90% of healthcare breaches start with a human. Train your team before attackers do.
Healthcare is the most-breached industry in the US, and phishing emails are the most common entry point. The HIPAA Security Rule requires cybersecurity training for all workforce members who access electronic PHI. One well-trained employee who spots a phishing email can prevent a breach that costs hundreds of thousands to clean up.
HIPAA Security Rule: 45 CFR 164.308(a)(5) requires security awareness training for all workforce members.
Who needs this training?
The HIPAA Security Rule requires security awareness training for all workforce members with access to electronic protected health information (ePHI). Every covered entity whose workforce accesses ePHI must train that workforce.
R = Required by federal regulation | S = Strongly recommended (best practice beyond federal mandate)
| Organization Type | Status | Authority / Notes |
|---|---|---|
| Telehealth Providers | R | HIPAA Security Rule - heightened risk |
| Physician Practices | R | HIPAA Security Rule - all staff accessing ePHI |
| Dental Offices | R | Dental practices are frequent ransomware targets. Digital imaging systems and practice management software create significant attack surface. |
| Urgent Care Centers | R | High staff turnover and multiple systems increase phishing risk. HIPAA Security Rule applies to all urgent care centers using electronic records. |
| Home Health Agencies | R | Field staff using mobile devices in patients' homes face unique cybersecurity risks. HIPAA Security Rule covers all ePHI access regardless of location. |
| Behavioral Health / SUD | R | Highly sensitive records create high-value targets. HIPAA Security Rule applies; 42 CFR Part 2 records require additional protections. |
| Chiropractic Offices | R | Small practices often lack dedicated IT staff, making user training the primary defense layer. |
| Physical Therapy Clinics | R | HIPAA Security Rule applies to all ePHI. PT clinics using scheduling software, billing systems, and EHRs must train staff on cybersecurity awareness. |
| Ambulatory Surgery Centers | R | Surgical systems and perioperative records contain sensitive ePHI. HIPAA Security Rule training is essential for all ASC staff. |
| Pharmacies | R | Point-of-sale systems and prescription databases are high-value targets. HIPAA Security Rule training required for pharmacy staff handling ePHI. |
| Community Health Centers (FQHCs) | R | Government-funded systems face sophisticated threat actors. HIPAA Security Rule and federal grant requirements apply. |
| Mental Health Practices | R | Sensitive mental health records are high-value targets. HIPAA Security Rule applies; many mental health practices use telehealth platforms with additional risk. |
Proposed changes to the HIPAA Security Rule (expected 2026) may expand cybersecurity training requirements. Organizations that complete this training now will be ahead of any new mandate.
Common questions about healthcare cybersecurity training
Why is healthcare a top target for cyberattacks?
Healthcare records are worth 10-20x more than credit card data, and healthcare systems often run legacy software that is difficult to patch. Electronic health records contain Social Security numbers, insurance details, and medical histories. Ransomware groups target healthcare because downtime creates life-safety pressure to pay quickly. The HHS Office for Civil Rights reported over 700 large breaches in 2023, and 90% of breaches involve a human element - a phishing click or weak password.
Does the HIPAA Security Rule require cybersecurity training?
Yes. The HIPAA Security Rule (45 CFR 164.308(a)(5)) requires covered entities and business associates to implement security awareness training for all workforce members. This includes training on malicious software, log-in monitoring, and password management. OCR has consistently cited inadequate training in enforcement actions. Proposed changes to the HIPAA Security Rule (Final Rule expected May 2026) may make these requirements more specific and stringent.
What are the most common cybersecurity threats for healthcare staff?
Phishing emails are the most common entry point for healthcare breaches, followed by stolen credentials and ransomware. Healthcare-specific phishing tactics include fake EHR login pages, spoofed insurance portal messages, and fake invoice emails targeting billing staff. Business email compromise (BEC) attacks impersonate executives to authorize fraudulent wire transfers. Staff who know what to look for - urgent language, mismatched domains, unexpected requests for credentials - prevent the majority of these attacks.
What do proposed HIPAA Security Rule changes mean for cybersecurity training?
The HIPAA Security Rule NPRM (proposed 2024, final action expected 2026) proposes more specific cybersecurity requirements that would affect training obligations. Proposed changes include mandatory anti-phishing training, specific password and MFA requirements, annual workforce training requirements, and enhanced incident response procedures. Organizations that build solid cybersecurity training now will be better positioned for compliance regardless of how the final rule is written. The NIST Cybersecurity Framework provides current guidance aligned with what the NPRM proposes.
Protect your practice from the inside out
Setup takes about 5 minutes. Start your 14-day free trial now.
Regulatory Disclaimer
Training requirements vary by organization type, size, state, payer mix, and accreditation. This guide reflects common federal and state requirements as of April 2026 and is not legal advice. Consult your compliance officer or legal counsel for requirements specific to your organization. State-specific modules currently cover CA, TX, FL, NY, and IL. Additional states may have requirements not listed here. Last reviewed: April 2026.