Are Healthcare Workers the Most Cyber-aware of All?

Aug 17, 2021
Monica White
VP of Product Marketing


A recent survey of 1,200 workers conducted by TalentLMS revealed some surprising trends in cybersecurity habits, hygiene, and awareness. Survey participants answered a simple seven-question quiz testing them on their ability to spot potential threats online and gathering intel on cyber habits and knowledge of best practices. 

Across the board, the results were dismal. Yet as TalentLMS diced its survey results by industry, one group of participants stood head and shoulders above the rest: healthcare workers. 

Compared to information services, finance, education, and software, healthcare workers scored significantly better with a passing rate of 57%.

| | Healthcare and social assistance | Information services and data | Finance and insurance | Education | Software |
|---|---|---|---|---|---|
| Pass | 57% | 17% | 38% | 43% | 27% |
| Fail | 43% | 83% | 62% | 57% | 73% |

Source: TalentLMS Cybersecurity Survey

We’ll dive into healthcare’s unique challenges in a minute. But the survey results caused us to do a double-take. Namely, we struggled to posit why the two most tech-saturated industries scored lower than all others: information services and data had a shockingly poor passing rate of just 17%, and software companies fared little better at 27%. Could it be that tech-rich businesses are somehow more cavalier about cybersecurity in general? Ours certainly isn’t, and none of our partners are either. And yet the results are what they are. Perhaps, as tech companies, these users assume they have it figured out and simply can’t be tricked, which, if true, is an expensive mistake to make.

Finance and insurance, as well as education, each performed better than the tech businesses. They’re doing something right, or at least they’re getting more of it right. Yet one could argue a failure rate of 68% (for finance) and 57% (for education) still isn’t anything to brag about. Read on for suggestions of what all of these organizations can do to improve the way they protect their data, networks, and infrastructure.

A high-risk environment demands vigilance

The reason for healthcare’s superior cyber awareness may be environmental; the uniquely high-stakes and challenging environment of healthcare demands it. Broad, interconnected attack surfaces, an uptick in remote employees, and the brisk criminal market for healthcare records have positioned healthcare entities as an attractive target for threat actors. So workers have been forced to stay vigilant and skilled at spotting threats.

But even with a passing rate of 57%, there is still considerable room for improvement when it comes to cybersecurity hygiene and awareness. Historically, healthcare takes five times longer than leading industries to close half of its vulnerabilities. And from a remediation coverage standpoint, healthcare comes in dead last.

For more on vulnerability management performance by industry, download a copy of Prioritization to Prediction, Volume 3: Winning the Remediation Race.

The strain on healthcare is costly

Putting even more strain on an already fatigued target, the COVID-19 pandemic overwhelmed healthcare providers both physically and in terms of cyber attacks. Stretched thin and left vulnerable, hospitals and their IT staff faced an onslaught of aggressive attacks, including network-server attacks, ransomware, sophisticated phishing campaigns, and more. Providers have been forced to pay historically high ransoms and recovery costs to keep their operations running and doors open during these most critical times.

In 2020 alone, threat actors capitalized on fatigued, overworked healthcare employees to the tune of $6 trillion, and it’s still picking up steam through 2021.

Cybersecurity (and cybersecurity training) needs an overhaul

Doing a better job of cybersecurity training will, of course, help healthcare employees improve how they help secure the front lines. (A recent blog outlines some key ways to help accomplish this.) And while it’s a worthwhile and necessary effort in this ongoing cyber battle, training alone isn’t the answer.

A modern, risk-based vulnerability management (RBVM) program can help shut off attack vectors, even if threat actors have successfully duped an employee into opening the wrong file or visiting the wrong site. By identifying and closing weaknesses in infrastructure and applications, a comprehensive RBVM program gives attackers fewer opportunities to gain a foothold in your organization.

Compared to traditional vulnerability management, a modern RBVM approach focuses on isolating the organization’s biggest vulns using data science, predictive modeling, comprehensive threat and vulnerability intel, and context. Rather than chase thousands of so-called “critical” vulns scored by the Common Vulnerability Scoring System (CVSS), the best RBVM solutions use the latest technologies to identify the 2-5% of all vulnerabilities that actually pose a real risk to an organization. Establishing a risk-based approach to vulnerability management will help companies optimize resources, remediate their riskiest vulnerabilities first, and streamline security operations.

When a Fortune 500 medical provider went risk-based

When Quest Diagnostics decided it had enough of trying to power through its seemingly endless list of vulnerabilities using a homegrown prioritization tool, the healthcare giant decided to go risk-based. As a Fortune 500 medical provider, Quest knew it couldn’t settle for less-than-stellar vulnerability management. The company deployed Kenna.VM to effectively and efficiently prioritize its riskiest vulnerabilities.

The results were meaningful. Instead of investigating and scoring a long list of vulnerabilities, Quest was able to gain actionable insight that helped it remediate its biggest risks. A risk-based approach also helped Quest gain back significant time previously spent on remediation and reporting, cutting time spent on remediation by up to 50%, and time spent reporting by up to 75%. For a closer look at Quest’s experience, check out their case study.

Give attackers nowhere to go

With cyber risk growth showing no signs of slowing, and with another wave of COVID-19 disrupting return-to-work plans, the time to transition to a risk-based vulnerability management strategy is now. 

Data breaches are too costly to rely on employee training alone. The survey data proves that even the most cyber-aware workers are fallible when it comes to cybersecurity. Acknowledging this—and doing something about it—is the only effective way forward.

Learn how to meet the high-risk demands that threaten today’s healthcare and other organizations, and discover how to fix what matters most.

