Jeff Rowe, Editor, Future Care

Jeff Rowe is the editor of Future Care and a veteran healthcare journalist and blogger who has reported extensively on initiatives to improve the healthcare system at the local, regional and national level.

Surveys: most data security threats come from within healthcare organizations

April 21, 2017 AT 5:08 PM

Want to know who the biggest threat to patient data security is?

Go look in the mirror.

That’s the hard-to-deny takeaway from two recent surveys, one from HIMSS Analytics and one from Dell.  In the HIMSS survey, “78% of respondents identified employee security awareness/culture as the overall biggest concern in terms of security threat exposure, with nearly half of respondents ranking it as the top concern.”

Now, it’s true that that metric is somewhat generic in that it doesn’t identify “employee security awareness/culture” as the direct cause of specific data exposure events, a connection that would likely be impossible to make.  But the next finding hints at the core problem: “Slightly more respondents identified competing priorities than budget as an overall greater barrier to achieving a comprehensive security program.”

In other words, those “competing priorities” point to the fact that however important data security may be, it’s just one of several priorities healthcare professionals, and the organizations that employ them, are juggling on any given day.

The Dell survey, it seems, buttresses that point.  While this project surveyed IT professionals across a range of industries, it found that 68 percent of employees at healthcare organizations “would share sensitive, confidential or regulated information under certain circumstances. 

Some situations, such as being directed to do so by management (43 percent) or sharing with a person authorized to receive it (37 percent), would seem legitimate.

“But others, such as determining that the risk to their company is very low and the potential benefit of sharing information is high (23 percent), or feeling it will help themselves or the recipient do their jobs more effectively (22 percent and 13 percent respectively) play a bit looser with the rules.”

Once again, given the reality of dueling priorities, no small number of employees are not averse to playing the odds that their breach of security protocol won’t come back to haunt them.

“If there's any silver lining here,” our colleague writes in describing the Dell survey, “it's that employees say they want to do the right thing. Of those who engage in unsafe behavior, 24 percent of respondents said they do so to get their job done; 18 percent said they did not know they were doing something unsafe. Just 3 percent of respondents said they had malicious intentions when conducting unsafe behaviors.”

It seems fair to suggest that the 3 percent figure may be a bit low, as how many people with “malicious intentions” are actually going to reply honestly to even an anonymous survey?  But whether or not that figure is higher, one still might point out the potential destination, in data security terms, of a road lined even with good intentions.

On a practical level, perhaps one takeaway from these surveys is that while healthcare organizations should certainly continue to focus on developing sound security protocols and educating their employees concerning them, there will always be those employees who, for one reason or another, decide to look for a why around them.

Or, to adapt another, more recent aphorism, perhaps it’s best to view healthcare data security as what needs to happen while you’re making other plans.