Almost one in five (18%) employees in the healthcare industry in the United States and Canada said that they would be willing to give access to confidential medical data about patients to an unauthorized outsider for financial gain, a survey for Accenture has revealed.
They would expect no more than $500 to $1,000 for their login credentials or for deliberately installing tracking software or downloading the data to a portable drive.
The remaining 82% said that no amount of money would make them sell the records, according to the survey, called Losing the Cyber Culture War in Healthcare: Accenture 2018 Healthcare Workforce Survey on Cybersecurity.
The problem was particularly acute among provider organizations, as opposed to payer organizations (21% vs. 12%). Also, and perhaps counterintuitively, staff with more frequent cybersecurity training were more inclined to engage in such practices.
In addition, this way of compromising patient data is not a purely hypothetical phenomenon. Roughly one in four (24%) respondents said that they were actually aware of a co-worker who had made a profit by providing a third party with access to such information.
Accenture noted that such conduct contributes to the fact that healthcare organizations in seven countries spent an estimated $12.5 million each, on average, dealing with impacts of cybercrime in 2017. The figure comes from the firm’s report called 2017 Cost of Cyber Crime Study.
Meanwhile, there was an almost universal (99%) sense of responsibility among the respondents for data security. Nearly all (97%) also claimed that they understand the data security and privacy standards of their organization. And yet there is some disconnect, as one in five (21%) healthcare workers admitted to writing down their login credentials near their computers.
A total of 912 employees of provider and payer organizations in the US and Canada were polled for the survey, which was conducted online in November. All of the respondents have access to electronic health data such as personally identifiable information (PII), payment card information (PCI), and protected health information (PHI).
In another study by Accenture in 2017, 88% of patients in the US said that they trust their physicians or other healthcare providers to ensure security for their electronic medical data. A quarter said that they had experienced a breach of such data.
Author Tomáš Foltýn, ESET