The rapidly changing role of technology in healthcare can make building an effective security awareness program challenging, as ever more connected devices send and receive large volumes of healthcare data. According to a recent report from SecurityScorecard, 75 percent of healthcare organizations were hit by a malware attack in 2016. To complicate things, the industry ranks 15th out of 18 industries on social engineering, a common cause of breaches in which users are manipulated into revealing confidential information.

While many large breaches involve hackers, HealthITSecurity reports that the most costly healthcare breaches of 2015 originated from misconduct, including lost or stolen devices and mishandled data. Given the explosion of wearables and BYOD in the healthcare industry, health information technology leaders must focus on building end-to-end security programs that, like patient experiences, are centered on people.

Building an effective, employee-centered security awareness program should focus on four points:

Risk Awareness

Many employees might not be aware of the cybersecurity risk their organization faces. Employees should be regularly informed and reminded of the risks and vulnerabilities they face, framed in terms of patient safety, financial losses and damage to reputation. They need to understand organizational policies and procedures, as well as their roles and responsibilities in keeping business and patient data safe.

Targeted Training

Security training should be tailored to each employee's role. Staff members should be given the tools and resources to minimize risk and taught to recognize the vulnerabilities specific to their work. This might involve additional training on existing devices and software, or on basic security practices around BYOD policies and device use.

Ongoing Education

Data security training should be ongoing. From clinicians to workers in patient financial services, healthcare staff are busy, and learning the latest regulations and laws may have been put on the back burner. Your employees will likely need retraining on HIPAA and HITECH standards, as well as ongoing education on how to handle the threats they are particularly exposed to as healthcare workers, such as phishing and other scams.

Professional Development

Encourage your employees to be accountable for security in their department and to keep up with developments in the industry as part of their growth as healthcare professionals. HIMSS provides multiple resources for professional development that range from education to certification.

To get a start on protecting your healthcare organization against social engineering attacks, keep your security team and staff aware of these common criminal techniques:

  • Entering facilities and impersonating healthcare staff

  • Manipulating healthcare staff to reveal information over the phone

  • Stealing unsupervised mobile devices from facilities

  • Digging through dumpsters for sensitive documents

While new technology in the healthcare industry poses challenges for healthcare IT leaders, taking the steps above to create an employee-centered security awareness program will go a long way toward protecting company and patient data.

Megan Williams

Megan Williams is a consultant and writer who specializes in healthcare technology. She has over a decade’s experience in hospital revenue cycle consulting and holds an MBA with a focus on international business, as well as a degree in hospital administration. She works with growing and established healthcare B2B companies in creating work that is in touch with the latest developments in healthcare, and maintains her work at