Healthcare Needs Mandatory Cybersecurity Education and Training

When I was a medical student and resident, I learned nothing about cybersecurity.

When I was a faculty member, I neither taught nor learned anything about cybersecurity. In fact, the extent of my digital health knowledge, skills, attitudes and competencies amounted to remembering the usernames and passwords for 5 different EMRs in our affiliated hospitals so we could pull up records when we were on call. God forbid if we didn't know the CBC on Mrs. Anthony at morning report.

Now we have a tridemic: COVID, the flu and software viruses, malware and ransomware. The root cause of each is that people are not doing what public health and security experts have recommended to prevent, mitigate and respond to breakouts. Add measles, and there are, arguably, four viruses. The results?

A recent survey by Imperva revealed that one in 10 healthcare organizations has paid a ransom. Tens of millions of patients have had their information compromised by these cyberattacks. In June of 2019, the American Medical Collections Agency elected to file bankruptcy after exposing the records of 25 million patients. Of the 948 entities impacted by ransomware attacks in the United States, 759 were healthcare providers, at a potential cost in excess of $7.5 billion.

There have been over 10 million COVID cases in the US, and the number is surging.

The number of measles cases increased 556% from 132,490 in 2016 to 869,770 in 2019, the most reported cases since 1996. 

For healthcare organizations — from small practices to large systems — devising actionable, well-defined cybersecurity strategies is imperative as cyberattacks against the healthcare industry and their associated costs continue to grow. Atop the list of strategies, perhaps at the pinnacle, is developing and executing a robust cybersecurity training program for staff members.

A survey of more than 600 healthcare professionals (HCPs) conducted by Merlin International and the Ponemon Institute revealed that about half of the participants felt that “lack of employee awareness and training affects their ability to achieve a strong security posture;” almost three-fourths of participants “cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture.”

So, how do we close the healthcare professional cybersecurity education and training gaps?

Here is what a cybersecurity plan should include.

Here is why all students, trainees and healthcare professionals, not just CMIOs and the CIOs, need cybersecurity training.

In considering useful parameters for this assessment, the WDTG (Workforce Development Task Group) observed that there are two “buckets” for cybersecurity education and training in the healthcare sector. The first is the cybersecurity training necessary for a healthcare professional to do their job. This falls into the category of “cybersecurity awareness” of business-side employees to take necessary administrative (non-technical) steps to protect personal identity information (PII) or protected health information (PHI), or avoid missteps such as falling for social engineering threats or practicing unsafe online activities on enterprise networks or applications. This training is not technical and there is no presumption that the recipients’ jobs are technical in nature. This falls under the “Cybersecurity is Everyone’s Job” guidebook, which is a work product of the NICE working group subgroup. The other bucket involves technical personnel whose roles involve the management of data, information technology, network and application security, and some of the newer blended information and device management roles in the healthcare field.

Here are some suggestions on how to measure and address the gaps in knowledge, skills, abilities and competencies of your healthcare professional workforce.

Vermont Governor Phil Scott this week ordered the state Army National Guard's Combined Cyber Response Team to help in responding to a cyberattack against the University of Vermont Health Network.

Calling in the cavalry won't solve the problem. The hidden enemies are too clever. Every medical school and residency training program should require digital health education and training, including cybersecurity, as part of a mandatory healthcare professional digital health course.

That's only the first step since a software virus vaccine is a long way off. We need a cyberczar to run CARPA.

Arlen Meyers, MD, MBA is the President and CEO of the Society of Physician Entrepreneurs.

  • Luke Collins

    Hospitals should seriously consider bringing full time cyber security analysts to protect their data

  • Elliott Arnold

    Healthcare is an easy target for hackers

  • Chris Stevens

    Well said !!!

  • Jim Martin

    A lot of work needs to be done...

  • Ricky Fleming

    Cyber security is a priority !!

  • Jayne Watson

    Every medical school must do a compulsory digital cyber training.

Arlen Meyers, MD, MBA

Former Contributor

Arlen Meyers, MD, MBA is a professor emeritus of otolaryngology, dentistry, and engineering at the University of Colorado School of Medicine and the Colorado School of Public Health and President and CEO of the Society of Physician Entrepreneurs at He has created several medical device and digital health companies. His primary research centers around biomedical and health innovation and entrepreneurship and life science technology commercialization. He consults for and speaks to companies, governments, colleges and universities around the world who need his expertise and contacts in the areas of bio entrepreneurship, bioscience, healthcare, healthcare IT, medical tourism -- nationally and internationally, new product development, product design, and financing new ventures. He is a former Harvard-Macy fellow and in 2010, he completed a Fulbright at Kings Business, the commercialization office of technology transfer at Kings College in London. He recently published "Building the Case for Biotechnology," "Optical Detection of Cancer," and "The Life Science Innovation Roadmap." He is also an associate editor of the Journal of Commercial Biotechnology and Technology Transfer and Entrepreneurship and Editor-in-Chief of Medscape. In addition, he is a faculty member at the University of Colorado Denver Graduate School where he teaches Biomedical Entrepreneurship and is an iCorps participant, trainer and industry mentor. He is the Chief Medical Officer at and and Chairman of the Board at GlobalMindED at, a non-profit at-risk student success network. He is honored to be named by Modern Healthcare as one of the 50 Most Influential Physician Executives of 2011 and nominated in 2012 and Best Doctors 2013.
