healthcare customers performed worst on questions involving protecting and disposing of data securely, with an average of 28 percent incorrect answers. They were also lacking in their understanding of how to protect mobile devices and information, with a 27 percent incorrect answer score.
The clear solution for this poor understanding of cybersecurity best practices by healthcare workers is education and training. This is especially important because healthcare organizations could face hefty HIPAA fines for poor cybersecurity practices and the data breaches that result from them.