With healthcare systems now a favorite target of hackers, it is alarming to note that nearly a quarter of all healthcare employees don’t receive cybersecurity training, even though more digitally connected devices have been deployed than ever before.

Mike Chapple, an IT professor at Notre Dame, wrote this for Health Tech Security:

The threat has only increased with the growing digitalization of medical records and the increasing number of Internet of Things tools in healthcare. Devices now outnumber people in healthcare settings by 3 to 1, but many of those devices lack sufficient safeguards. More than twice as many patient records were breached in the first half of 2019 as in the entire year prior.

Just as concerning, a recent poll found that 1 in 4 healthcare employees has never received cybersecurity training from their employer, and 1 in 5 saw no reason to learn about the issue at work. Such gaps should underscore the need for wider awareness among healthcare leaders and the value of educating everyone.


The purpose of your cybersecurity awareness program should be to keep important issues and vulnerabilities top of mind for everyone in your organization so that they react appropriately when making crucial decisions in their day-to-day work.

It is not a movement to make providers and other staff members aware that a security awareness program exists. As long as you’re delivering timely and effective content, you don’t need to advertise everything as a cybersecurity awareness effort. In fact, the message might be more effective without IT department branding.

As you determine the best methods of delivery, think about how your stakeholders receive other important information. Is email an effective means of communication, or do providers routinely ignore it? Ask the same questions about staff meetings, newsletters, posters and other communications tools that might support your program.

Cybersecurity awareness is a crucial undertaking for every healthcare organization. Securing the privacy and security of patient records does require strong technical controls, but the responsibility for protecting this information rests on the shoulders of all providers and staff members — all of whom should be adequately educated.