1 in 5 Health Workers Willing To Sell Patient Information


Your patient data may be less safe than you originally thought. A new report from Accenture shows that 1 in 5 healthcare workers would be willing to sell patient information for as little as $500 – $1000.

Based on a survey of 912 healthcare employees in the U.S. and Canada, the report indicates that the healthcare industry’s cybersecurity defenses are being undermined by its own workforce. 24 percent of workers admitted to knowing someone in their organization who has sold their credentials or access to an unauthorized user.

Even if an individual doesn’t opt to sell patient data, it also seems relatively easy to steal it. Nearly all workers said they were given at least basic cybersecurity training as part of their employee training, however, 21 percent who said they keep their username and password written down next to their computer. In that instance, all it takes is someone walking by the right empty desk at the right time and patient data is exposed. Responses in the report also show that if individuals are required to take security training frequently they are even more likely to write down usernames and passwords and leave them next to their computers.

The type of healthcare organization also impacts employee willingness to sell data. Respondents from provider organizations were significantly more likely than those in payer organizations to say they would sell confidential data – 21 percent vs. 12 percent. This includes selling login credentials, installing tracking software and downloading data to a portable drive, among other actions. Payer organizations can be insurers, financial companies or other organizations that pay for treatments. Provider organizations can include doctors offices, urgent care centers or hospitals. Employees at provider organizations often have more detailed information that could include specific treatments or medical histories.

Healthcare data breaches are becoming more common as cyber adversaries find few obstacles barring them from gaining access to patient information. Earlier this month, Partners Healthcare, whose hospitals include large and high profile campuses like Massachusetts General and Brigham and Women’s Hospital notified patients that malware led to the exposure of names, addresses and other patient information. Thousands of patient records were compromised over the course of 2017, according to research from Becker’s Hospital Review.

As CivSource has previously reported, health professionals have also left medical devices open to attack by failing to change administrative passwords from what is put on the device by the manufacturer. In that case, adversaries could have access to sensitive medical devices with something as basic as an admin/admin login, allowing them to change the frequency of monitoring or treatments, potentially endangering lives.

“Health organizations are in the throes of a cyber war that is being undermined by their own workforce,” said John Schoew, who leads Accenture’s Health & Public Service Security practice in North America. “With sensitive data a part of the job for millions of health workers, organizations must foster a cyber culture that addresses these deeply rooted issues so that employees become part of the fight, not a weak link.”