Over the past year, healthcare organizations have encountered a growing number of digital challenges that have occasionally impacted routine operations. A recent report noted that 92% of healthcare institutions experienced at least one incident involving unauthorized access or data-related issues, and that 69% of these incidents contributed to some form of service delay or administrative complication.
As technology continues to play a larger role in everyday clinical and administrative tasks, more attention is being placed on supporting staff with the knowledge and resources they need to handle sensitive information responsibly. Human Resources (HR) departments are being recognized as key contributors to this effort, as they help guide employees through best practices and ongoing learning.
Healthcare Is Being Targeted More Than Ever
Healthcare facilities have always handled sensitive information, but with everything becoming digital—from patient records to billing and prescriptions—the stakes have never been higher. Hospitals and clinics have increasingly been targeted by ransomware attacks, phishing schemes, and other cyber threats that take advantage of unsuspecting staff.
A single click on a fake email can open the door to massive system breaches, and it often takes just one employee to make that mistake. The risks extend beyond data loss; patient care can be delayed, appointments may be canceled, and trust in the institution can be damaged for years. Because of this, it’s becoming clearer that all staff, not just the IT department, must be better prepared.
HR’s New Role in Cybersecurity Efforts
In many organizations, cybersecurity used to be handled almost entirely by IT professionals, but that approach is starting to shift. It’s now being recognized that HR departments are in the perfect position to influence how security awareness is built and maintained across the entire organization.
Since HR is involved from the very start of an employee’s journey—from recruitment to onboarding and training—they’re in a unique position to help set the tone. If cybersecurity is introduced early and revisited often, employees are much more likely to take it seriously; and if those lessons are built into the culture of the workplace, they’re less likely to be forgotten.
What a Strong Awareness Program Looks Like
Cybersecurity training doesn’t always stick if it’s generic or overly technical; that’s why the most effective programs are usually broken down by role. The risks faced by a front-desk receptionist are different from those of a surgeon or a billing manager, and the training should reflect that.
Many hospitals have already started using more interactive training sessions, where staff are shown what a phishing attempt looks like or are asked how they would respond in a real-world scenario. These hands-on exercises are often more memorable and help people understand the stakes involved.
Testing can also be used to reinforce good habits. Phishing simulations, for example, have been rolled out in many healthcare settings, and they’ve helped staff become more cautious about clicking unfamiliar links or opening odd attachments. When mistakes are made, they’re used as learning moments rather than punishments.
HR also plays an important role in making sure that everyone is aware of the policies in place—for instance, how to create strong passwords, report suspicious activity, or handle data on personal devices. These policies need to be communicated clearly, reviewed regularly, and made easy to follow.
Encouraging the Right Culture
It’s one thing to teach staff about cybersecurity, but it’s another to create a workplace where people genuinely care about it. That’s where HR plays a critical but often overlooked role. IT departments typically take the lead when it comes to security protocols and responding to threats, but what’s often not talked about is that they can’t succeed without the support of people across the organization. A security-first mindset needs to be part of the everyday culture—something employees feel connected to and responsible for, not just something that “belongs to IT.”
It’s also important to remember that this cultural shift doesn’t happen overnight. It starts with how organizations onboard new hires, the tone leadership sets, and the way ongoing education is delivered. If cybersecurity training feels like just another box to check, it won’t stick; but when staff understand the real-world impact of their actions—like how one suspicious email can jeopardize patient data or how sharing a password could expose sensitive information—they’re more likely to take those responsibilities seriously.
One of the biggest factors in building a strong security culture is psychological safety. This means that people need to feel comfortable asking questions (no matter how simplistic they might be), flagging something odd, or admitting a mistake—without fear of being reprimanded or embarrassed. When an employee accidentally clicks a phishing link, the worst response an organization can have is to shame them. That doesn’t just hurt morale—it makes others less likely to speak up in the future.
Recognition also goes a long way. Whether it’s a shout-out in a team meeting or a quick thank-you email, acknowledging good cybersecurity habits reinforces their importance. HR can help make that recognition part of regular performance feedback and team culture: a quick ‘nice catch!’ or a fun team mention when someone reports something suspicious keeps things light, but still reminds everyone that paying attention matters.
Another area that’s often overlooked is accessibility. If employees don’t know where to find the right form or how to report something suspicious, they’re less likely to take action. Clear, jargon-free communication is what works best in most cases—especially in high-stress environments like healthcare, where time and attention are already stretched thin.
What Comes Next
HR teams will be expected to take an even more active role in developing programs that help staff stay informed and prepared. Training will need to be updated regularly, and the importance of security will need to be reinforced across all levels of the organization.
Stronger outcomes are achieved when people, not just systems, are placed at the heart of information safety efforts. When HR teams are involved in helping staff understand their role in managing digital information, healthcare organizations benefit from a workforce that is both mindful and resilient.
Guest writer