Health care industry’s top security concern is negligent employees

According to Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, 69% of health care companies in the US “believe they are at greater risk for a data breach than other industries.” In the last two years, 89% of health care organizations had at least one security incident causing the loss of patient data, and 45% of these organizations had more than five data breaches.

Why do they feel more vulnerable?

  • They fail to be vigilant in ensuring that partners and third parties protect patient information (51% of respondents).
  • They do not employ enough skilled IT security practitioners (44%).
  • There is a lack of investment in technology to mitigate data breaches (41%).

But employee negligence is their top concern

69% of respondents identified negligent or careless employees as the type of security threat that worries them the most. Although 62% of respondents were not aware of any medical identity theft affecting their patients, of the remaining 38% that were aware of such incidents, the most frequently cited cause was unintentional employee action (48% of respondents).

Staff security awareness is the key

Together with processes and technology, people are one of the components of a strong cybersecurity strategy. It’s possibly the trickiest part to get right, because it’s often beyond the organization’s control: What people – in this case, employees – do or don’t do is very unpredictable. Although it is difficult to control people’s behaviour, making them aware of best practices can help to avoid unnecessary risks.

Health care companies invest in employee education to reduce security risk

Among the actions taken by health care companies to reduce the risk of data breaches, employee training (52%) seemed to be the obvious choice for making staff more vigilant and attentive to data protection and security matters.

Through induction and refresher training, employees can build knowledge about cybersecurity, and keep up to date with the latest best practices as well as the company’s policies and procedures. It’s even better if the training comes in the form of elearning: There are no travel costs, less disruption to routines and operations, and no need to gather the whole staff together, among other benefits.

Visit the IT Governance website to discover our full range of elearning courses.

Topics covered include information security, ISO 27001, the PCI DSS, and phishing.