Healthcare Cybersecurity Starts, Ends with Employees


In 2020, the number of healthcare cyberattacks doubled, with ransomware attacks accounting for 28% of all incidents.

As healthcare organizations look for ways to cut costs, improve efficiency, centralize data, and boost employee productivity, many turn to cloud-based computing services. According to some estimates, more than 83% of healthcare organizations use some form of cloud platform, and while these services do benefit employers, they also leave them vulnerable to cyberattacks.(1) In 2020, the number of healthcare cyberattacks doubled, with ransomware attacks accounting for 28% of all attacks.(2) As a result, patients and healthcare providers faced significant challenges, like inaccessible medical records, delayed treatments, and even rerouting of ambulances in emergency situations.(3)

Heather Stratford, Founder and CEO of Drip7, a cybersecurity training firm, says, “Personal information is at risk from criminals trying to collect healthcare data. Educating and empowering employees to share in the responsibility of protecting healthcare organizations is the most effective way to stop them.”

While legislation such as the Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of information such as demographic data, insurance information, test results, and medical histories, and sets general guidelines for securing organizations that handle protected health information, the attacks keep coming.(4) As a result of breaches in 2020 impacting the healthcare sector, approximately 26 million Americans’ protected health information was compromised, leaving them open to scams and identity theft.(5)

Research suggests that up to 90% of data breaches occur as a result of employee error.(6) Despite the HIPAA requirements, 1 in every 4 healthcare employees never receives cybersecurity training, and 1 in 5 don’t see a reason to learn about common cybersecurity issues—such as password length and complexity, general privacy, WiFi weaknesses, and phishing—at work.(7) In many cases, employees simply don’t understand why companies need strong security processes, even though more employees have access to networks and critical digital systems. This lack of understanding, having to integrate inconvenient new security protocols, and a general resistance to change all factor into employees’ unwillingness to adopt new strategies to protect information.(8)

After recognizing the need for better cybersecurity training, Stratford worked with her cybersecurity experts to develop a suite of technical and security-focused training areas designed to increase employee awareness and strengthen cyber practices.(9) Her proprietary training program, Drip7, helps all employees, from physicians to administrative staff, change their cyber behaviors for good with gamified training developed by cybersecurity experts. These microlearning units engage employees with different reward systems and team events, and may be accessed anytime, anywhere.(10)

A large healthcare system with 11 hospitals and 20,000 employees has begun training using Drip7 to empower employees with comprehensive cybersecurity training. Content for this healthcare system has been developed by cybersecurity and HIPAA experts, who are acutely aware of ever-changing requirements and shifting types of attacks. The healthcare system believes in training and education and knows that these skills will help employees, the hospital system, and the communities at large.

Training systems like Drip7 need to be applied in industries beyond healthcare, such as government and higher education. As more and more students use technology to learn remotely, the risk of cyberattacks on schools and universities, as well as personal computers, continues to rise.

Current methods of training employees in cybersecurity practices are flawed. If training occurs at all, it’s often only once or twice a year. Employees receive an “information dump” and are expected to retain what they’ve learned. But science shows that there is a forgetting curve when information is taught like that, resulting in only 20% of the information being retained after 30 days without reinforcement.(11) This leaves healthcare organizations susceptible to phishing scams or worse, even if employees have the organization’s best interests in mind.

Technologies like Drip7 differ from traditional training methods with small, customizable daily training sessions designed to develop employee skills and promote information retention. This gives everyone a leg up on criminals who may target them for cyberattacks. These training sessions are short and to the point, allowing employees to complete exercises more consistently than with other learning methods. And research shows that less is more—perceptual learning to improve task performance is more effective using short training sessions compared to longer lessons.(12)

Stratford says, “Protecting sensitive healthcare data starts when organizations recognize their own vulnerability and take steps to mitigate it. Our solution, which trains employees on common scams, methods to protect themselves, and what they should do in the event of a cyberattack, is key to achieving secure, protected data systems.”

About Drip7

Drip7 is the brainchild of cybersecurity expert and Stronger International Founder and CEO Heather Stratford, created after a client wanted to fix a specific problem: empowering the weakest link—the human—to be better at cybersecurity. With its first few clients (a large educational institution, hospital system, and government agency), Drip7 is proving its usefulness in changing the old system of training and information retention in any workforce. Stratford explains, “Drip7 is a micro-learning platform that is re-inventing the way organizations train their employees and build lasting cultural change within them, especially in today’s age of remote workforces.” For more information, visit drip7.com and stronger.tech.

1.    “Cloud Computing in Healthcare: The Complete Guide.” True North ITG, 3 Dec. 2019, truenorthitg.com/cloud-computing-in-healthcare/#:

2.    Davis, Jessica. “Healthcare Cyberattacks Doubled in 2020, with 28% Tied to Ransomware.” HealthITSecurity, HealthITSecurity, 25 Feb. 2021, healthitsecurity.com/news/healthcare-cyberattacks-doubled-in-2020-with-28-tied-to-ransomware.

3.    Davis, Jessica. “560 Healthcare Providers Fell Victim to Ransomware Attacks in 2020.” HealthITSecurity, HealthITSecurity, 19 Jan. 2021, healthitsecurity.com/news/560-healthcare-providers-fell-victim-to-ransomware-attacks-in-2020.

4.    “What Is Protected Health Information?” HIPAA Journal, 10 Jan. 2018, hipaajournal.com/what-is-protected-health-information/.

5.    Ikeda, Scott. “Healthcare Cyber Attacks Rise by 55%, Over 26 Million in the U.S. Impacted.” CPO Magazine, 26 Feb. 2021, cpomagazine.com/cyber-security/healthcare-cyber-attacks-rise-by-55-over-26-million-in-the-u-s-impacted/.

6.    Spadafora, Anthony. “90 Percent of Data Breaches Are Caused by Human Error.” TechRadar, TechRadar Pro, 8 May 2019, techradar.com/news/90-percent-of-data-breaches-are-caused-by-human-error.

7.    Chapple, Mike. “Why All Healthcare Workers Need Cybersecurity Training.” HealthTech, 1 May 2019, healthtechmagazine.net/article/2019/10/why-all-healthcare-workers-need-cybersecurity-training.

8.    Alton, Larry. “How to Get Your Employees to Care About Cybersecurity.” ISACA, 22 Apr. 2019, isaca.org/resources/news-and-trends/isaca-now-blog/2019/how-to-get-your-employees-to-care-about-cybersecurity.

9.    “Security Awareness Training: Remote Compliance Training: Onsite Cyber Awareness: Cybersecurity Training Instruction: Stronger International Inc.” Stronger International Inc. | Cybersecurity • Consulting • Training, 26 Feb. 2020, stronger.tech/training/.

10.    “Why Drip7.” Drip7, 2021, drip7.com/.

11.    Denny, Juliette. “What Is The Forgetting Curve (And How Do You Combat It)?” ELearning Industry, 17 Apr. 2018, elearningindustry.com/forgetting-curve-combat.

12.    Molloy, Katharine, et al. “Less Is More: Latent Learning Is Maximized by Shorter Training Sessions in Auditory Perceptual Learning.” PloS One, Public Library of Science, 2012, ncbi.nlm.nih.gov/pmc/articles/PMC3351401/#:~:
