Survey: Employees are a weak link in healthcare cybersecurity defenses
Remember the urban legend about the babysitter who gets repeated phone calls from a stranger telling her to check the children? Petrified, she calls the police. They trace the calls to discover that they’re coming from inside the house. Cue the creepy music. Sure, this story is ridiculous and clearly antiquated, but it taps into a primal fear in all of us: the horror of threats existing in places where we think we are—or should be—safe.
I was reminded of this idea as I reviewed the results of our 2018 Healthcare Workforce Survey on Cybersecurity, an online survey of about 900 employees of healthcare providers and payers in the United States and Canada. The data show that employees are a significant weak link in healthcare organizations’ cyber defenses. Some are behaving badly intentionally. Others are simply not complying with policies, even though many say they understand them.
The harsh reality is that healthcare employees are willing to put patients’ medical data at risk. This is despite the fact that 99 percent said they feel responsible for the security of this data. We learned that 21 percent of healthcare employees write down their user names and passwords near their computer. And a jaw-dropping 18 percent are willing to sell confidential patient data to an unauthorized outsider! This could be in the form of selling their login credentials or downloading sensitive data onto a portable device, for example. Those who would sell their access most commonly expect to be paid between $500 and $1,000. And perhaps most shocking of all: About a quarter of employees know someone in their organization who has already done this! The most striking irony here is that consumers trust healthcare organizations to protect their digital data.
Of course, healthcare organizations take cyber threats very seriously, given the impact they have. Last year alone, payers and providers on average spent $12.5 million each responding to cyber crime. When it comes to addressing employee-related cyber vulnerabilities, many might say that training is the first line of defense. Not so fast: While training is essential, it’s no silver bullet and not adequate to protect patients’ digital data. Seventeen percent of healthcare employees who received training still write down their user names and passwords, and 19 percent of trained employees are willing to profit by selling their credentials or access to an unauthorized third party. Surprisingly, these numbers actually go up for employees who have had more frequent training.
So how can payers and providers root out that "stranger hiding in the attic?" First: culture, culture, culture. At the end of the day, this issue is tied to human nature and all of its messy imperfections. This is why taking deliberate steps to cultivate a security mindset within the organization is so critical. Considering that 70 percent of executives across industries think they have already embedded cybersecurity into their cultures, there is much work to do here. The good news, however, is that bad actors are the exception, not the rule. Most healthcare employees do take their healthcare data protection responsibilities very seriously. This is the first step to winning the cyber war inside your four walls.
Second, to address what a strong cybersecurity culture can’t, use multiple techniques to protect data, such as encryption, tokenization, micro-segmentation, privilege and digital rights management, selective redaction and data scrambling. And third, monitor continuously and vigorously not just for unauthorized access but also for undiscovered threats and suspicious user behavior. This trifecta approach—a strong cybersecurity culture, multiple data protection techniques and continuous monitoring—can go a long way to address the horror of threats existing in places where we think we are safe.