Regarding data breaches, it’s been said that an organization’s greatest liability is its employees. This is especially true for hospitals and healthcare providers: staff often cause HIPAA violations inadvertently by sharing patient data carelessly, and it’s crucial for hospitals to get this behavior under control.
The results of a new survey from computer manufacturer Dell demonstrate just how careless some healthcare professionals can be with patients’ protected health information (PHI) and other critical data.
Sharing confidential information
To find out exactly how well employees handled sensitive data such as PHI, Dell surveyed over 2,600 professionals at various companies with 250 or more employees.
Across all industries surveyed, 72% of participants said they are willing to share confidential, sensitive or regulated company information under some circumstances. In healthcare specifically, 68% of employees are willing to divulge these details.
The situations under which staff would release this information vary, and many of them are relevant to a hospital’s normal operations: 43% would relay these details if directed by management, and 37% would share them with a person who’s authorized to receive the information.
However, some circumstances are less justifiable. In 23% of cases, employees decide to share confidential information if they believe the risk to their company is very low compared to the potential benefits of releasing data. Employees are also more willing to discuss confidential information if they feel it’ll help themselves (22%) or the recipient (13%) do their jobs more effectively.
Although most employees will likely use their best judgment in these cases, the information can still end up in the wrong hands, especially since many employees share it over channels that aren’t secure.
It’s one thing to send PHI to authorized professionals through a secure messaging system or an encrypted email account, but many workers don’t take these precautions consistently. Nearly half (46%) of those surveyed connect to public, unsecured Wi-Fi to access and transmit confidential information, and even more (49%) admit to using their personal email accounts for work purposes.
The figures are worse in highly regulated sectors like healthcare and finance: 48% of those employees have connected to public Wi-Fi to access confidential data, and 52% have sent work-related messages from their personal email accounts.
Since everyone’s on the go nowadays, providers and other employees are taking company-issued laptops and smartphones with them, using these devices to connect to unsecured networks while they’re offsite.
There’s also another significant danger with this practice: if these devices are lost or stolen, it creates a serious problem for hospitals, particularly when the data stored on them isn’t encrypted. Under the HIPAA breach notification rule, PHI that was encrypted in line with HHS guidance is treated as unusable to an unauthorized party, so a lost laptop with full-disk encryption (and keys the finder doesn’t have) generally does not trigger a reportable breach, while an unencrypted one does.
Nearly equal percentages of those in regular small to mid-size organizations (22%) and highly-regulated industries (21%) admitted to losing a company-issued work device.
Key steps for hospitals
To prevent these problems and decrease the likelihood of costly data breaches, certain issues need to be specifically addressed in your IT policies, including:
- Information sharing. Hospitals need to have rules in place that clearly indicate the circumstances when it’s acceptable to share PHI and other confidential patient data. This includes the people who are allowed to receive this information and the methods in which it can be shared.
- Security. Work closely with your IT department to create security policies that recognize the convenience of on-the-go data sharing but also set protocols that keep information protected as it’s transmitted among staff and stored on portable devices, such as encrypted messaging and email for PHI and encryption of company-issued laptops and phones.
- Training. Staff should be regularly trained on the importance of adhering to security best practices when sharing PHI electronically. Discourage them from using unsecured Wi-Fi or unencrypted personal email accounts and devices when discussing patient care.
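An information-sharing policy is only as good as the controls that enforce it. As an added illustration, not from the article or from Dell’s survey, the script below shows the kind of check a mail gateway or DLP tool would run over outbound mail records to catch the two habits the survey highlights: PHI sent to or from personal webmail accounts, and PHI sent to outside parties over a hop that wasn’t protected by TLS. The hospital domain, the list of consumer mail providers, the record schema and the log entries are all constructed for the example, and the regexes are deliberately coarse indicators rather than a tuned PHI classifier.

```python
"""Flag outbound mail carrying PHI indicators to personal webmail or over an
unprotected external hop. Added illustration: the domains, patterns and log
records below are constructed assumptions, not data from the survey."""
import re
from dataclasses import dataclass, field

ORG_DOMAIN = "example-hospital.org"          # assumed hospital mail domain
PERSONAL_MAIL_DOMAINS = {                    # assumed consumer webmail providers
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com",
}
# Coarse PHI indicators; a production DLP policy would use validated, tuned patterns.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[\s:]*\d{1,2}/\d{1,2}/\d{2,4}\b",
                      re.IGNORECASE),
}


@dataclass
class Finding:
    message_id: str
    sender: str
    reasons: list = field(default_factory=list)


def mail_domain(addr: str) -> str:
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def phi_indicators(text: str) -> list:
    """Names of the PHI patterns that match anywhere in the text."""
    return [name for name, pat in PHI_PATTERNS.items() if pat.search(text)]


def check_message(msg: dict) -> list:
    """Policy violations for one gateway record (empty list if clean).

    Assumed record schema: id, from, to (list of addresses), body,
    tls (True if the delivery hop to the recipient's server used TLS).
    """
    hits = phi_indicators(msg["body"])
    if not hits:
        return []                      # no PHI indicators, nothing to enforce
    tag = ", ".join(hits)
    reasons = []
    if mail_domain(msg["from"]) in PERSONAL_MAIL_DOMAINS:
        reasons.append(f"PHI ({tag}) sent from personal account {msg['from']}")
    for rcpt in msg["to"]:
        dom = mail_domain(rcpt)
        if dom in PERSONAL_MAIL_DOMAINS:
            reasons.append(f"PHI ({tag}) sent to personal mailbox {rcpt}")
        elif dom != ORG_DOMAIN and not msg["tls"]:
            reasons.append(f"PHI ({tag}) sent to external {rcpt} without TLS")
    return reasons


def scan_log(records) -> list:
    """Run the policy over a batch of records and collect the findings."""
    findings = []
    for rec in records:
        reasons = check_message(rec)
        if reasons:
            findings.append(Finding(rec["id"], rec["from"], reasons))
    return findings


# Constructed mail-gateway records for the demonstration.
SAMPLE_LOG = [
    {"id": "m1", "from": "nurse@example-hospital.org",
     "to": ["dr.lee@example-hospital.org"],
     "body": "Pt MRN 00482931 moved to bed 4, labs pending", "tls": True},
    {"id": "m2", "from": "nurse@example-hospital.org",
     "to": ["me.home@gmail.com"],
     "body": "Forwarding chart: MRN 00482931, DOB 03/14/1962", "tls": True},
    {"id": "m3", "from": "billing@example-hospital.org",
     "to": ["claims@partner-insurer.example"],
     "body": "Patient SSN 123-45-6789 for claim #7781", "tls": False},
    {"id": "m4", "from": "nurse@example-hospital.org",
     "to": ["me.home@gmail.com"],
     "body": "Lunch at 1? Cafeteria has tacos", "tls": True},
    {"id": "m5", "from": "dr.patel@yahoo.com",
     "to": ["dr.lee@example-hospital.org"],
     "body": "Re: MRN 00517722 consult notes attached", "tls": True},
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.message_id, f.sender, "->", "; ".join(f.reasons))
```

Records m1 (internal, TLS) and m4 (personal mailbox but no PHI) pass; m2, m3 and m5 are flagged. Two caveats for anyone adapting this: regex indicators both miss PHI that doesn’t carry an obvious identifier and fire on things that merely look like one, so findings should feed a review queue rather than an automatic block, and TLS on the delivery hop only protects the message in transit; it says nothing about whether the recipient was authorized to receive it, which is the policy question the information-sharing rules above have to answer.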