Training staff on recognizing and preventing data breaches
Tshedimoso Makhene
May 06, 2025

According to Security Magazine, a 2024 report by ISACA indicated that 49% of organizations identify inadequate or insufficient training as a primary cause of privacy failures, including data breaches. In support of this, a study titled Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization, conducted within a large healthcare organization in Western Canada, assessed the impact of educational modules on IT security and privacy among both clinical and non-clinical staff. The findings revealed that staff who completed the training were 4.2 times more likely to correctly respond to spam emails than those who had not undergone the training. However, the study also identified knowledge gaps, such as only a minority of staff knowing how to encrypt emails, pointing to areas that need further emphasis. Notably, shorter training modules (20 minutes) were found to be more effective than longer ones (60 minutes), suggesting that concise sessions may enhance knowledge retention.
These insights reinforce the need for organizations to implement targeted, efficient training programs to empower staff in recognizing and preventing data breaches.
Why training staff matters
“Understanding initial points of compromise is key to identifying vulnerabilities and strengthening defenses since they often serve as gateways for attackers. Addressing these weaknesses can significantly reduce the risk of breaches and improve security posture,” writes the 2024 HIMSS Healthcare Cybersecurity Survey. “As shown in Figure 11 below (see survey report), we asked respondents to identify initial points of compromise for significant security incidents in the past year. General email phishing (63%), SMS phishing and targeted spear-phishing (each 34%), business email compromise (31%), phishing websites (21%), malicious ads (20%), social media phishing (19%), vishing (voice phishing) (17%), and whaling (also known as executive impersonation) (16%), deepfake images (6%), audio deepfakes (4%), video deepfakes (3%), distributed denial of service (DDoS) attacks (3%), and privacy breaches (3%) were reported. Eight percent did not know. Eighteen percent reported no significant security incidents.”
These tactics largely target human users, not systems, making employee awareness and preparedness important. Without proper training, staff may unknowingly fall victim to phishing websites, malicious ads, or even more sophisticated attacks like voice phishing (vishing), deepfakes, and executive impersonation (whaling). Addressing these vulnerabilities through targeted staff training can significantly reduce the likelihood of breaches and strengthen an organization's overall security posture.
Training staff
A notable study titled Evidence-Based Staff Training: A Guide for Practitioners provides a structured approach to staff training known as Behavioral Skills Training (BST). This method emphasizes performance- and competency-based strategies to ensure effective learning and skill acquisition.
Key components of Behavioral Skills Training (BST)
- Instruction: Training begins with clear, concise instructions. This isn’t just about listing rules—it's about helping staff understand why the skill matters. For example, if you're teaching how to spot phishing emails, explain the potential consequences of a successful phishing attack (e.g., data breaches, financial loss, patient trust erosion). Use simple, jargon-free language and, where possible, tie the skill back to real-life examples relevant to the employee’s role. This context helps learners see the value of what they're being taught, increasing engagement and retention.
- Modeling: After explaining the skill, trainers must demonstrate it. This is where modeling comes in. Think of it as a "see it to believe it" approach. Trainers or supervisors perform the skill exactly as it should be done, whether that’s recognizing a spoofed email address, properly handling patient data, or using secure communication tools. Visual aids like videos or live role-plays can make this step more dynamic. The key is to offer a clear and correct example that employees can imitate.
- Practice (rehearsal): You wouldn’t expect someone to become a good driver just by watching others. The same logic applies to data security practices. After modeling, give staff a chance to practice the skill in a safe, controlled setting. Whether it’s identifying phishing simulations or role-playing a privacy breach scenario, rehearsal helps bridge the gap between theory and action. It builds muscle memory and confidence which is important in real-world application when the stakes are higher.
- Feedback: Once practice begins, feedback becomes essential. But not all feedback is created equal. Good training includes immediate, specific, and constructive feedback. Praise what’s done well, and gently correct what’s missed. For example: “Great job noticing the strange email address. Next time, also check the link before clicking—hover over it to reveal where it really leads.” This kind of guidance helps fine-tune understanding and encourages continuous improvement without discouraging learners.
- Mastery criteria: One-time success doesn’t mean a skill is mastered. BST recommends repeated practice and feedback until the learner meets a clear mastery standard—like correctly identifying phishing emails in 90% of simulations. This ensures that training “sticks” and that employees are truly ready to apply what they’ve learned independently. Building in mastery criteria also sets a benchmark for training quality and helps assess readiness before real-world application.
- On-the-job training: The final and most often overlooked step is taking the training into the real world. Skills that are practiced in a classroom or workshop may fade unless they’re reinforced on the job. Supervisors should check in periodically, observe performance, and continue to offer encouragement and feedback. This could include brief refreshers, mini-drills, or spontaneous phishing tests. Ongoing reinforcement ensures the training becomes part of the organization's everyday culture—not just a one-off event.
Measuring the effectiveness of training
To truly protect an organization from data breaches, it's not enough to simply train staff; organizations must also evaluate whether that training works. According to Rickhard Alén's study, Measuring the Effectiveness of Information-Security Education, Training, and Awareness (SETA) Programs, such programs require a structured, multi-layered approach to evaluation.
Alén proposes a model that assesses training effectiveness across three key dimensions:
Knowledge retention
This measures whether participants remember the information shared during training sessions. Techniques such as pre- and post-training quizzes, knowledge checks, and simulations help identify gains in understanding. For example, participants might be tested on their ability to recognize phishing emails before and after completing a module.
Behavioral change
It's one thing to know what to do; it's another to actually do it. Alén emphasizes observing changes in real-world behavior after training. This could include monitoring whether employees report suspicious emails, follow data-handling procedures, or use secure communication channels. Behavioral audits and simulated phishing tests are commonly used here.
See also: Using behavioral analytics in HIPAA compliant email marketing
Organizational impact
Finally, training must show a measurable impact on the organization's security posture. Metrics might include a reduction in security incidents, fewer helpdesk calls related to breaches, or improved compliance scores. Alén stresses aligning training objectives with broader organizational goals to justify investment and demonstrate return.
Feedback loops are also important. Evaluating what worked (or didn’t) allows for continuous improvement of the training content, delivery methods, and frequency. Combining employee feedback with performance metrics gives a well-rounded picture of training effectiveness.
Alén’s framework reminds us that awareness is just the first step; what matters most is whether that awareness translates into action that reduces real risk.
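To make the mastery criterion from the BST section (correct in 90% of simulations) and Alén's knowledge-retention and behavioral-change measures concrete, here is an added example that is not from the page or the cited studies: it scores constructed phishing-simulation outcomes and pre/post quiz results per employee and for the cohort. The R/I/C outcome encoding, the minimum-sample rule before judging mastery, and all sample values are assumptions.

```python
"""Mastery and effectiveness metrics for phishing-simulation training.
Assumed encoding (constructed for this example): one character per simulation per
employee: R = reported the lure, I = ignored it, C = clicked. Not clicking counts as correct."""
from typing import Dict

MASTERY_THRESHOLD = 0.90  # the page's example criterion: correct in 90% of simulations
MIN_SIMULATIONS = 8       # assumed minimum sample before judging mastery

# Constructed sample results, oldest simulation first.
SIM_LOG: Dict[str, str] = {
    "alice": "RRRRRIRRRR",  # 10 sims, never clicked
    "bob":   "CRICRRRIRR",  # 10 sims, clicked twice -> 80% correct
    "carol": "RRRRR",       # only 5 sims, too few to judge mastery
}
# Constructed pre/post quiz scores (fraction correct) for knowledge retention.
PRE_QUIZ = {"alice": 0.60, "bob": 0.50, "carol": 0.70}
POST_QUIZ = {"alice": 0.95, "bob": 0.80, "carol": 0.90}

def employee_stats(outcomes: str) -> dict:
    """Accuracy, report rate and mastery decision for one employee."""
    sims = len(outcomes)
    correct = sum(1 for o in outcomes if o != "C")
    accuracy = correct / sims if sims else 0.0
    return {
        "sims": sims,
        "accuracy": accuracy,
        "report_rate": outcomes.count("R") / sims if sims else 0.0,
        # Mastery needs both enough evidence and the threshold accuracy.
        "mastered": sims >= MIN_SIMULATIONS and accuracy >= MASTERY_THRESHOLD,
    }

def knowledge_gain(pre: Dict[str, float], post: Dict[str, float]) -> Dict[str, float]:
    """Post-minus-pre quiz score per employee (knowledge retention)."""
    return {e: round(post[e] - pre[e], 2) for e in pre if e in post}

def cohort_metrics(log: Dict[str, str]) -> dict:
    """Behavioral-change metrics across the cohort plus who needs a refresher."""
    all_outcomes = "".join(log.values())
    total = len(all_outcomes)
    stats = {e: employee_stats(o) for e, o in log.items()}
    return {
        "click_rate": round(all_outcomes.count("C") / total, 3),
        "report_rate": round(all_outcomes.count("R") / total, 3),
        "mastered_fraction": round(sum(s["mastered"] for s in stats.values()) / len(stats), 3),
        "needs_refresher": sorted(e for e, s in stats.items() if not s["mastered"]),
    }

if __name__ == "__main__":
    print({e: employee_stats(o) for e, o in SIM_LOG.items()})
    print(knowledge_gain(PRE_QUIZ, POST_QUIZ), cohort_metrics(SIM_LOG))
```

Feeding real simulation and quiz exports into these functions gives the per-employee mastery list for on-the-job reinforcement and the cohort click and report rates for the organizational-impact dimension.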
How security training enhances HIPAA compliance
In healthcare, effective security training does more than just reduce data breach risks; it directly supports compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Security Rule requires covered entities and business associates to implement administrative safeguards, which include workforce training and awareness initiatives. By educating employees on recognizing phishing attempts, handling protected health information (PHI) securely, and responding to potential security incidents, organizations are actively fulfilling these legal obligations.
For example, teaching staff how to properly encrypt emails or securely access patient data aligns with HIPAA’s requirement to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Moreover, ongoing training and reinforcement help build a culture of compliance where staff are not only aware of HIPAA regulations but are equipped to act accordingly. This proactive approach not only helps avoid costly violations and audits but also fosters patient trust by demonstrating a commitment to safeguarding sensitive health information.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What are the most common types of cyberattacks in healthcare organizations?
Common types of cyberattacks in healthcare include phishing (email and SMS), spear-phishing (targeted attacks), business email compromise, malware attacks, and social engineering tactics like vishing and whaling. These attacks often exploit human vulnerabilities, which is why employee training is critical in recognizing and responding to them.
How does security training improve HIPAA compliance?
Security training enhances HIPAA compliance by ensuring that employees understand how to securely handle protected health information (PHI). Training helps staff follow HIPAA guidelines, such as encrypting emails, using secure communication channels, and recognizing potential security incidents. This reduces the risk of HIPAA violations and strengthens an organization's ability to protect patient data.
What should be included in a security training program?
A comprehensive security training program can include:
- instruction on recognizing phishing attempts,
- securing PHI,
- understanding the consequences of data breaches, and
- following organizational security policies.
The training should also emphasize practical skills, such as how to securely send emails and report suspicious activities.
Read more: HIPAA training courses and programs