The 60% Problem: Why Your Biggest Security Risk Shows Up for Work Every Day

Written by Gary Salman, CEO | Mar 11, 2026 1:00:00 PM

Healthcare organizations invest heavily in firewalls, encryption, and endpoint detection tools. Yet approximately 60% of cybersecurity risk walks through the door every morning—doctors, staff, and administrators who, despite the best intentions, click malicious links, open dangerous attachments, or inadvertently provide credentials to attackers.

This isn't a technology problem. It's a human problem. And it can't be solved with a one-time training session.

"This isn't a training problem that can be solved once; it's an ongoing human factor that requires continuous attention," explains Gary Salman, CEO of Black Talon Security. Yet most healthcare organizations treat security awareness training as a checkbox exercise—an annual requirement completed and forgotten until next year's compliance deadline.

The consequences of this approach are playing out across the healthcare industry. Class action lawsuits following cyber events have become an "almost 100% certainty," with attorneys warning victims on day one to prepare for litigation. Behind most of these breaches? An employee who made a split-second decision to click on what appeared to be a legitimate email.

The challenge intensifies as healthcare practices grow through mergers and acquisitions. When new practices or facilities are acquired, staff should receive cybersecurity training within the first few days as part of the onboarding process—not after months of integration when they've already had countless opportunities to introduce risk into the network.

Effective security training must be actionable, trackable, and testable. Organizations should implement simulated phishing campaigns to verify that training is actually working, not just completed. These simulations provide concrete data: Are employees recognizing and reporting suspicious emails? Are click rates decreasing over time? Which departments or roles need additional support?
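An added example, not code from the post or from Black Talon, of turning simulated-phishing results into the metrics this paragraph asks for: per-department click and report rates, the trend across campaigns, and a flag for roles that need additional support. The campaign names, departments, sample outcomes and thresholds are all assumed.

```python
from collections import defaultdict

def _records(campaign, dept, sent, clicked, reported):
    """Expand per-department counts into per-recipient records (constructed data)."""
    return [(campaign, dept, i < clicked, clicked <= i < clicked + reported)
            for i in range(sent)]

# Constructed results of two simulated campaigns; not data from any real organization.
RESULTS = (_records("2026-Q1", "Billing", 4, 2, 1) + _records("2026-Q1", "Clinical", 4, 1, 2)
           + _records("2026-Q2", "Billing", 4, 1, 2) + _records("2026-Q2", "Clinical", 4, 0, 3))

def rates(results):
    """Map (campaign, department) -> (click_rate, report_rate)."""
    counts = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for campaign, dept, clicked, reported in results:
        c = counts[(campaign, dept)]
        c[0] += 1
        c[1] += int(clicked)
        c[2] += int(reported)
    return {k: (v[1] / v[0], v[2] / v[0]) for k, v in counts.items()}

def needs_support(results, max_click=0.20, min_report=0.50):
    """Flag departments whose latest campaign breaches a threshold or whose
    click rate rose since the previous campaign. Thresholds are assumed values."""
    r = rates(results)
    campaigns = sorted({c for c, _ in r})  # ISO-style names sort chronologically
    flagged = {}
    for dept in sorted({d for _, d in r}):
        series = [r[(c, dept)] for c in campaigns if (c, dept) in r]
        click, report = series[-1]
        reasons = []
        if click > max_click:
            reasons.append("click rate above threshold")
        if report < min_report:
            reasons.append("report rate below threshold")
        if len(series) > 1 and click > series[-2][0]:
            reasons.append("click rate rising")
        if reasons:
            flagged[dept] = reasons
    return flagged

if __name__ == "__main__":
    for key, (click, report) in sorted(rates(RESULTS).items()):
        print(f"{key[0]} {key[1]:<9} click={click:.0%} report={report:.0%}")
    print("needs support:", needs_support(RESULTS))
```

In the constructed data, Billing still clicks on a quarter of the lures in the second campaign while Clinical has moved to reporting them, so only Billing is flagged for follow-up.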

The expansion of telehealth and remote work has amplified this human risk factor. Remote employees, third-party billing companies, and virtual assistants often work from inadequately secured environments, yet maintain access to sensitive healthcare networks. These distributed workers need the same continuous security awareness training as on-site staff—perhaps more, given their increased exposure to threats.

The 60% problem requires a fundamental shift in perspective. Security awareness isn't an annual training requirement—it's an ongoing cultural practice that must be reinforced, measured, and continuously improved. Healthcare organizations that treat their people as the first line of defense, rather than the weakest link, build resilient security cultures that can adapt as threats evolve.

Your technology stack might be impressive. Your policies might be comprehensive. But if your biggest security risk shows up for work every day without continuous training and testing, you're leaving your practice vulnerable to the threats that matter most.

Schedule a demo of our EAGLEi™ Continuous Threat Exposure Management platform to see how Black Talon can help your organization lessen the human factors of cyber risk.