A recent Accenture survey has revealed that 18% of health care employees said that they would be willing to sell confidential data to unauthorized parties. Furthermore, those who would be willing to sell data would do so for as little as $500-$1000. What’s more shocking is that 24% of those surveyed admitted to knowing someone within their organization who has already sold credentials or other confidential information to unauthorized parties.
In a curious twist, 99% of those surveyed said that they felt responsible for the security of patient data. Despite this, 21% admitted to writing down their login credentials and leaving them near their computer.
The survey targeted 912 employees of health providers and payer organizations in the United States and Canada. All respondents had access to digital health data, which included personally identifiable information (PII), payment information, and protected healthcare information. Other findings from the survey:
- 21% of those in provider organizations were likely to sell confidential data compared to 12% of those in payer organizations.
- 97% said that they understood their organization’s policy on data security and privacy.
- 88% said that their employer provided security training.
The health care industry is no stranger to cybersecurity incidents, but these harsh findings are extremely worrisome. Insider wrongdoing is harder to defend against because it is carried out by employees with legitimate access to the information.
Preparing for insider misuse
It’s nearly impossible to stop malicious actors entirely. Almost anyone in your organization could be a risk, and if a disgruntled employee wants to cause damage badly enough, they’ll find a way. However, organizations can mitigate the risk of breaches by implementing security measures such as access controls, which limit the amount of information any one employee can view.
Employees should also be given comprehensive staff awareness training to remind them of their information security responsibilities and the organization’s regulatory and compliance requirements. It is also important that employees understand the consequences of their actions should they act inappropriately.
Making sure your employees know about these requirements can be time-consuming and costly, so we’ve created the Information Security Staff Awareness E-learning Course. It’s designed to help employees better understand information security risks, and to build awareness of policies and procedures.