Strengthening the Frontline: Cybersecurity Training for Healthcare Workers
Laura M. Cascella, MA, CPHRM
In today’s connected world, the need to protect proprietary and sensitive information is increasingly challenging. As technology continues to expand and evolve, cybersecurity has become a preeminent concern for many industries, including healthcare. Complex networks and data exchanges, cloud-based services, social media, online portals, the Internet of Things, artificial intelligence (AI), and other technologies have introduced opportunities and efficiencies but also potential threats.
For healthcare organizations of all types and sizes, devising actionable and well-defined cybersecurity strategies is imperative as cyberattacks against the healthcare industry continue to proliferate. Atop the list of strategies — perhaps at the pinnacle — is developing and executing a robust cybersecurity training program for healthcare workers. Although employee training might seem more nebulous than a concrete process, such as installing a firewall or patching software, organizations should not underestimate its benefits.
The Importance of Cybersecurity Training
Healthcare workers are a frontline resource in preventing cyberattacks, but they also can represent a significant vulnerability for organizations. Over the years, Verizon’s Data Breach Investigations Reports have noted the threat from internal sources in the healthcare industry. Although the balance between internal and external threats has shifted, internal sources are still responsible for 30 percent of breaches in healthcare.[1] Although these lapses often are unintentional, “Many physicians, providers, and employees unknowingly engage in risky behavior on their home and work computers.”[2]
A Ponemon Institute survey on cybersecurity in healthcare revealed that only slightly more than half (57 percent) of the organizations that participated offered regular cybersecurity training and awareness programs. Additionally, fewer than half of the organizations (43 percent) performed audits and assessments of areas most vulnerable to employees’ lack of awareness.[3]
Staff knowledge of cybersecurity and data protection best practices as well as a thorough understanding of organizational security protocols are the basis of a solid training program and crucial to each organization’s cybersecurity plan.
Development of Robust Training
Healthcare organizations vary in size, location, patient population, clinical staff, systems, and so on. Because each organization is unique, a one-size-fits-all training approach for cybersecurity is unrealistic. However, it is likely that many organizations face similar threats and will want to educate staff on similar topics. When devising educational outreach related to cybersecurity, consider the following topics for inclusion:
- Common ways that breaches occur, such as lost or stolen laptops, data sharing over unsecured networks, inappropriate access to systems, and careless security practices
- Common cybersecurity threats — such as malware, ransomware, phishing, spoofing, supply chain attacks, and distributed-denial-of-service attacks — and how they are executed
- How AI is making cyberattacks more sophisticated (e.g., using deepfakes) and the need for heightened vigilance
- Best practices for preventing data breaches and cyberattacks, including:
  - Implementing technical safeguards such as data encryption, two-factor or multifactor authentication, strong passwords or passphrases, and system lockouts
  - Sharing confidential or sensitive information via approved, secure communication channels
  - Avoiding accessing confidential or sensitive information on public computers or over public or unsecure wireless connections
  - Being aware of red flags for cyberattacks, such as suspicious URLs or domain names, unsolicited emails requesting personal information, offers that seem too good to be true, emails containing odd messaging or typos/grammatical issues, requests for money, and messages containing threats
  - Avoiding risky online behaviors, such as bypassing virus protection alerts, clicking on pop-up ads, visiting sites with security issues, using the same password for multiple sites, opening email attachments from unknown sources, and failing to sign out of shared computers
  - Being aware of how cybercriminals might access social media to glean key information that will allow them to crack passwords and breach accounts
  - Taking physical precautions to prevent inadvertently disclosing protected information, such as using privacy screens, avoiding writing down or sharing passwords, logging out of systems after use, and following policies related to taking mobile devices or hardcopy data outside organizational premises
- Possible consequences of cybersecurity lapses, including loss of systems, interruptions to patient care and processes, possible patient harm, financial losses, and impact to the organization’s reputation
- Organizational policies and protocols that support a culture of security, including:
  - Compliance with state and federal privacy and security laws
  - Procedures for conducting risk assessments and gap analyses
  - Rules related to social media and use of personal electronic devices
  - Strategies for securely storing and disposing of protected information (hard copy and electronic)
  - Procedures for reporting behaviors and actions that violate the organization’s privacy and security policies as well as continued assurance of a nonpunitive environment for raising concerns
  - Disciplinary actions for knowingly deviating from established policies and protocols
  - Procedures for responding to suspected or known breaches or cyberattacks, including incident reporting protocols and staff roles and responsibilities
  - Strategies for managing loss of systems or access to electronic health records
- Resources for continued learning about cybersecurity best practices and breach prevention protocols, such as the Office of the National Coordinator for Health Information Technology, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services.[4]
Conducting a security risk assessment (as required by HIPAA for covered entities and business associates) can help define the specific needs of each organization so that training can be focused or customized as necessary.
Other Training Considerations
Individuals in charge of developing and organizing staff education should consider various training formats and activities to keep individuals engaged and aware. For example, using simulated phishing emails can help staff learn to identify cybersecurity red flags. Reviewing actual scenarios of healthcare breaches and cyberattacks — including discussing what occurred, how it occurred, and ways to prevent similar incidents — also might be beneficial. Other options include periodic email reminders, interactive modules, posters, team discussions, and role playing.
Educators also should be mindful that staff members will have varying levels of technical knowledge and aptitude. Training sessions and materials should be clear and understandable to all participants. Focusing on need-to-know information and avoiding technical jargon can support participant understanding and retention of information.[5]
In Summary
Cultivating a knowledgeable and well-educated staff is one of the best ways that healthcare organizations can protect against security breaches and cyberattacks. By developing a comprehensive staff education program on cybersecurity best practices, policies, and protocols, organizations can help ensure that workers are an asset rather than a vulnerability. For more helpful resources on this topic, see MedPro’s Risk Resources: Cybersecurity.
Endnotes
[1] Verizon. (2025). Data breach investigations report: Executive summary. Retrieved from www.verizon.com/business/resources/reports/dbir/
[2] Hood, G. A. (2017, April 25). How to prevent costly and dangerous cyberattacks. Medscape. Retrieved from https://www.medscape.com/viewarticle/878592_3
[3] Ponemon Institute. (2023). Cyber insecurity in healthcare: The cost and impact on patient safety and care. Retrieved from www.proofpoint.com/us/cyber-insecurity-in-healthcare
[4] Hood, How to prevent costly and dangerous cyberattacks; U.S. Department of Health and Human Services. (2023). Health industry cybersecurity practices: Managing threats and protecting patients. Retrieved from https://405d.hhs.gov/Documents/HICP-Main-508.pdf; Shryock, T. (2017, February 10). Top tips for protecting a practice from hackers. Medical Economics. Retrieved from www.medicaleconomics.com/view/top-tips-protecting-practice-hackers; Weil, S. (2017, February 10). How 4 key practices can prevent ransomware incidents. Health Data Management. Retrieved from www.healthdatamanagement.com/opinion/how-4-key-practices-can-prevent-ransomware-incidents; Downing, K. (2017). AHIMA guidelines: The cybersecurity plan. Retrieved from www.ahima.org/
[5] Snell, E. (Ed.). (2017). Training employees to avoid healthcare data security threats. HealthIT Security. Retrieved from https://healthitsecurity.com/features/training-employees-to-avoid-healthcare-data-security-threats