There's a healthcare data security problem in the U.S., and news reports suggest that insiders are not getting the amount of education they need to help keep hospital data safe.

Per a new Kaspersky report, a massive number of workers in the healthcare sector do not receive the training needed to improve awareness of their organization’s policies, regulations, and rules.

Nearly a quarter (24%) of U.S. healthcare employees have not received cybersecurity training, “but felt they should have,” Health IT Security points out. Per the report, 32% of the North American healthcare workforce is not adequately trained in healthcare security protocols.

This is especially important, as insider misuse is a considerable problem for healthcare. According to Becker’s Hospital Review, 15% of security breach incidents in the healthcare industry in 2013 were caused by insider misuse.

Insider misuse is defined as an instance where employees steal property or data or commit other crimes. They typically take this information to gain access to money or to commit tax fraud.

At the same time, unintentional staff actions that compromised patient data security accounted for 12% of security incidents in the healthcare industry.

Cybersecurity training is a priority for keeping up with threats. Several reports show that many hacking attempts evade traditional security measures.

Notably, of the employees in the Kaspersky report who did receive cybersecurity training, 11% said the training occurred only during hiring and onboarding. Only 38% of employees receive annual cybersecurity training; one in five say they needed more training.

“If healthcare employees are not effectively trained on cybersecurity regulations and procedures for their organization, how are they expected to spot a cyberattack or communicate to their internal IT department if an attack strikes?” Kaspersky researchers wrote. “Organizations of all sizes and resources must ensure that their staff can adequately recognize malicious attacks and who to report them to,” they continued.

Measuring the cybersecurity awareness of leaders in the organization, Kaspersky found that only one in 10 employees in management positions were aware of the cybersecurity policy within their organization. Of all respondents, 21% said they were unaware of the policy, and 31% said they were aware of the policy but had reviewed it only one time. In addition, 40% were utterly unaware of any security measures designed to protect IT devices.

Smaller organizations had employees who said they are unaware of the security used by their employer, compared to 39% of respondents from medium-sized organizations and 36% from enterprise companies.

The report also showed that 18% of employees did not know what the HIPAA security rule meant, and just 29% of respondents were able to identify its meaning correctly.

The report, “Cyber Pulse: The State of Cybersecurity in Healthcare,” surveyed more than 1,700 healthcare employees in a variety of roles, from doctors to admin and IT staff, throughout North America.