Nearly one in five healthcare workers would be willing to sell confidential data for as little as $500 — and almost a quarter know someone in their organization who already has, according to an Accenture study covered in Becker’s Hospital Review.
Accenture’s survey was completed by 912 employees of provider and payer organizations in the U.S. and Canada and covered different ways that employees can expose confidential data. For example, employees can exploit private information by selling their login credentials, forwarding data to personal accounts, installing tracking software or malware, or downloading data to portable devices, among other methods.
Most employees steal data for monetary gain, according to the survey; however, disgruntled employees are also a threat. Any unhappy employee can sell or leak damaging information.
How to protect against internal threats
No matter the motivation, organizations can take three steps to protect confidential data and prevent it from being sold or mishandled.
1. Educate employees
As a first line of defense, make sure employees understand data privacy laws and regulations that healthcare companies adhere to, including why those laws exist, who they protect and the consequences of breaking the law.
Be clear about the consequences — and not just for the organization. Selling private data is a criminal offense, punishable by jail time and/or financial penalties. Plus, the employer can pursue civil action or monetary compensation against the employee for the breach. Suddenly, $500 doesn’t sound worth it.
2. Review and restrict access
Limit employees’ privileges so they can only access the applications and data they need to perform their jobs (the principle of least privilege).
Most organizations are good at managing access when a new employee starts. But over time, as people take on more responsibilities or change roles, their access grows. Many organizations grant additional access rights without removing privileges that are no longer needed or used. Excessive access rights make it easier (and potentially more lucrative) for employees to sell their login credentials and other valuable data.
To keep access reined in, managers should review employees’ privileges every time they change positions or gain new responsibilities. Work with the IT department to determine a new, appropriate level (or timeframe) of access.
The whole organization should undergo an annual review of every employee’s access rights. To do this, each business application or data set needs an owner. Every year, platform/data owners should revalidate the list of people who have access. Then, IT can update privileges and lower the organization’s risk of a data breach.
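The annual recertification described above is easy to automate once each application or data set has an owner. The following Python script is an added example written for this article, not Wipfli's or Accenture's code: it compares each account's current entitlements against a hypothetical per-role baseline, flags anything beyond the role's needs and anything not exercised within a review window, and produces the list an owner would sign off on. All role names, entitlement strings, users and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, hypothetical baseline: the entitlements each role actually needs.
# In a real program this comes from the application/data owner, not from IT guesses.
ROLE_BASELINE = {
    "nurse": {"ehr:read", "ehr:write-notes"},
    "billing": {"claims:read", "claims:write", "ehr:read"},
    "it-support": {"helpdesk:admin"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: set            # what the account can do today
    last_used: dict              # entitlement -> date last exercised, None if never


def review_account(acct, review_date, stale_after_days=90):
    """Return the findings an owner must sign off on for one account.

    excess: entitlements the account holds that its current role does not need
            (typically left over from a previous role).
    stale:  entitlements never used, or not used within stale_after_days.
    """
    baseline = ROLE_BASELINE.get(acct.role, set())
    excess = sorted(acct.entitlements - baseline)
    stale = []
    for ent in sorted(acct.entitlements):
        used = acct.last_used.get(ent)
        if used is None or (review_date - used).days > stale_after_days:
            stale.append(ent)
    return {
        "user": acct.user,
        "role": acct.role,
        "excess": excess,
        "stale": stale,
        "needs_owner_signoff": bool(excess or stale),
    }


def run_review(accounts, review_date):
    """Review every account; the result is the recertification worksheet."""
    return [review_account(a, review_date) for a in accounts]


# Constructed sample population (hypothetical users and dates).
REVIEW_DATE = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    # Moved from billing to nursing; the old claims:write right was never removed.
    Account("j.doe", "nurse",
            {"ehr:read", "ehr:write-notes", "claims:write"},
            {"ehr:read": date(2024, 6, 28), "ehr:write-notes": date(2024, 6, 29),
             "claims:write": date(2023, 11, 2)}),
    # Billing clerk whose access matches the role and is in active use.
    Account("a.lee", "billing",
            {"claims:read", "claims:write", "ehr:read"},
            {"claims:read": date(2024, 6, 30), "claims:write": date(2024, 6, 27),
             "ehr:read": date(2024, 6, 25)}),
    # Support technician granted chart access "just in case"; never used it.
    Account("s.kim", "it-support",
            {"helpdesk:admin", "ehr:read"},
            {"helpdesk:admin": date(2024, 6, 30), "ehr:read": None}),
]


def sample_review():
    return run_review(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in sample_review():
        if finding["needs_owner_signoff"]:
            print(f"{finding['user']} ({finding['role']}): "
                  f"excess={finding['excess']} stale={finding['stale']}")
```

Running the sample flags j.doe's leftover claims:write (both excess for a nurse and unused for over 90 days) and s.kim's never-used ehr:read, while a.lee passes clean. The two checks catch different problems: the role comparison finds privilege that crept in through job changes, and the last-used check finds privilege that was granted "just in case" and could be sold without the owner ever noticing.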
3. Watch for unusual activity
Information security tools can help you prevent and identify data breaches. That includes monitoring systems that audit and log activities and watch for abnormal activities, like unusually large file transfers or unusual access patterns.
Some monitoring tools capture a “normal” work profile for each employee, including files they typically access, the times of day they usually work and the location or device they use to log in. That makes it easier to spot and address suspicious activity before any data is sold or distributed.
You can also increase monitoring if an employee (or a data set) is deemed a higher risk. Among employees, that could include anyone who has recently been reprimanded or shown other problematic behavior in the workplace. Heightened monitoring can be turned on or off as needed.
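The per-employee "normal" profile described in this section can be demonstrated with a small detector. The following Python script is an added example written for this article, not the code of any monitoring product Wipfli or Accenture describe: it learns each user's usual working hours, login source and typical transfer size from a baseline period of access-log lines, then scores later events and reports why each one is unusual. The log format, user names, addresses and byte counts are constructed sample data in a hypothetical format.

```python
import re
from collections import defaultdict
from statistics import median

# Hypothetical access-log format (constructed for this example):
#   <ISO timestamp> user=<id> action=<verb> bytes=<n> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["ts"][11:13])   # hour of day from the ISO timestamp
    event["bytes"] = int(event["bytes"])
    return event


def build_baselines(events):
    """Per-user profile: hours of day seen, source addresses seen, transfer sizes."""
    profiles = defaultdict(lambda: {"hours": set(), "srcs": set(), "sizes": []})
    for e in events:
        p = profiles[e["user"]]
        p["hours"].add(e["hour"])
        p["srcs"].add(e["src"])
        p["sizes"].append(e["bytes"])
    return profiles


def score_event(event, profile, size_factor=10):
    """Return the list of reasons an event deviates from the user's profile."""
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["hour"] not in profile["hours"]:
        reasons.append(f"off-hours access at {event['hour']:02d}:00")
    if event["src"] not in profile["srcs"]:
        reasons.append(f"new source {event['src']}")
    typical = median(profile["sizes"])
    if event["bytes"] > size_factor * typical:
        reasons.append(f"transfer of {event['bytes']} bytes exceeds "
                       f"{size_factor}x typical ({typical:.0f})")
    return reasons


def detect(baseline_lines, new_lines):
    """Learn profiles from baseline_lines, then return alerts for new_lines."""
    base_events = [e for e in map(parse_line, baseline_lines) if e]
    profiles = build_baselines(base_events)
    alerts = []
    for line in new_lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = score_event(e, profiles.get(e["user"]))  # .get does not create a profile
        if reasons:
            alerts.append((e["user"], e["ts"], reasons))
    return alerts


# Constructed baseline week for one user: daytime, one workstation, small transfers.
BASELINE_LOG = [
    "2024-06-03T08:15:02 user=j.doe action=view bytes=4096 src=10.1.4.22",
    "2024-06-03T10:40:11 user=j.doe action=view bytes=8192 src=10.1.4.22",
    "2024-06-04T13:05:47 user=j.doe action=export bytes=12288 src=10.1.4.22",
    "2024-06-04T15:22:30 user=j.doe action=export bytes=16384 src=10.1.4.22",
    "2024-06-05T09:58:09 user=j.doe action=view bytes=8192 src=10.1.4.22",
]

# Constructed later events: one routine, one bulk export at 2 a.m. from an
# unknown address, and one from a user with no history at all.
NEW_LOG = [
    "2024-06-10T10:02:44 user=j.doe action=view bytes=8192 src=10.1.4.22",
    "2024-06-11T02:17:09 user=j.doe action=export bytes=524288000 src=203.0.113.5",
    "2024-06-11T11:00:00 user=m.new action=view bytes=4096 src=10.1.4.30",
]


def run_sample():
    return detect(BASELINE_LOG, NEW_LOG)


if __name__ == "__main__":
    for user, ts, reasons in run_sample():
        print(f"{ts} {user}: " + "; ".join(reasons))
```

On the sample data the routine daytime view produces nothing, the night-time bulk export is reported with three independent reasons (hour, source and size), and the unknown user is surfaced for review rather than silently accepted. Stacking reasons is the useful part: a single off-hours login may be a late shift, but off-hours plus a new device plus a transfer far outside the user's norm is the pattern worth acting on before the data leaves. The "heightened monitoring" the section mentions maps naturally onto a lower size_factor or a stricter hour set for the flagged employees.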
How Wipfli can help
In the Accenture study, 99% of respondents said they feel responsible for data security. And they are. But your organization will be held accountable to patients, consumers and regulators if there’s a security incident.
Take measures to protect patient data and confidential business information. We can help you create a layered plan to safeguard sensitive data and lower your overall business risk. Contact the cybersecurity and risk advisory team at Wipfli today.