Skip to main content

Woburn, MA – August 20, 2019 – A new report from Kaspersky finds employees of healthcare organizations in the U.S. and Canada are lacking cybersecurity education and awareness in three main areas including regulation, policy and training. Of these key areas, the most alarming statistic found that nearly a third of respondents in North America (32%) said that they had never received cybersecurity training from their workplace, but think they should have.

The report, “Cyber Pulse: The State of Cybersecurity in Healthcare – Part 2,” uncovers several key findings that directly correlate to the increasing number of hacking and IT related incidents occurring in healthcare organizations across North America.

When surveying respondents on healthcare regulations, the main findings concluded that there is an obvious lack of awareness of federal regulations in both the U.S. and Canada in place to keep patient information safe and secure. According to the report, nearly a fifth of U.S. respondents (18%) reported they did not know what the HIPAA security rule meant. In Canada, nearly half of respondents (49%) said they didn’t know if Canadian PHI needed to stay in Canada.

“The results of the survey show that knowledge of regulatory requirements is missing or too low,” said Matthew Fisher, chair of Health Law Group and partner for Mirick O’Connell. “In working with many clients and talking with others across the healthcare industry, the results are not surprising given the number of erroneous statements made about regulatory requirements and the misuse of regulations as the reason not to engage in an action that is actually permissible. The lack of awareness creates unnecessary risks.”

In addition to gaining insights on regulations, healthcare policy proved to be an area where healthcare professionals are also lacking in awareness as well as education. Over a fifth of respondents (21%) in North America admitted that they were not aware of the cybersecurity policy at their workplace. When breaking down the results by region, just over a third (34%) of respondents in the U.S. and just over a quarter (27%) of respondents in Canada said they were aware of the cybersecurity policy at their workplace, but have only reviewed it once.

Since the majority of healthcare organizations store patient information electronically, it is of paramount importance that healthcare practitioners know how their IT devices are being protected. 40% of all North American respondents were not at all aware of cybersecurity measures in place at their organization to protect IT devices. When examining if the size of an organization had an effect, a lack of awareness of device security increased with size with small business reporting 53%, medium businesses 39% and enterprise businesses at 36%.

The survey also evaluated respondents on the level of cybersecurity training they received in their workplace. According to the findings, there is a dramatic need and desire from employees for increased cybersecurity training in their organizations. Nearly 1 in 5 respondents (19%) said there needed to be more cybersecurity training by their organization. When comparing the results by region, over 24% of respondents in the U.S. noted they had never received cybersecurity training but should have, compared to 41% of respondents in Canada when asked the same question.

“In addition to regulation and policy awareness, training remains an essential part in keeping healthcare organizations safe from potential breaches,” said Rob Cataldo, vice president of U.S. enterprise sales at Kaspersky. “Ongoing trainings must be implemented for employees so they have a better understanding of what to look for and the actions to take should they find something suspicious. Cybersecurity awareness training is key to promoting an employee culture of vigilance where employees take pride and do their part to protect their patients and overall organization.”

As the results conclude, it is imperative for healthcare organizations to prioritize cybersecurity in their industry to better serve their patients and keep their private healthcare information safe. Security experts from Kaspersky suggest hiring a skilled IT team who understand the healthcare industry’s unique security risks to put the proper protections in place. Additionally, it will be important for IT teams to establish a clear cybersecurity policy and effectively communicate that policy to employees on an ongoing basis for increased awareness. Increased training for employees should also remain an area of focus as employees are on the frontlines of potential cybersecurity attacks each day.

This quantitative study was conducted by research firm Opinion Matters via an online survey targeting 1,758 employees in a variety of roles ranging from doctors and surgeons, to admin and IT staff working at healthcare organizations in North America.

For more information and to download the full report, please visit Kaspersky Daily.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Media Contact:

Cassandra Faro

Kaspersky Report Finds Nearly a Third of Healthcare Employees Never Received Cybersecurity Training

Kaspersky Releases Survey Data on the State of Cybersecurity in North America’s Healthcare Industry
Kaspersky Logo