Healthcare News & Insights

Survey: Employees steal data and don’t know they shouldn’t

Many data breaches in health care are caused by employees’ actions or negligence – and a new survey shows many workers are clueless about their organization’s security policies. 

Insider threats are a common cause of healthcare data breaches, due to both employee negligence and malicious abuse of access privileges.

Last year, for example, a hospital employee was fired after stealing patients’ protected health information and selling it to criminals who used it to forge prescriptions.

In addition to those intentional thefts, poor security habits and negligence on the part of employees are also factors in many attacks carried out by outside agents. In fact, employee mistakes were one of the root causes of 41% of healthcare data breaches in 2012, according to the Ponemon Institute.

In many cases, the breach occurred because of a lost or stolen portable computing device the employee was using, or because the employee violated the organization’s IT security policies.

In other incidents, employees violate patient privacy simply because they don’t know what they’re doing is a violation. For example, staff members may look at the records of someone whose care they aren’t involved in, as happened at one hospital last November.

Employees in all industries frequently put data at risk or steal information outright — and without knowing they aren’t supposed to do so, according to a recent study from security vendor Symantec.

For example, 62% of the 3,300 employees surveyed said it’s acceptable to transfer work-related documents to personal computers, tablets, smartphones or online file sharing applications. That’s despite the fact that most organizations have policies against doing so, especially in health care where many data breaches have occurred because unencrypted patient data was carried off an organization’s premises using a personal device.

In addition, half of employees who’ve left a job in the past year say they took sensitive information with them, with most believing that doesn’t violate any security rules enforced by their employer.

What it means for health IT departments: Educating employees about what the organization’s security policies are and why they’re in place could go a long way toward preventing many data breaches.
