Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization

Arain, Mubashir; Tarraf, Rima C.; Ahmad, Armghan

doi:10.2147/jmdh.s183275

Cited by 27 publications

(9 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Regarding the non-ICT personnel, comparing our findings ( Table 1 ) with a 2020 study in Poland [ 21 ], a 2019 study in a health region of western Finland [ 22 ], and a 2019 study in a health organization in western Canada [ 19 ], revealed the low level of cybersecurity awareness status. In Institutions A, B, and C, the 22.7% that felt sufficiently trained in security and the 23.3% that perceived the importance of the terminals’ content to hackers, appeared significantly lower next to the 51.31% of the 1200 Finnish professionals reporting bring sufficiently aware of the information and the cybersecurity matters pertaining to their job.…”

Section: Discussionmentioning

confidence: 54%

“…Cybersecurity culture denotes the combination of attitudes, behaviors, knowledge, and awareness the organization’s personnel display about common cyber risks and threats to protect the information assets [ 18 ]. Its evaluation involves the conduction of focused campaigns, which often results in the initiation of education programs, ICT infrastructure auditing, and the reassessment of current security policies to cultivate hospital personnel’s culture and sense of responsibility when processing sensitive information in daily business operations, thus preventing attacks or leakages [ 19 , 20 ]. Several endeavors towards assessing healthcare personnel’s cybersecurity culture were based on surveys.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures

et al. 2022

View full text Add to dashboard Cite

Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel’s cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlying the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.

show abstract

Section: Discussionmentioning

confidence: 54%

Section: Introductionmentioning

confidence: 99%

A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures

et al. 2022

View full text Add to dashboard Cite

show abstract

“… 28 It is well known that medical staff in healthcare settings do not have time to follow extracurricular activities and courses on security training within the timelines dictated by the Management. 10 In fact, the data available from the hospital's intranet site showed that over a third of the medical staff had not performed the recent Privacy and GDRP e-training requested by the Data Protection Officer within the expected timeframe. Therefore, a phishing simulation was introduced to provide an efficient and rapid assessment of the level of risk to the hospital posed by phishing and to bring the issue to the general attention of staff and hopefully nudge staff to be more vigilant.…”

Section: The Contextmentioning

confidence: 99%

“…Despite this, there is a noticeable lack of real-work studies of phishing in organizations, where the attack is customized for a particular organization. Among healthcare organizations, hospitals are particularly vulnerable to phishing attacks as it is difficult for management to enforce a strict cybersecurity policy 10 and staff may miss the signs of a phishing email as a result of fatigue, being more focused on patient care than administration tasks, 11 or simply because phishing emails are hard to detect. If they followed a recognizable pattern – security developers would be able to write software to filter them out and would not need to rely on human intervention.…”

Section: Introductionmentioning

confidence: 99%

Phishing simulation exercise in a large hospital: A case study

et al. 2022

View full text Add to dashboard Cite

Background Phishing is a major threat to the data and infrastructure of healthcare organizations and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email including fatigue and the nature of the deceptive message. Method A major Italian Hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals, to compare staff reaction to a general phishing email and a customized one. Results The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization. Conclusions Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the Hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message is dependent on the personalization of the message to current, local events. The lessons learned can be useful for other hospitals.

show abstract

“…Stronger cybersecurity programs at health care facilities can raise awareness and make information security training available to professionals, both clinical and nonclinical. [34][35][36] To improve end-user adoption and buy-in of cybersecurity programs and technologies, it is important utilize a targeted bottom-up approach via personalized outreach, in-person contacts, and frequent announcements throughout the workflow (i.e., rounds). 37 As more patients go online, cybersecurity programs become especially important as clinicians consider discussing and potentially showcasing relevant and useful online resources (e.g., videos, social media channels, websites, etc.).…”

Section: Recommendationsmentioning

confidence: 99%

Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

et al. 2021

View full text Add to dashboard Cite

Objectives This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce? Methods A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior. Results A total of 453/700 (64%) were responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude. Conclusion Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.

show abstract

Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization

Cited by 27 publications

References 18 publications

A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures

A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures

Phishing simulation exercise in a large hospital: A case study

Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

Contact Info

Product

Resources

About