How Healthcare Organizations Are Undermining Their Data Security Efforts

by Sarah M. Worthy

The U.S. healthcare industry has been plagued with cybersecurity incidents and data breaches, which are increasing year after year. In fact, the healthcare industry experiences more data breaches than any other industry, including finance, education, manufacturing, public administration, and professional services. These breaches are not only costly but also potentially life-threatening to patients whose sensitive medical information is exposed.

Unfortunately, most healthcare organizations are inadvertently making it easier for hackers to gain access to their sensitive data through a culture that enables and, in many cases, encourages employees to bypass security protocols in favor of administrative bureaucracy.

Here are three ways in which healthcare organizations are making data breaches easier for hackers.

Requiring login and password access to physicians credentialing data on CAQH Proview and state licensing boards. Requiring employees to provide login and password information for personal accounts is a common practice in some healthcare organizations. However, this approach is flawed and sets a dangerous precedent for security culture within the organization. Not only does this increase the risk of data breaches and identity theft for clinical employees, but it also fosters a culture that deprioritizes cybersecurity and promotes password sharing and other insecure behaviors.

When people other than the clinician have access to this information, it opens up the question of data reliability. If anyone can login and edit the data as though they are the physician, they can attest to things that are not true and make claims about professional competencies they are not qualified to make, making the reliability of all clinician credentialing data within that database suspect.

By requesting personal login information from their employees, healthcare organizations send a message that cybersecurity is not a top priority, which can lead to complacency and a lack of understanding among employees about how to keep sensitive data secure. Instead, healthcare organizations should implement more secure methods of authentication and access control to ensure that only authorized personnel can access sensitive information.

Allowing and even encouraging clinicians to share logins and passwords to EMRs. Healthcare organizations may allow clinicians to share login credentials for EMRs and other systems to make it easier for them to access patient information quickly. Despite this practice being both a significant security risk and HIPAA violation, 73% of healthcare professionals admitted to using the password of another individual to access EHR records at least once, according to a study published by the Journal of American Medical Informatics Association.

This statistic is alarming and highlights the need for healthcare organizations to implement better security policies to prevent password sharing. Sharing login credentials among clinicians creates an opportunity for hackers to gain unauthorized access to sensitive patient information. Moreover, it makes it difficult to track who accessed the information, making it challenging to identify who is responsible for a potential data breach.

Despite the risks and regulations, some healthcare organizations continue to insist on having their EHR logins and passwords on file for other employees to see and use. This bad security practice is a problem that needs to be addressed to prevent future data breaches.

Failing to make regular cybersecurity training a requirement for ALL employees in the organization. Cybersecurity is everyone’s job, not just the IT or cybersecurity team’s job. Therefore, it is crucial for all employees in a healthcare organization to receive regular cybersecurity training. This training can help employees identify potential security threats and teach them best practices for avoiding them. It can also help employees understand the importance of protecting sensitive patient information and how their actions can impact the organization’s overall cybersecurity posture.

However, some healthcare organizations fail to make regular cybersecurity training a requirement for their clinical employees. This oversight can lead to employees unknowingly engaging in risky behaviors that could lead to data breaches. It is essential for healthcare organizations to make cybersecurity training a priority for all employees and to regularly update their policies and training programs to stay ahead of emerging cybersecurity threats.

Each cybersecurity incident costs a healthcare organization an average of $10.1 million, according to a 2022 report by IBM Security. To avoid these costs, healthcare organizations must take cybersecurity seriously and implement best practices to prevent data breaches.

Sarah M. Worthy is the CEO and founder of DoorSpace, a company that is transforming the way healthcare organizations retain and develop talent while solving critical turnover issues in the healthcare industry. Worthy has more than 15 years of experience in the B2B technology and healthcare industries. DoorSpace’s innovative technology “flips the script” on the question from “What makes people leave?” to “What makes people stay?”

In Business Dailies

Sign up for a complimentary year of In Business Dailies with a bonus Digital Subscription of In Business Magazine delivered to your inbox each month!

  • Get the day’s Top Stories
  • Relevant In-depth Articles
  • Daily Offers
  • Coming Events