HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

68% of Healthcare Employees Would Share Regulated Data

The Dell End User Security Survey has revealed that sensitive information, including data covered by HIPAA Rules, would be shared by employees without authorization under certain circumstances.

The Dell End User Security Survey sought to uncover how widespread the unauthorized sharing of confidential information has become. The results show that even in heavily regulated industries such as healthcare, unauthorized data sharing is occurring.

The survey was conducted on 2,608 individuals whose job duties involve handling confidential information. Across all industries, an alarming 72% of employees said they would willingly share sensitive information. 68% of healthcare employees who took part in the survey also confirmed that they would share PHI without authorization under certain circumstances.

Dell explains that in most cases, unauthorized sharing of confidential data is not malicious. It occurs when employees are trying to be more efficient and work as effectively as possible. Unfortunately, however, in an effort to get more work completed in less time, those employees are taking considerable security risks. In the case of healthcare employees, those actions could potentially violate the privacy of patients and result in their organization facing a significant HIPAA penalty.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Across all industries, 43% of employees would share sensitive, confidential data if they were directed to do so by management and 37% would share data with a person that was authorized to receive it. As Dell points out, this is why cybercriminals pose as trusted individuals and why business email compromise is so effective.

Other situations when employees would share data include if the risk was low and the benefit was high (23%), if it would allow them to perform their job more effectively (22%) and if it made the recipient of the information able to work more effectively (13%).

Dell explains that employees make the decision to share data independently and that they assess the risks and benefits of doing so on a case by case basis and points out that it is up to organizations to put policies and procedures in place to define the circumstances under which information can be shared. However, it is also important to ensure that employees are aware that when data are shared, it happens in a secure fashion.

Some of the most common security risks taken by the respondents who work in highly regulated industries such as finance and healthcare were using personal email accounts to send confidential information – 52% of respondents – and accessing confidential data via public Wi-Fi hotspots – 48% of respondents.

35% of respondents said it was common to take confidential work information with them when they changed employment. When that does occur, 61% used a USB drive and 56% sent the information to a personal email account.

Other risky behaviors involved using work-issued devices to access personal social media accounts – 46% of respondents – and using public cloud services to store or save their work – 56% of respondents.

The survey revealed that two out of three employees feel it is their own responsibility to educate themselves on possible risks, rather than being told by their company. However, while training on cybersecurity is important, it is not 100% effective. Even when provided with training on best practices, 24% of trained employees said they still engaged in unsafe behavior in order to get their work done.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.