KnowBe4 Urges Healthcare Organizations to Implement IT Security Training as New Studies Reveal Patient Record Breaches on the Rise

Share Article

Cybercrime Expert Stu Sjouwerman Asserts Internet Security Awareness Training (ISAT) Can Help Prevent Data Breaches of Protected Healthcare Information (PHI)

News Image
The Ponemon Institute survey indicated that criminal attacks were responsible for 30% of data breaches, and 43% of respondents stated that “lack of trained staff and end users” was among the primary reasons for data breaches.

Recent research reports show an increase in protected healthcare information (PHI) breaches, prompting Internet Security Awareness Training (ISAT) firm KnowBe4 to reach out to healthcare IT professionals concerning the need for employee education.

According to Redspin’s latest PHI breach report(1), more than 19 million patient health records have been breached since August 2009, when the breach notification rule went into effect as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Redspin found that PHI breaches increased 97% between 2010 and 2011, with an average of 49,396 health records compromised during each breach. The report also noted that the five most populous states – California, Texas, New York, Florida and Illinois – had the highest number of breach incidents.

A separate study published by the Ponemon Institute(2) on behalf of ID Experts also found an increase in PHI data breaches, with 96% of healthcare providers reporting at least one breach in the past two years. Based on the survey findings, researchers calculated that the average economic impact of each breach was $2,243,700 – an increase of 10% over 2010. Other repercussions cited by respondents included time and productivity loss (81%), brand or reputation diminishment (78%) and loss of patient goodwill (75%).

While PHI data breaches often result from the theft or loss of computers, laptops and other devices, many incidents are perpetrated by hackers who gain access to company systems through phishing tactics. The Ponemon Institute survey indicated that criminal attacks were responsible for 30% of data breaches, and 43% of respondents stated that “lack of trained staff and end users” was among the primary reasons for data breaches.

“Few healthcare employees could tell you what corporate IT security policies are in place; it is even rarer to find security awareness training programs,” noted the authors of the Redspin report. They concluded that “there is no better vaccination against a data breach than improving the security awareness of healthcare workers.”

Both reports validate the advice of KnowBe4 founder and CEO Stu Sjouwerman (pronounced “shower-man”), who recommends providing Internet security training to all employees as a way to defend against the phishing attacks that can lead to network breaches. “It’s critical for anyone working with patient healthcare records to understand the importance of protecting that information and safeguarding the devices that store those details. However, even the best-intentioned employees can inadvertently leave their company’s network vulnerable to cybercriminals because they simply haven’t been trained on how to identify and avoid phishing tactics and other social engineering techniques,” he explained.

Sjouwerman cites the recent breach of approximately 2,000 patient health records at Metro Community Provider Network (MCPN) in Colorado.(3) According to the public notice published by MCPN, the incident was the result of a phishing scam in which the perpetrator sent several employees an email that claimed to be from a trusted source. The email instructed the recipients to click on a link and provide login information, which was subsequently used to gain access to confidential information.

“While MCPN performed a phishing security test after the incident and has committed to provide training to staff, the best time to implement Internet Security Awareness Training is before a data breach occurs,” said Sjouwerman. “By investing in ISAT programs now, organizations can potentially avoid the high costs and penalties associated with a health information breach as well as the possible loss of customers.”

KnowBe4 offers a number of cybercrime prevention resources to help organizations determine their susceptibility to cyber attacks, including a free phishing security test and a free email exposure check (EEC), which reveals publicly available company email addresses that cybercriminals can use to target staff.

Healthcare organizations that are ready to implement training can take advantage of KnowBe4’s First2Know™ product, which offers next-generation, cloud-based training for employees of any size company. Sjouwerman notes that while traditional security training programs are often static and only get updated once a year, First2Know uses proprietary Dynamic Content Updates (DCU™) technology to update users with the latest threat information on a daily basis. KnowBe4’s ISAT offering also provides before-and-after reports that show the results of employee training.

To learn more about KnowBe4, as well as its cybercrime prevention resources and Internet security training services, visit

About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He and his colleagues work with companies in many different industries, including highly regulated field such as healthcare, finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

1 Redspin. Breach Report 2011: Protected Healthcare Information. February 2012.

2 Ponemon Institute. Second Annual Benchmark Study on Patient Privacy & Data Security. Study sponsored by ID Experts. December 2011.

3 Metro Community Provider Network (MCPN). “Notice of Personal Health Information Breach.” Notification posted on MCPN website; February 1, 2012.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Karla Jo Helms
Visit website