How Your Employees are Unknowingly Putting Data at Risk

Like most criminals, the shady characters who are out to steal your data will be much more likely to succeed if they have an accomplice on the inside. Unfortunately, there’s a good chance they’ll find more than a few accomplices on your staff.

Of course, the employee who ultimately opens the safe and green-lights the thieves probably won’t do it deliberately. He or she probably won’t realize how it happened, but the damage will be just as complete as if the employee were in on the caper.


Inviting target

To the would-be data thief, healthcare is fertile territory. Policies are often lax or loosely enforced. Employees are often overconfident and/or naive. And the number of entry points that can lead to breaches is disconcertingly high.

One survey found that healthcare ranked 15th of 18 industries in regard to the security risk known as “social engineering” — the buzz phrase describing vulnerability to schemes that manipulate employees into divulging confidential or personal information. The survey “show[s] that security awareness and employee training are likely not sufficient,” says Alex Heid, Chief Research Officer at SecurityScorecard, which monitors security risks. “Security is only as strong as the weakest link,” he adds.


Epidemic of infections

Those weak links — unwitting employees — have played a part in 52% of all data breaches, a CompTIA study finds. And the relative ease with which nefarious actors have managed to hack healthcare facilities has reduced the unscathed to a small minority. According to the 2016 Healthcare Industry Cybersecurity Report, more than 75% of the entire healthcare industry had been infected with malware during the previous year.

How do unwitting employees get taken for a ride? Here are just some of the ways:

  • Phishing (or spear-phishing) scams. Phishing attacks are increasing and evolving. In 2016, one of every 131 emails contained malware. Some are obvious. Some are less so. Either way, once a targeted recipient takes the bait and opens a malicious attachment, malware installs on the system and the attacker can begin to move toward his objective. “Employees are often the lowest-hanging fruit when it comes to phishing, spear-phishing and other social-engineering attacks,” says Mr. Heid. “For a hacker, it only takes one piece of information … to exploit an employee into divulging sensitive information, or to provide an access point into that organization’s network.”
  • Personal devices. Smartphones, laptops and USB drives can be security nightmares. People visit questionable sites, download unverified applications and fail to lock their devices with passwords. If they then shift into work mode, they can expose their employers to the malware or spyware they’ve unknowingly brought with them.
  • Weak Passwords. Believe it or not, a 2016 study of 10-million passwords found that one in six people were using “123456.” Worse yet, the list of the top 25 most popular passwords, which accounted for more than half of all passwords overall, included such ridiculously easy-to-crack variations as “111111,” “password,” and “654321.”
  • Questionable browsing. Websites that let users download movies or music are especially risky, say experts. As are (and should probably go without saying) adult websites.
  • Social media. Cyber-attackers are on the lookout for information they can use to help launch phishing attacks — a photo of an office setting or excessive information about one’s job, for example. Harmful links and downloads abound on social media, as well.
  • Unsecured wireless connections. Most people either don’t know or underestimate the dangers involved in using public Wi-Fi. A recent survey found that 87% of American consumers had used it at one time or another, and more than 60% assumed it was safe.
  • Free software. Conscientious employees may be tempted by programs that provide simple services, such as converting word files into PDFs, for free. But a free program may be more likely to contain malicious code.

Don’t just educate

Many facilities are recognizing how vulnerable they are, and wisely employing technology to protect coveted data. But unless they make sure employees clearly understand the dos, the don’ts and the dangers surrounding data security, thieves will continue to see healthcare as an easy and profitable mark.

How can you beef up your defenses where employees are concerned? Ongoing education and training are essential, but don’t settle for a classroom Q&A, says security expert Marc van Zadelhoff, writing for the Harvard Business Review: “User awareness programs are the key to educating insiders. Train your people, test them, and then try to trick them with fake exercises.”

Doing so requires work and perseverance, he says, but the extra effort will have a disproportionate positive impact on the safety of your data.

Michael Murphy, MD
Dr. Michael Murphy is co-founder and Chief Executive Officer of ScribeAmerica, LLC. He co-founded ScribeAmerica in 2004, and it is now the country’s largest and most successful medical scribe company with a staff exceeding 7200 employees operating in over 46 states nationwide. Today, ScribeAmerica is the recognized leader of the medical scribe industry and remains at the forefront of professional scribe education, training, and program management nationally. Dr. Murphy served as an Army Ranger for the 1st Ranger Battalion in Savannah, Georgia, which allowed him to gain various leadership skills along with the ability to develop standard operating procedures. He applies this to his daily duties for ScribeAmerica. Dr. Murphy has been a leader on multiple issues including scribe policy, hospital throughput, electronic medical record implementation and optimization of provider to patient ratios. His goals are to continue making all medical practice locations an environment built for an exceptional patient experience that allows providers to focus solely on patient care. Dr. Murphy received his Doctor of Medicine from St. George's University and completed his residency training in Emergency Medicine at the University of Medicine and Dentistry of New Jersey in Newark. He has co-authored one textbook and is involved in 3 peer review articles.
Posted In: Compliance, Future of Healthcare, General, Quality, Efficiency, Utilization On: Tuesday, 17 April, 2018

Leave A Comment


Copyright © 2004-2019. Scribe America. All Rights Reserved.