MEDICINE STUDENTS' CYBERSECURITY AWARENESS AND ITS IMPROVEMENT
E. Cymer1, T. Szymczyk2, M. Matczuk2, P. Kisała2
1 Medical University of Warsaw (POLAND)
2 Lublin University of Technology (POLAND)
Doctors and healthcare professionals are obliged to provide information on the health of their patients. Under GDPR regulations, such data are subject to strict protection. For this reason, a person sharing medical or patient data with a third party is obliged to verify the authority of the person requesting access to that information. Both the identity of the requesting person and whether he or she is authorised to access the data should be verified. A survey conducted among doctors and medical students at selected universities in Poland showed that more than 80% of doctors provide information about their patients' health to third parties. However, the problem identified during the survey was the failure to properly verify the authorisation or identity of the person requesting access to the data. 75% of the doctors surveyed declared that they are not always sure if the persons requesting access to information are who they say they are. The remaining 25% said they are never sure if the identity of the requester is genuine. There were no doctors among the surveyed group who declared that they had no doubts about who they were giving information to. This shows how important the problem of not properly protecting access to medical data is. Therefore, the authors conducted a study to verify the extent and genesis of the problem and attempted to diagnose it. In addition, the authors undertook to assess whether the introduction into the medical curriculum of an additional course on cyber security could have a positive impact on the level of protection of medical data.

To this end, a general hypothesis was put forward: Additional training on medical data protection is necessary to improve the security level of such data. In order to verify it, three working hypotheses were set and verified:
H1. A significant number of medical students and healthcare workers are not aware of the rules of personal data protection.
H2. The present training on medical data protection is not sufficient.
H3. Healthcare workers gain knowledge and experience in the area of medical data protection during their work by learning from mistakes.

In the course of the work leading to the verification of the hypotheses, it was found that more than 16% of the respondents declare ignorance of medical data protection regulations and 63% of them say they have problems understanding them. In addition, none of the doctors surveyed correctly verified the identity of the persons to whom they provided medical information. This is despite the training provided by employers and universities. Healthcare workers learn security rules from their own mistakes, often without being aware that they are making them, or by ignoring data security rules due to lack of understanding and insufficient training. As all interviewees confirmed the necessity of data security training and pointed out the added value of providing instruction in this area in the course of their studies, this allowed us to confirm the hypothesis. Introducing an additional course on data security into the medical curriculum will have a positive impact on the level of protection of personal data and medical data in the healthcare sector.

Keywords: Cybersecurity, healthcare, GDPR, data security.

Event: INTED2025
Track: Teacher Training & Ed. Management
Session: ICT & Digital Skills
Session type: VIRTUAL