Implementing effective HIPAA cybersecurity measures is essential to safeguarding protected health information (PHI). However, according to a recent study conducted by Brigham and Women's Hospital and Harvard Medical School, many healthcare organization employees remain undertrained in HIPAA cybersecurity awareness.
The study authors measured HIPAA cybersecurity awareness by analyzing the results of phishing simulations run by six healthcare institutions.
A simulated phishing test is conducted by an organization sending deceptive (but ultimately harmless) emails to its own staff in order to gauge how staff respond to phishing and similar email attacks.
During the seven-year simulation period (2011 through 2018), the healthcare institutions ran 95 simulated phishing campaigns, sending approximately 3 million emails. Each email contained a phishing link. Approximately 14% of these links were clicked by employees; in other words, the "scam" succeeded about one time in seven.
The study authors found that awareness campaigns conducted after each simulation contributed to employee awareness and therefore to lower click rates in subsequent phishing simulations. The more simulations a healthcare organization ran, the lower its eventual click rate.
Experts advise that phishing simulations alone are not enough to raise HIPAA cybersecurity awareness; simulations are just one of several HIPAA cybersecurity tools.
Organizations can also improve their HIPAA cybersecurity awareness measures by instructing employees on how to recognize and report phishing attempts. A common HIPAA cybersecurity awareness tool is a button in the email client that employees can click if they suspect a message is a phishing attempt. When this technology is complemented by training on how to recognize phishing schemes, the time it takes a user to report a suspected scheme becomes shorter: the button is clicked more quickly, and the security team learns of the attack sooner.
Experts advise organizations to have their employees err on the side of caution when reporting suspected phishing. Rather than spending valuable time deciding whether a message is "really" a phishing scheme, employees who are in any doubt should simply report it; a false report costs the security team little, while an unreported phish that was clicked can cost a great deal.
To effectively combat phishing and bolster HIPAA cybersecurity, organizations must build employee awareness about cybersecurity.
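The two measurements the article relies on, the click rate per campaign and how quickly users press the report button, are straightforward to compute from a simulation platform's event log. The script below is an added example and is not code from the page or from the cited study; the event format (campaign id, user, event name, ISO timestamp) and the sample events are constructed for illustration, and real platforms export their own schemas. It also excludes undelivered (bounced) messages from the denominator, a detail that otherwise quietly deflates the click rate.

```python
"""Phishing-simulation metrics from a constructed event log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (campaign_id, user, event, timestamp_iso).
# Three campaigns, five recipients each; later campaigns click less and report faster.
SAMPLE_EVENTS = [
    (c, u, "delivered", t)
    for c, t in [("c1", "2023-03-01T09:00:00"),
                 ("c2", "2023-06-01T10:00:00"),
                 ("c3", "2023-09-01T08:00:00")]
    for u in ["u1", "u2", "u3", "u4", "u5"]
] + [
    ("c1", "u1", "clicked",  "2023-03-01T09:04:00"),
    ("c1", "u2", "clicked",  "2023-03-01T09:10:00"),
    ("c1", "u3", "reported", "2023-03-01T09:30:00"),
    ("c1", "u6", "bounced",  "2023-03-01T09:00:00"),  # never delivered: excluded
    ("c2", "u4", "clicked",  "2023-06-01T10:03:00"),
    ("c2", "u4", "reported", "2023-06-01T10:10:00"),  # clicked, then reported: counts in both
    ("c2", "u5", "reported", "2023-06-01T10:20:00"),
    ("c3", "u1", "reported", "2023-09-01T08:05:00"),
    ("c3", "u2", "reported", "2023-09-01T08:08:00"),
    ("c3", "u3", "reported", "2023-09-01T08:12:00"),
]


def parse_events(rows):
    """Group events into {(campaign, user): {event_name: datetime}}."""
    per_user = defaultdict(dict)
    for campaign, user, event, ts in rows:
        per_user[(campaign, user)][event] = datetime.fromisoformat(ts)
    return per_user


def campaign_metrics(rows):
    """Per campaign: recipients, click rate, report rate, median minutes to report."""
    per_user = parse_events(rows)
    acc = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0,
                               "report_minutes": [], "first_delivery": None})
    for (campaign, _user), ev in per_user.items():
        if "delivered" not in ev:
            continue  # bounced or undelivered: not a real recipient
        c = acc[campaign]
        c["recipients"] += 1
        delivered = ev["delivered"]
        if c["first_delivery"] is None or delivered < c["first_delivery"]:
            c["first_delivery"] = delivered
        if "clicked" in ev:
            c["clicked"] += 1
        if "reported" in ev:
            c["reported"] += 1
            c["report_minutes"].append((ev["reported"] - delivered).total_seconds() / 60)
    metrics = {}
    for campaign, c in acc.items():
        n = c["recipients"]
        metrics[campaign] = {
            "recipients": n,
            "click_rate": c["clicked"] / n,
            "report_rate": c["reported"] / n,
            "median_minutes_to_report": median(c["report_minutes"]) if c["report_minutes"] else None,
            "first_delivery": c["first_delivery"],
        }
    return metrics


def click_rate_trend(metrics):
    """Click rates in chronological campaign order, and whether they never rose."""
    ordered = sorted(metrics.values(), key=lambda m: m["first_delivery"])
    rates = [m["click_rate"] for m in ordered]
    never_rose = all(later <= earlier for earlier, later in zip(rates, rates[1:]))
    return rates, never_rose


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for cid in sorted(m, key=lambda k: m[k]["first_delivery"]):
        r = m[cid]
        print(f"{cid}: n={r['recipients']} click={r['click_rate']:.0%} "
              f"report={r['report_rate']:.0%} median_min_to_report={r['median_minutes_to_report']}")
    print("click rate trend:", click_rate_trend(m))
```

Tracking the median time-to-report alongside the click rate is what shows whether a report button is actually paying off: a campaign where the click rate is flat but reports arrive in minutes rather than hours still gives the security team a usable head start.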
To address HIPAA cybersecurity requirements, Compliancy Group works with MSP and IT partners from across the country. You can contract with these partners so that they can properly handle your HIPAA cybersecurity protection needs.