Don’t ignore one of the most important aspects of healthcare data security – your people.
We have discussed previously how healthcare organizations are more at risk for data breaches as they increasingly depend on data systems and mobile devices for their operation. But there’s another side to healthcare IT, and one that in many ways is more difficult to deal with: The people. Here’s why human error – and human malice – need to be top concerns in any healthcare IT plan.
The Worst Hacking Vulnerabilities Are Employees
While vulnerabilities are changing due to mobile devices and Wi-Fi networks, employees themselves remain one of the top vulnerability for healthcare organizations. Ultimately, data security is dependent on employee actions and understanding. A simple action like writing down a password on a note by the computer allows anyone walking by to access records. A non-action like not reporting a missing mobile device can have a similar consequence.
And sometimes, employees themselves can be the hackers: In a recent case involving the St. Charles Health System of Oregon, a caregiver was discovered to have accessed the records of 2,500 different patients over more than two years, all without authorization. The access could be traced via ePHI records, but nothing was preventing this caregiver from accessing the data in any case. The “hack” was simply going into the database and looking at a file. For what it’s worth, the caregiver claimed they had no malicious intent, but that’s beside the point: This represents a tremendous failure in healthcare IT and security, and it’s not uncommon. St. Charles is not a backwater without the capability to improve security and access controls – it simply didn’t happen. And if a non-malicious employee can access supposedly secure health data almost by accident, think how much easier it is for employees with malicious intent.
Employee Education is Vital
The moral of the story isn’t just about adding better access controls to healthcare systems. Clearly, that’s a good idea, especially for organizations that don’t have rigorous controls and monitoring options that automatically pick up on unusual or unauthorized behavior. But the real problem here is a people problem, and that’s what healthcare IT strategies need to take notice: When it comes to systems protection, the most vulnerable system of all is the one made of employees.
The data backs this up. Experian research shows that 55% percent of companies have experienced a data breach due to employee error, while around 60% admit that their employees do not know company security risks. A 2017 Level 3 study reported that that lack of employee awareness and education was the top threat according to 125 health IT executives and professionals. When considering security, the problem of employees must be a priority. This presents its own challenges: Healthcare hires need to access data, sometimes private or protected data. How can it be protected from them when it’s part of their position requirements?
One of the best responses is employee education. Orientation and on-the-job training cannot be temporary actions when data safety is on the line: Without continuous training and consistent policy updates, employees with forget or stop caring about safety practices. It’s human nature, and it needs to be met with more frequent classes and reminders on why data is protected, why security is important, and what safety protocols must always be followed.
Reporting Systems Must Be Robust
In addition to education, healthcare organized should review their monitoring and reporting systems. Databases should have a clear trail that shows exactly when and how data was accessed in the past (many common, encrypted tools and server apps have these capabilities now, so there is no excuse for delaying on this). There should also be a systems of checks in place for automatic or in-person review if something goes wrong: No one should be able to illegally access medical records for two years without anyone noticing. This is the sort of action that should send red flags up in the system.
BYOD is Already a Healthcare Headache
Human behavior also loops around to BYOD and other mobile device policies. Any time data is stored or accessed on a mobile device, employee management of that data becomes a primary concern. First, data is much harder to track when it is multiple places at once, which occurs with mobile devices that do not have any type of virtualization option. Second, mobile devices are physically controlled by employees (particularly BYOD devices) and they can be lost, stolen, forgotten at home, and used inappropriately…far more easily than a desktop computer. In the push toward mobile, healthcare organizations cannot ignore the vulnerabilities this creates.
Healthcare Requires External Partners
We should also note that these employee-level concerns are not just an in-house concern. Healthcare work frequently requires partners, suppliers, referrals and other types of communication with outside organizations – introducing a new human element into the equation. At some point, you have to accept the risk when data leaves the organization en route elsewhere. But it’s an important reminder to stick to the proper channels, and vet partners carefully before passing along data.