8 top ways that provider employees put data at risk

Published February 06 2018, 4:00am EST

8 data security risks that healthcare employees take

Healthcare organizations have a lot at stake in protecting their information from getting into the wrong hands. Sadly, a recent survey finds that providers’ security posture is in jeopardy because their employees are not as aware or trained as they should be to protect data.

Media Pro surveyed 1,009 healthcare employees and compared their overall security posture with a broader sample of employees in other industries, which served as a control group. Media Pro, which offers information security educational services to change behavior and build a risk-averse culture, published a report in 2017 assessing the risk culture across multiple industries. Below are the findings.

Lack of incident reporting

Employees don’t take threats seriously enough, researchers conclude. Overall, 23 percent of providers failed to report a variety of potential security or privacy incidents, including unsecured personnel files and potentially malware-infected computers, compared with 19 percent for the control group.


Inability to identify personal information

Some 21 percent of provider employees failed to recognize some forms of personally identifiable information. Physicians and other care providers showed riskier behaviors than the control group, in which 19 percent did not recognize PII.

Negligence in physical security

Some 30 percent of provider employees said they would take unnecessary risks in scenarios related to giving others access to their office buildings. About 25 percent of provider employees said they would simply hold their office door open for a maintenance worker asking for access to a building, rather than telling him to wait while his identity was confirmed. Twenty-four percent of the control group would have acted the same way.

Inability to ferret out phishing attempts

While 18 percent of providers identified phishing emails as legitimate emails, only 8 percent of the control group did the same. The most misidentified email of the four examples presented was an email originating from a suspicious “from” address containing an image attachment. Doctors were three times worse at identifying phishing emails than their non-physician counterparts.


Lack of familiarity with malware warning signs

Almost a quarter of provider employees failed to recognize common signs of malware-infected computers. For example, 19 percent failed to recognize that a web browser repeatedly redirecting them to the same site, no matter which URL they entered, is a likely sign of malware.

Unawareness of risks faced by remote workers

Some 24 percent of provider employees chose risky options when asked about mobile computing or working remotely. For example, many chose to log on to an unprotected public Wi-Fi network to complete work tasks despite the danger it presents. Only 19 percent of the control group did the same.

Ignorance of cloud computing risks

Some 24 percent of provider employees chose risky actions when presented with scenarios involving storing company data or files on personal cloud-based storage, or sending work documents via personal email, compared with 11 percent of employees for the control group.


Misunderstanding the risks in using social media

Some 30 percent of provider employees said they would take potentially risky actions related to their organization on social media, such as re-posting a co-worker’s inappropriate social media post about a competitor.