In this episode, we are joined by John Schoew, Managing Director of Accenture’s Health & Public Service Security Practice, to discuss cybersecurity issues with healthcare providers, payers, governments and educational institutions.
Mike Passanante: Hi, this is Mike Passanante. And welcome back to the Hospital Finance Podcast.
Hospitals and other healthcare providers go to great lengths to protect confidential data. However, their own employees could be undermining their efforts and putting them in jeopardy.
To offer some clarity on this topic, I’m joined by John Schoew who is an Accenture managing director. John leads Accenture’s Health & Public Service Security Practice in North America, working on cybersecurity issues with healthcare providers, payers, governments and educational institutions.
John, welcome to the show!
John Schoew: Mike, thanks for having me. Good to be here.
Mike: So John, Accenture recently released its 2018 Healthcare Workforce Survey on Cybersecurity. Why don’t you start out by telling us why you conducted this survey and who participated in it?
John: Happy to, Mike. You know, we’ve done previous surveys with security executives. We’ve done surveys with healthcare patients. But we haven’t done a survey looking at the attitudes, behaviors and beliefs of healthcare employees around the topic of cybersecurity. So, we were curious to understand where their heads are, what they’re doing, and what they believe about cybersecurity.
We had folks from the US and from Canada, around 900 patients, provider and payer employees that deal with patient records, sensitive healthcare data, et cetera. So, we’ve got a good swathe of healthcare employee population to take a look at.
Mike: Okay! So, let’s talk through some of the findings. First, let’s talk about what seems like a pretty straightforward thing, writing down usernames and passwords, and leaving them near your computer. That’s something we don’t do, right?
John: Well, ideally, it’s something we don’t do, I agree. And I think a lot of it is training, whatever industry we’re in, particularly healthcare. We’ll talk about that more in a minute. I think we all have heard it’s not a good idea to write your username and password next to your computer. And yet we found 21% of healthcare employees do just that. They do write their usernames and passwords next to their computer. And it’s a bit worse in the provider space. Twenty-three percent of employees said they did it in the provider space, and 17% said they did it in the payer space.
And so, we were surprised. I wasn’t expecting it to be quite this high. But there you have it! There are still folks that are behaving in ways that we know can put patient data at risk.
Mike: Now, we’ll talk about training more in a minute because that seems like a no-brainer. But obviously, we’re not there all the way yet.
Next, you asked employees about their awareness of someone selling access to patient data within organizations. And that finding was pretty striking too.
John: It was! It was one of the more striking findings we had. I’d seen in some other surveys more broadly across industry questions around willingness of employees to sell their login credentials to unauthorized third parties. So we asked some questions around that. And we found that 24% of healthcare employees are aware of someone within their organization selling access, which I found to be shocking. Again, back to saying that you’d think we all know right or wrong about cybersecurity. I think we’re seeing that it’s just not getting to everyone. We were certainly shocked when we came across that.
And again, we found that the payer employees are behaving a bit better. We found that 15% were aware versus 29% aware in the provider space. So again, the payer population seems to have a better grip on what’s important on cybersecurity than the provider space which is encouraging. But even these numbers are alarming across the board.
Mike: Yeah. As striking as that was—and I think you just alluded to it a second ago—what about the percentage of people who were willing to make a profit by providing access to an unauthorized outsider?
John: Yeah, this is what really struck me the most. Eighteen percent of healthcare employees are willing to make a profit by providing access to an unauthorized third-party—eighteen percent. Employees are aware of the value of healthcare data, and yet they’re still willing to do it. The trend there is 21% of provider employees and 12% of payer employees were willing to do it.
This was shocking. This is actually a bit higher than what we’ve seen in other folks’ studies which is around 10% willingness across industries. So, for some reason, we’re seeing healthcare employees were more willing to do it which is a grave concern of course.
Mike: It certainly is. There also seems to be a wide awareness of data breaches within organizations. What did you find there?
John: We asked employees whether there were breaches because we wanted to see their overall awareness of cybersecurity incidents and whether they’re paying attention to them. And nearly half say they were aware of breaches within their own organizations. Some were aware of 1 to 10 breaches, and some were aware of even more than that. It was around half.
And it was similar for payers and providers. And so it proved to us that cybersecurity is on people’s mind, they’re aware of it. And yet these behaviors that concern us are still happening.
Mike: And I’ve worked in several organizations that handle PHI and cybersecurity training or HIPAA trainings, privacy in general. It was something that was part of what we did. It was expected, and it was required. But that’s not always the case, is it?
John: It’s not. We found that 1 in 6 employees are unaware of training in an organization or the organization doesn’t offer it at all, 1 in 6. And even though they do get it, 29%, almost 1 in 3, only get it once. And so, clearly, training just isn’t resonating and just isn’t getting through.
As a matter of fact, we found that increased training did not correlate with better behaviors, which was incredibly shocking.
We actually found that those that had more training actually were more likely to sell their login credentials for a profit. So it certainly points to a need for a different way to think about cybersecurity training in healthcare.
Mike: Indeed! And at the end of the survey, you included four calls-to-action. Can you walk us through each of those?
John: The first one is around training, what we’ve been alluding to. I think it’s really important to optimize training for healthcare employees. You’ve got to make it relevant. You’ve got to make it memorable.
I think one of the challenges here is that, people, even though they get the training, I really believe in my experience in talking to employees that the impact that a data breach can have on patients—from a financial perspective, from a privacy perspective—just hasn’t sunk in all the way with some healthcare employees. And I think that’s what’s driving some of these self-reported bad behaviors that we’re seeing in the survey.
So, again, I see training needs to be made relevant. It needs to be made memorable. It can’t just be a check-the-box kind of mentality that folks are taking towards it.
And we also need to incentivize good behavior. Lead from the top. Have the senior leadership within the health organizations demonstrate and celebrate good cyber behaviors to their employees. I think that’s really important.
On the technology side, using many techniques to protect patient data is really important. Obviously, there are employees that are willing to engage in bad behavior like we’ve been talking about. And so we can’t just rely on training alone.
Encryption, tokenization, digital rights management, selective redaction are some of the technologies that can be deployed. That’s important. Monitoring and segmenting access to sensitive data since the parts of the network is absolutely critical and needs to be taken seriously.
I think importantly as well, on top of all of that, it’s important to have capabilities to monitor for suspicious and anomalous behavior. Once someone gains access via valid login credentials, we can’t assume anymore, as our survey showed, that that’s actually that employee who’s logged in. We’ve got to watch for anomalous and unusual behavior and lock it down when we see it so we figure out what’s happening.
So, I think those are the main things that we would certainly recommend for healthcare organizations to take to counter these bad behaviors that we’re seeing.
Mike: Well, John, thank you for sharing the findings with us today. They’re certainly a wake-up call for anyone who is not taking cybersecurity seriously.
And if someone wanted to get a copy of the survey results, where can they go?
John: They can go to Accenture.com/health. And they can find our survey there as well as other reports and other points of view that we published. It will be right there for them to find.
Mike: John Schoew, thanks for joining us today on the Hospital Finance Podcast.
John: Mike, thanks for having me. Have a good day!