8 data security risks that healthcare employees take
Healthcare organizations have a lot at stake in protecting their information from getting into the wrong hands. Sadly, a recent survey finds that providers’ security posture is in jeopardy because their employees are not as aware or trained as they should be to protect data.

Media Pro surveyed 1,009 healthcare employees and compared their overall security posture with a broader sample of employees in other industries comprising a control group. Media Pro, which offers information security educational services to change behavior and build a risk-adverse culture, published a report in 2017 assessing the risk culture across multiple industries. Below are the findings.
Employee Risks Feb. 2 AdobeStock_142688354 A.jpeg
Incident report form and a wooden stamp on grunge background
Lack of incident reporting
Employees don’t take threats seriously enough, researchers conclude. Overall, 23 percent of providers failed to report a variety of potential security or privacy incidents, including unsecured personnel files and potentially malware-infected computers, compared with 19 percent for the control group.
Employee Risks Feb. 2 AdobeStock_175334579 B.jpeg
Inability to identify personal information
Some 21 percent of provider employees failed to recognize some forms of personally identifiable information. Physicians and other care providers showed riskier behaviors than the control group, in which 19 percent did not recognize PII.
Employee Risks Feb. 2 AdobeStock_132774886 C.jpeg
Happy businesswoman receiving a package sitting on a desk at office
Negligence in physical security
Some 30 percent of provider employees said they would take unnecessary risks in scenarios related to giving others access to their office buildings. About 25 percent of provider employees said they would simply hold their office door open for a maintenance worker asking for access to a building, rather than telling him to wait while his identity was confirmed. Twenty four percent of the control group would have acted the same way.
Employee Risks Feb. 2 AdobeStock_92627697 D.jpeg
Inability to ferret out phishing attempts
While 18 percent of providers identified phishing emails as legitimate emails, only 8 percent of the control group did the same. The most misidentified email of the four examples presented was an email originating from a suspicious “from” address containing an image attachment. Doctors were three times worse at identifying phishing emails than their non-physician counterparts.
Employee Risks Feb. 2 AdobeStock_159926885 E.jpeg
Ransomware alert message on a laptop screen - man at work
Lack of familiarity with malware warning signs
Almost a quarter of provider employees failed to recognize common signs of malware-infected computers. For example, 19 percent failed to recognize that their Internet browser repeatedly was sending them to the same site, no matter which URL was entered, which likely is a sign of malware.
Employee Risks Feb.2 AdobeStock_137779779 F.jpeg
business woman Checking info of business. She works outside the office
Unawareness of risks faced by remote workers
Some 24 percent of provider employees chose risky options when asked about mobile computing or working remotely. For example, many chose to log on to an unprotected public Wi-Fi network to complete work tasks despite the danger it presents. Only 19 percent of the control group did the same.
Employee Risks Feb.2 AdobeStock_33475819 G.jpeg
A Virtual Machine moves from a cloud Server Rack to the other
Ignorance of cloud computing risks
Some 24 percent of provider employees chose risky actions when presented with scenarios involving storing company data or files on personal cloud-based storage, or sending work documents via personal email, compared with 11 percent of employees for the control group.
Employee Risks Feb. 2 AdobeStock_163162756 H.jpeg
blue devices top view blog 3d rendering. Some elements furnished by Nasa
Misunderstanding the risks in using social media
Some 30 percent of provider employees said they would take potentially risky actions related to their organization on social media, such as re-posting a co-worker’s inappropriate social media post about a competitor. More information on Media Pro is available here.