News Feature | March 17, 2014

3 Of 4 Providers Say Employees Are Security Concern

Katie Wike

By Katie Wike, contributing writer

Healthcare Employees Security Concern

Cybercrime and breaches are common in a world of BYOD and snooping employees, can providers do anything strengthen mobile security?

Can providers trust their employees to adhere to HIPAA privacy rules and keep mobile devices secure? Apparently not, according to a number of new studies. Security breaches aren’t only coming from hackers in faraway countries; many happen behind reception desks and nurses’ stations.

The 2013 HIMSS Security Survey found the greatest motivation behind a cyber-attack was snooping employees, followed by financial and medical identity theft.

Three of four providers said employees are a top security concern in the latest Benchmark Study on Patient Privacy and Data Security from Ponemon. In 2010, 20 percent of breaches were attributed to criminal activity while the other 80 percent were the result of negligent employees. In this year’s study, researchers found the number of criminal breaches had doubled to account for 40 percent of all attacks.

Ninety percent of healthcare organizations in the study had at least one data breach in the past two years. The good news is, only 38 percent report that they have had more than five incidents, a decline from last year’s reporting of 45 percent of organizations experiencing more than five. Ponemon suggests this means providers are doing a better job of securing patient information, a statement backed by reports most providers (78 percent) use multiple security methods on mobile devices.

Although hospital devices are secure, employee devices are not and Ponemon found some other worrisome statistics. For example, 88 percent of respondents said they already allow employees to have access to patient records on the network via their own devices. According to mHealth News, 38 percent of those employees don’t secure their devices and providers are not confident BYOD devices are secure.

The report explains, “Fifty-five percent of organizations agree they have the policies and procedures that effectively prevent or quickly detect unauthorized patient data access, loss or theft. Unfortunately, the budget, technologies and resources needed to safeguard patient information from a data breach are not as available. Further, less than half (46 percent) of organizations have personnel who are knowledgeable about HITECH and states’ data breach notification laws.”