According to Security Magazine, a 2024 report by ISACA indicated that 49% of organizations identify inadequate or insufficient training as a primary cause of privacy failures, including data breaches. In support of this, a study titled Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization, conducted within a large healthcare organization in Western Canada, assessed the impact of educational modules on IT security and privacy among both clinical and non-clinical staff. The findings revealed that staff who completed the training were 4.2 times more likely to respond correctly to spam emails than those who had not undergone the training. However, the study also identified knowledge gaps, such as only a minority of staff knowing how to encrypt emails, highlighting areas that need further emphasis. Notably, shorter training modules (20 minutes) were found to be more effective than longer ones (60 minutes), suggesting that concise sessions may improve knowledge retention.
These insights reinforce the need for organizations to implement targeted, efficient training programs to empower staff in recognizing and preventing data breaches.
“Understanding initial points of compromise is key to identifying vulnerabilities and strengthening defenses since they often serve as gateways for attackers. Addressing these weaknesses can significantly reduce the risk of breaches and improve security posture,” writes the 2024 HIMSS Healthcare Cybersecurity Survey. “As shown in Figure 11 below (see survey report), we asked respondents to identify initial points of compromise for significant security incidents in the past year. General email phishing (63%), SMS phishing and targeted spear-phishing (each 34%), business email compromise (31%), phishing websites (21%), malicious ads (20%), social media phishing (19%), vishing (voice phishing) (17%), and whaling (also known as executive impersonation) (16%), deepfake images (6%), audio deepfakes (4%), video deepfakes (3%), distributed denial of service (DDoS) attacks (3%), and privacy breaches (3%) were reported. Eight percent did not know. Eighteen percent reported no significant security incidents.”
These tactics largely target human users, not systems, making employee awareness and preparedness important. Without proper training, staff may unknowingly fall victim to phishing websites, malicious ads, or even more sophisticated attacks like voice phishing (vishing), deepfakes, and executive impersonation (whaling). Addressing these vulnerabilities through targeted staff training can significantly reduce the likelihood of breaches and strengthen an organization's overall security posture.
A notable study titled Evidence-Based Staff Training: A Guide for Practitioners provides a structured approach to staff training known as Behavioral Skills Training (BST). This method emphasizes performance- and competency-based strategies to ensure effective learning and skill acquisition.
To truly protect an organization from data breaches, it's not enough to simply train staff; organizations must also evaluate whether that training works. According to Rickhard Alén's study, Measuring the Effectiveness of Information Security Education, Training, and Awareness (SETA), such programs require a structured, multi-layered approach to evaluation.
Alén proposes a model that assesses training effectiveness across three key dimensions:
The first dimension, knowledge, measures whether participants remember the information shared during training sessions. Techniques such as pre- and post-training quizzes, knowledge checks, and simulations help identify gains in understanding. For example, participants might be tested on their ability to recognize phishing emails before and after completing a module.
The second dimension is behavior: it's one thing to know what to do; it's another to actually do it. Alén emphasizes observing changes in real-world behavior after training. This could include monitoring whether employees report suspicious emails, follow data-handling procedures, or use secure communication channels. Behavioral audits and simulated phishing tests are commonly used here.
See also: Using behavioral analytics in HIPAA compliant email marketing
Finally, the third dimension is organizational impact: training must show a measurable effect on the organization's security posture. Metrics might include a reduction in security incidents, fewer helpdesk calls related to breaches, or improved compliance scores. Alén stresses aligning training objectives with broader organizational goals to justify investment and demonstrate return.
Feedback loops are also important. Evaluating what worked (or didn’t) allows for continuous improvement of the training content, delivery methods, and frequency. Combining employee feedback with performance metrics gives a well-rounded picture of training effectiveness.
Alén’s framework reminds us that awareness is only the first step; what matters most is whether that awareness translates into action that reduces real risk.
In healthcare, effective security training does more than reduce data breach risk; it directly supports compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Security Rule requires covered entities and business associates to implement administrative safeguards, which include workforce training and awareness initiatives. By educating employees on recognizing phishing attempts, handling protected health information (PHI) securely, and responding to potential security incidents, organizations are actively fulfilling these legal obligations.
For example, teaching staff how to properly encrypt emails or securely access patient data aligns with HIPAA’s requirement to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). Moreover, ongoing training and reinforcement help build a culture of compliance where staff are not only aware of HIPAA regulations but are equipped to act accordingly. This proactive approach not only helps avoid costly violations and audits but also fosters patient trust by demonstrating a commitment to safeguarding sensitive health information.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
Common types of cyberattacks in healthcare include phishing (email and SMS), spear-phishing (targeted attacks), business email compromise, malware attacks, and social engineering tactics like vishing and whaling. These attacks often exploit human vulnerabilities, which is why employee training is critical in recognizing and responding to them.
Security training enhances HIPAA compliance by ensuring that employees understand how to securely handle protected health information (PHI). Training helps staff follow HIPAA guidelines, such as encrypting emails, using secure communication channels, and recognizing potential security incidents. This reduces the risk of HIPAA violations and strengthens an organization's ability to protect patient data.
A comprehensive security training program can include:
The training should also emphasize practical skills, such as how to securely send emails and report suspicious activities.
Read more: HIPAA training courses and programs