Risk Management Tools & Resources


Strengthening the Frontline: Cybersecurity Training for Healthcare Workers

Laura M. Cascella, MA, CPHRM


In today’s connected world, protecting proprietary and sensitive information is increasingly challenging. As technology continues to expand and evolve, cybersecurity has become a preeminent concern for many industries, including healthcare. Complex networks and data exchanges, cloud-based services, social media, online portals, the Internet of Things, and other technologies have introduced opportunities and efficiencies but also potential threats.

For healthcare organizations of all types and sizes, devising actionable and well-defined cybersecurity strategies is imperative as cyberattacks against the healthcare industry continue to grow. Atop the list of strategies — perhaps at the pinnacle — is developing and executing a robust cybersecurity training program for staff members. Although staff training might seem more nebulous than a concrete process, such as installing a firewall or patching software, its benefits should not be underestimated.

The Importance of Cybersecurity Training

Staff members are a frontline resource in preventing cyberattacks, but they also can represent a significant vulnerability for organizations. Verizon’s 2022 Data Breach Investigations Report notes that, “Healthcare is the industry where the internal actor has figured prominently in breaches.”1 Most internal threats in healthcare are unintentional, and “Many physicians, providers, and employees unknowingly engage in risky behavior on their home and work computers.”2

A survey of more than 600 healthcare professionals conducted by Merlin International and the Ponemon Institute revealed that about half of the participants felt that “lack of employee awareness and training affects their ability to achieve a strong security posture”; almost three-fourths of participants “cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture.”3

Staff awareness of best practices related to cybersecurity and data protection as well as a thorough understanding of organizational security protocols are the basis of a solid training program and crucial to each organization’s cybersecurity plan.

Developing a Robust Training Program

Healthcare organizations vary in size, location, patient population, clinical staff, systems, and so on. Because each organization is unique, a one-size-fits-all training approach for cybersecurity is unrealistic; however, it is likely that many organizations face similar threats and will want to educate staff on similar topics. When devising educational outreach related to cybersecurity, consider the following topics for inclusion:

  • Common ways that breaches occur, such as lost or stolen laptops, data sharing over unsecured networks, inappropriate access to systems, and careless security practices
  • Common cybersecurity threats — such as ransomware, phishing, spyware, distributed-denial-of-service attacks, Trojan horses, worms, and pretexting — and how they are executed
  • Best practices for preventing data breaches and cyberattacks, including:
    • Implementing technical safeguards such as data encryption, two-factor or multi-factor authentication, strong passwords or passphrases, and system lockouts
    • Sharing confidential or sensitive information via approved, secure communication channels
    • Avoiding accessing confidential or sensitive information on public computers or over public or unsecure wireless connections
    • Being aware of red flags for cyberattacks, such as suspicious URLs or domain names, unsolicited emails requesting personal information, offers that seem too good to be true, emails containing odd messaging or typos/grammatical issues, requests for money, and messages containing threats
    • Avoiding risky online behaviors, such as bypassing virus protection alerts, clicking on pop-up ads, visiting sites with security issues, using the same password for multiple sites, opening email attachments from unknown sources, and failing to sign out of shared computers
    • Being aware of how cybercriminals might access social media to glean key information that will allow them to crack passwords and breach accounts
    • Taking physical precautions to prevent inadvertently disclosing protected information, such as using privacy screens, avoiding writing down or sharing passwords, logging out of systems after use, and following policies related to taking mobile devices or hardcopy data outside organizational premises
  • Possible consequences of cybersecurity lapses, including loss of systems, interruptions to patient care and processes, possible patient harm, financial losses, and impact to the organization’s reputation
  • Organizational policies and protocols that support a culture of security, including:
    • Compliance with state and federal privacy and security laws
    • Procedures for conducting risk assessments and gap analyses
    • Rules related to social media and use of personal electronic devices
    • Strategies for securely storing and disposing of protected information (hard copy and electronic)
    • Procedures for reporting behaviors and actions that violate the organization’s privacy and security policies as well as continued assurance of a nonpunitive environment for raising concerns
    • Disciplinary actions for deviating from established policies and protocols
    • Procedures for responding to suspected or known breaches or cyberattacks, including incident reporting protocols and staff roles and responsibilities
    • Strategies for managing loss of systems or access to electronic health records
  • Resources for continued learning about cybersecurity best practices and breach prevention protocols, such as The Office of the National Coordinator for Health Information Technology, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services4

Conducting a security risk assessment (as required by HIPAA for covered entities and business associates) can help define the specific needs of each organization so that training can be focused or customized as needed.

Other Training Considerations

Individuals in charge of developing and organizing staff education should consider various training formats and activities to keep individuals engaged and aware. For example, using simulated phishing emails can help staff learn to identify cybersecurity red flags. Reviewing actual scenarios of healthcare breaches and cyberattacks — including discussing what occurred, how it occurred, and ways to prevent similar incidents — also might be beneficial. Other options include periodic email reminders, interactive modules, posters, team discussions, and role playing.

Educators also should be mindful that staff members will have varying levels of technical knowledge and aptitude. Training sessions and materials should be clear and understandable to all participants. Focusing on need-to-know information and avoiding technical jargon can support participant understanding and retention of information.5

In Summary

Cultivating a knowledgeable and well-educated staff is one of the best ways that healthcare organizations can protect against security breaches and cyberattacks. By developing a comprehensive staff education program on cybersecurity best practices, policies, and protocols, organizations can help ensure that staff members are an asset rather than a vulnerability. For more helpful resources on this topic, see MedPro’s Risk Resources: Cybersecurity.


1 Verizon. (2022). Data breach investigations report: Executive summary. Retrieved from www.verizon.com/business/resources/reports/dbir/

2 Hood, G. A. (2017, April 25). How to prevent costly and dangerous cyberattacks. Medscape. Retrieved from https://www.medscape.com/viewarticle/878592_3

3 Merlin International. (2018, March 12). Merlin International & Ponemon Institute cybersecurity study signals dangerous diagnosis for healthcare industry. BusinessWire. Retrieved from www.businesswire.com/news/home/20180312005302/en/Merlin-International-Ponemon-Institute-Cybersecurity-Study-Signals

4 Hood, How to prevent costly and dangerous cyberattacks; Shryock, T. (2017, February 10). Top tips for protecting a practice from hackers. Medical Economics. Retrieved from www.medicaleconomics.com/medical-economics-blog/top-tips-protecting-practice-hackers; Weil, S. (2017, February 10). How 4 key practices can prevent ransomware incidents. Health Data Management. Retrieved from www.healthdatamanagement.com/opinion/how-4-key-practices-can-prevent-ransomware-incidents; Downing, K. (2017). AHIMA guidelines: The cybersecurity plan. Retrieved from www.ahima.org/

5 Snell, E. (Ed.) (2017). Training employees to avoid healthcare data security threats. HealthIT Security. Retrieved from https://healthitsecurity.com/features/training-employees-to-avoid-healthcare-data-security-threats
