Managing Healthcare Risk in a Networked World

Independently conducted by Ponemon Institute LLC  |  Sponsored by Michigan Healthcare Cybersecurity Council

Training & Awareness

KEY FINDING:  Lines of business and corporate counsel are most accountable for ensuring mandatory cybersecurity training is conducted by organizations.

Forty-seven percent of respondents say it is critical to have a comprehensive cybersecurity awareness training program that educates all technology users to recognize attack vectors and to reduce, prevent, and respond to cybersecurity incidents. However, less than half (48 percent) of respondents say their organizations require cybersecurity training for the workforce that uses those technologies. As shown below, 42 percent say lines of business are most accountable for ensuring mandatory training is conducted, followed by corporate counsel/compliance (35 percent). Only 28 percent say information security or information technology is most accountable.

Which functions are most accountable for ensuring mandatory cybersecurity training is conducted by your organization? (response options as listed in the report; percentages given only where the text above states them)

Lines of business (42 percent)
Corporate counsel/compliance (35 percent)
Human resources
Information security
Information technology
Internal audit
Risk management
Finance
Privacy office
No one function is most accountable

KEY FINDING:  Mandatory cybersecurity training is inconsistent.

As shown below, many respondents say training is required only at no set time (ad hoc) (40 percent), only upon joining the organization (40 percent), or only when the organization has a security incident (32 percent).

When are employees required to take cybersecurity training? (response options as listed in the report; percentages given only where the text above states them)

Only upon joining the organization (40 percent)
Every six months
Once each year
Only after the organization has a cybersecurity incident
No set time (ad hoc) (40 percent)
Only when the organization has a security incident (32 percent)

KEY FINDING:  With the increase in remote work, the risks created by working remotely are the top threat covered in cybersecurity training.

The data below presents the topics typically covered in a training program for technology users. Reflecting concerns about a remote workforce, 60 percent of respondents say their organizations provide training on the risks created by working remotely. As discussed previously, credential theft and phishing are considered serious threats, and these are among the top three threats covered in a training program.

Which of the following threats does your training program cover? (response options as listed in the report; percentages given only where the text above states them)

Risks created by working remotely (60 percent)
Phishing
Credential theft
Third-party misuse of patient data
Cyber extortion (ransomware)
Cyber attackers
Employee negligence or error
Malicious insiders
Insecure mobile apps (eHealth)
Employee-owned mobile devices or BYOD
Risks created by geographically separated employees, including overseas locations
Mobile device insecurity