Many people have heard the adage that humans are not perfect. But, when it comes to patient information, human imperfections can lead to serious healthcare data security issues.
In a recent survey from Experian Data Breach Resolution and Ponemon Institute, researchers discovered that 55 percent of respondents at companies across industries have experienced a security incident or data breach because of a malicious or negligent employee.
Furthermore, 66 percent of survey participants reported that employees were the biggest challenge to developing and implementing robust data security postures.
“Among the many security issues facing companies today, the study emphasizes that the risk of a data breach caused by a simple employee mistake or act of negligence is driving many breaches,” said Experian Data Breach Resolution Vice President Michael Bruemmer. “Unfortunately, companies continue to experience the consequences of employees either falling victim to cyberattacks or exposing information inadvertently.”
Bruemmer added that companies should change the culture of security within their organization, which would help employees be prepared to secure company data.
Researchers found that most companies are aware of how employees can risk data security. Participants acknowledged that malicious or negligent employees are more likely to disclose sensitive information, fall victim to phishing scams, employ unapproved cloud or mobile services for business purposes, and download malware from insecure websites or devices.
Despite understanding the risks, only 35 percent of respondents stated that their organization’s leaders prioritize increasing employee knowledgeability about data security.
Sixty percent of participants reported that employees are not knowledgeable or have no knowledge of the organization’s security risks because C-level executives do not prioritize employee training.
As a result, employee education programs fall short of substantially addressing data security risks and motivating employees to change their behaviors.
While all respondents declared that their organization provided some employee training on data security, only half agreed or strongly agreed that these programs decreased noncompliant behaviors.
Forty-three percent of participants disclosed that only one basic course was provided to employees. Only some of the respondents said that the training program discussed top threats, such as phishing and social engineering attacks (49 percent), mobile device security (38 percent), and secure use of cloud services (29 percent).
Additionally, researchers reported that less than half of the companies require data security training for all employees. CEOs and C-level executives were the least likely to attend a course, with only 29 percent of companies requiring higher-level executives to participate.
Even after a reported incident, 60 percent of respondents stated that their organizations do not mandate that employees retake security training programs.
The survey also discovered that employees are less likely to change noncompliant behaviors because companies do not punish or reward workers for data security incidents nor do companies inform workers of risky behaviors in reviews.
About one-third of participants claimed that there are no consequences for negligent behavior and only 19 percent reported that noncompliant behavior was discussed in performance reviews.
Unfortunately, employee error is still a major barrier to implementing strong healthcare data security measures. A recent Verizon study found that most healthcare data breaches in 2015 were caused by human errors, including stolen or lost devices, privilege abuse, and employee mistakes.
Healthcare organizations face unique challenges with data security policies because patient information is highly regulated through HIPAA Rules and providing timely, quality care can sometimes trump adhering to security measures. However, employees must comply with HIPAA regulations or risk losing their jobs and jeopardizing healthcare data security.
For example, a recent potential healthcare data breach affecting 91,000 Medicare beneficiaries in Washington was caused by two employees insecurely exchanging patient information from Apple Health. One employee claimed to be helping another worker with a spreadsheet issue when the incident occurred.
To prevent employee mistakes from exposing PHI, healthcare organizations are advised to implement and monitor HIPAA administrative safeguards. These healthcare data security measures are designed to protect ePHI and manage an organization’s workflow with electronic patient data.
A major part of implementing administrative safeguards is to assign appropriate access to ePHI and other sensitive information, including terminating former employee access. Workers should only have access to what they need to perform their job, which may not always involve patient information.
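The two controls described above, removing access when employment ends and limiting each worker to the entitlements their job needs, are the kind of thing an access review is meant to catch. The script below is an added example, not code from the article or from Experian or Ponemon. It assumes a hypothetical HR roster and a hypothetical identity-system export (both constructed inline) and a hypothetical role-to-entitlement map; it flags enabled accounts belonging to terminated staff, accounts with no HR record, and accounts holding entitlements outside their role's minimum set.

```python
"""Periodic ePHI access review (added example; data and role map are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical minimum entitlement set per role: the baseline for least privilege.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "nurse": {"ehr_read", "ehr_write_notes"},
    "billing": {"claims_read", "claims_write"},
    "it_support": {"helpdesk_console"},
}


@dataclass
class RosterEntry:
    """One row from the (hypothetical) HR system of record."""
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    """One row from the (hypothetical) identity-system export."""
    user_id: str
    enabled: bool
    entitlements: set[str] = field(default_factory=set)


# Constructed sample data: one correctly offboarded user, one not, one over-privileged,
# one orphaned account, and one clean account.
HR_ROSTER = [
    RosterEntry("alice", "nurse", "active"),
    RosterEntry("bob", "billing", "terminated"),
    RosterEntry("carol", "it_support", "active"),
    RosterEntry("erin", "nurse", "terminated"),
]
ACCOUNTS = [
    Account("alice", True, {"ehr_read", "ehr_write_notes"}),
    Account("bob", True, {"claims_read"}),                    # left, still enabled
    Account("carol", True, {"helpdesk_console", "ehr_read"}), # IT with patient-record read
    Account("dave", True, {"ehr_read"}),                      # no HR record at all
    Account("erin", False, set()),                            # properly disabled
]


def review_access(roster: list[RosterEntry], accounts: list[Account]) -> list[tuple[str, str, str]]:
    """Return (user_id, finding_kind, detail) for every account that violates a control."""
    by_id = {r.user_id: r for r in roster}
    findings: list[tuple[str, str, str]] = []
    for acct in accounts:
        entry = by_id.get(acct.user_id)
        if entry is None:
            # Nobody in HR owns this identity; it cannot be justified by any job.
            findings.append((acct.user_id, "orphaned_account", "no HR record"))
            continue
        if entry.status == "terminated" and acct.enabled:
            # Offboarding did not reach the identity system.
            findings.append((acct.user_id, "terminated_but_enabled", entry.role))
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(entry.role, set())
        if excess:
            # Entitlements beyond what the role needs: least-privilege violation.
            findings.append((acct.user_id, "excess_entitlements", ",".join(sorted(excess))))
    return findings


def findings_by_user(roster: list[RosterEntry], accounts: list[Account]) -> dict[str, list[str]]:
    """Group finding kinds per user so a reviewer can route each one to an owner."""
    grouped: dict[str, list[str]] = {}
    for user_id, kind, _detail in review_access(roster, accounts):
        grouped.setdefault(user_id, []).append(kind)
    return grouped


if __name__ == "__main__":
    for user_id, kind, detail in review_access(HR_ROSTER, ACCOUNTS):
        print(f"{user_id:8} {kind:24} {detail}")
```

Run against a real HR export and identity-provider report, the same three checks give a repeatable weekly review; the "terminated_but_enabled" finding in particular is the one to tie to a ticket with a deadline, since an enabled account for a former employee is a control failure regardless of what it currently holds.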
Employee training and awareness also fall under HIPAA administrative safeguards. Not only does the rule advise covered entities to provide healthcare data security programs, but organizations should remind workers of policies and risks, especially as threats become more sophisticated.
Many healthcare workers are already overwhelmed with providing care to numerous patients, but HIPAA administrative safeguards were created to help workers navigate complicated patient privacy and healthcare data security regulations. By providing more data security training and incentive programs, perhaps healthcare employees can more easily integrate compliant behaviors into their daily care routines.