When Accenture surveyed over 900 health care provider and payer organizations across the U.S. and Canada, they found some surprising results: 18% of respondents said they would be willing to sell confidential data for as little as $500 — and 24% knew someone in their organization who already had.
Employees who sell information commonly do so by providing their login credentials, forwarding information to personal email addresses in large attachments or downloading information onto portable devices. Most employees who steal data do so for monetary gain, but disgruntled employees are also a threat to organizations, as they can easily access and then sell or leak information that is potentially damaging to the organization. But no matter the motivation involved, organizations can take three specific steps to prevent employees from selling confidential data.
1. Educate Employees
As an initial line of defense, organizations should take a proactive stance on education. This means teaching employees the laws relevant to your industry, why those laws exist and who they protect, and the consequences of breaking those laws.
When it comes to prevention, education isn’t a fool-proof method, but explaining the consequences of selling confidential data can certainly deter some employees from the get-go. The fact is, if an employee sells data to someone, it’s a crime. They’ll face the prospect of jail time and even civil action if their former employer decides to seek monetary compensation for the data breach. The $500 that Accenture’s survey respondents say they’d sell data for certainly isn’t worth ending up in prison or being sued.
2. Review and Restrict Excessive Rights
A big way organizations can prevent employees from selling confidential data is to limit access to only what each employee actually needs to perform their job.
Typically, when a new employee starts, they’re given access at an appropriate level, but over time, they often take on more responsibilities or even change roles within the organization. Yet instead of reviewing what the employee needs access to, organizations often simply grant the additional access rights without removing the ones the employee no longer uses or needs. These excessive rights make it easier and potentially more lucrative for employees to sell their login credentials and other valuable data.
To formally combat this, organizations should put two processes into place. The first process should require managers to review an employee’s access rights when they change positions or gain new responsibilities, and then work with IT to determine the new, appropriate level of access.
The second process should require the organization as a whole to review and revalidate every employee’s access rights on an annual basis. IT should provide each business or data owner with a list of who has access to that data, and the owner should review it to determine who still needs access and who can be restricted. Then IT can implement their changes, further protecting the organization’s data and helping lower the risk of a data breach.
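As an added illustration of the annual revalidation step above (example code, not from the article or from Wipfli), this builds the per-owner review list IT would hand to each data owner from a constructed entitlement export, flagging rights that fall outside the employee's current role baseline or that have not been used in a configurable number of days. The roles, resources, owners and dates are assumptions for the example.

```python
from collections import defaultdict
from datetime import date

# Assumed role baselines: the access each role is expected to need.
ROLE_BASELINE = {
    "billing_clerk": {"billing_share", "claims_app"},
    "hr_generalist": {"hr_share", "payroll_app"},
}
# Assumed mapping of each resource to the business/data owner who reviews it.
DATA_OWNERS = {
    "billing_share": "cfo", "claims_app": "cfo",
    "hr_share": "hr_director", "payroll_app": "hr_director",
}
# Constructed entitlement export: (user, current_role, resource, last_used).
ENTITLEMENTS = [
    ("jdoe", "hr_generalist", "hr_share", date(2018, 4, 20)),
    ("jdoe", "hr_generalist", "payroll_app", date(2018, 4, 25)),
    ("jdoe", "hr_generalist", "billing_share", date(2017, 9, 3)),  # left over from a prior billing role
    ("jdoe", "hr_generalist", "claims_app", date(2018, 4, 1)),     # also left over, but still in use
    ("asmith", "billing_clerk", "billing_share", date(2018, 4, 28)),
]

def recertification_report(entitlements, today, stale_days=90):
    """Group entitlements by data owner; annotate each with review flags."""
    report = defaultdict(list)
    for user, role, resource, last_used in entitlements:
        flags = []
        if resource not in ROLE_BASELINE.get(role, set()):
            flags.append("outside current role baseline")
        idle = (today - last_used).days
        if idle > stale_days:
            flags.append(f"unused for {idle} days")
        report[DATA_OWNERS[resource]].append((user, resource, flags))
    return dict(report)

def removal_candidates(report):
    """Rights the owner should look at first: anything carrying a flag."""
    return sorted((user, resource) for entries in report.values()
                  for user, resource, flags in entries if flags)

if __name__ == "__main__":
    rep = recertification_report(ENTITLEMENTS, date(2018, 4, 30))
    for owner, entries in rep.items():
        print(owner)
        for user, resource, flags in entries:
            print(f"  {user:8} {resource:14} {'; '.join(flags) or 'ok'}")
```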
3. Look for What’s Out of the Ordinary
Internal monitoring can help organizations both prevent and identify data breaches. This includes monitoring system audit logs for inappropriate activity and using third-party tools that look for abnormal activity. These tools capture the normal work profile of each employee, including what folders they normally access and what time of day they normally work, and track suspicious activity, such as if they’re forwarding emails with large attachments to their personal email address. Looking for what’s out of the ordinary can help catch employees before they actually sell the data.
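The profile-and-deviation logic described above, as an added example that is not code from the article or from any vendor tool: it learns each employee's usual folders and working hours from constructed prior activity, then flags off-hours access, first-time folder access, and large attachments sent to an address outside the corporate mail domain. The user names, paths, domain and size threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

CORP_DOMAIN = "example-health.org"    # assumed corporate mail domain
LARGE_ATTACHMENT = 10 * 1024 * 1024   # assumed threshold: 10 MiB

# Constructed prior activity used to build each employee's normal profile.
BASELINE = [  # (user, timestamp, folder)
    ("jdoe", "2018-04-02T09:15:00", "/shares/billing"),
    ("jdoe", "2018-04-03T10:40:00", "/shares/billing"),
    ("jdoe", "2018-04-04T14:05:00", "/shares/claims"),
    ("asmith", "2018-04-02T08:30:00", "/shares/hr"),
]
# Constructed events to evaluate against those profiles.
EVENTS = [
    {"type": "access", "user": "jdoe", "ts": "2018-04-10T02:12:00", "folder": "/shares/billing"},
    {"type": "access", "user": "jdoe", "ts": "2018-04-10T11:00:00", "folder": "/shares/patient_records"},
    {"type": "email", "user": "jdoe", "ts": "2018-04-10T11:20:00",
     "to": "jdoe.home@mail.example", "attachment_bytes": 25_000_000},
    {"type": "email", "user": "asmith", "ts": "2018-04-10T09:00:00",
     "to": "payer@example-health.org", "attachment_bytes": 25_000_000},
]

def build_profiles(baseline):
    """Per user: folders normally touched and the (earliest, latest) hour seen."""
    folders, hours = defaultdict(set), defaultdict(list)
    for user, ts, folder in baseline:
        folders[user].add(folder)
        hours[user].append(datetime.fromisoformat(ts).hour)
    return {u: {"folders": folders[u], "hours": (min(hours[u]), max(hours[u]))}
            for u in folders}

def flag_events(events, profiles):
    """Return (user, reason) for every event that deviates from the profile."""
    findings = []
    for e in events:
        prof = profiles.get(e["user"], {"folders": set(), "hours": (0, 23)})
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["type"] == "access":
            lo, hi = prof["hours"]
            if not lo - 1 <= hour <= hi + 1:  # one hour of slack around the observed window
                findings.append((e["user"], f"off-hours access at {hour:02d}:00 to {e['folder']}"))
            if e["folder"] not in prof["folders"]:
                findings.append((e["user"], f"first-time access to {e['folder']}"))
        elif e["type"] == "email":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain != CORP_DOMAIN and e["attachment_bytes"] >= LARGE_ATTACHMENT:
                findings.append((e["user"], f"{e['attachment_bytes']} byte attachment sent to external {e['to']}"))
    return findings
```

Real deployments would derive the hour window and folder set from weeks of history rather than a handful of records, and route findings to a reviewer rather than acting on them automatically.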
Monitoring also helps prevent disgruntled employees from selling or leaking data. Organizations must be diligent in recognizing employees who could pose this type of threat, with managers taking responsibility for bringing individual employees to the organization’s attention. Tracking letters of reprimand, problematic behavior and troubling trends in their work can help identify who may steal data or introduce a virus into the network. The organization should continue monitoring such an employee’s behavior and activity until it has determined either that the employee no longer poses that type of threat or that the employee needs to be fired.
While 99% of Accenture’s survey respondents said they feel responsible for data security, a full 18% were still willing to sell confidential data.[1] It’s up to organizations to take the measures they can to protect their patients (or customers), their data and their reputation.
If you would like to learn more about how your organization can safeguard your data, contact the cybersecurity and risk advisory specialists at Wipfli.
[1] “1 in 5 health employees willing to sell confidential data: 7 survey insights,” Julie Spitzer, Becker’s Hospital Review, March 2, 2018, https://www.beckershospitalreview.com/cybersecurity/1-in-5-health-employees-willing-to-sell-confidential-data-7-survey-insights.html, accessed April 30, 2018.