What do Facebook and healthcare data have in common?

April 9, 2018 / By Barbara Aubry, RN

If you listen, watch or stream news updates then you’ve likely heard about the Facebook data privacy scandal. During a recent early morning treadmill jaunt, I listened to a CNBC interview of Michael Fertik, founder of Reputation.com, an attorney and a Harvard instructor. He was asked to give an insider’s thoughts on data privacy. With a wide grin, he shared some interesting comments about the safety of data shared on Facebook and the internet in general. He confirmed “all personal data is given away”—it’s the heartbeat of the internet economy. He asked how many of us actually 1) read an entire online data privacy agreement or 2) actually understand what it means and know what we are agreeing to. I’m guilty as charged.

Fertik also mentioned his concern regarding the popularity of online quizzes and surveys with innocent titles like “Which person in history do you resemble?” or “If you support national ice cream fudge sundae day, click here.” This seemingly innocuous entertainment is actually a popular way of collecting data from unsuspecting participants. Think about it; most would not share personal information with a stranger who approached them on the street with a “quiz.” But online it seems “safer,” especially when seen on websites or online communities we trust. Fertik reminds us these methods are dangerous because the user has no idea who is really gathering the data or what it will be used for—or who it will be sold to or shared with. And few know the identity or intentions of the third party aggregator or purchaser—certainly not the individual sharing their data. Hmmm.

Following quickly on the heels of the Facebook news, I read an article by Julie Spitzer on Becker’s Hospital Review titled “1 in 5 health employees willing to sell confidential data: 7 survey insights” that literally made me cringe. The data was gathered by Accenture in a survey of 912 provider and payer organizations in the U.S. and Canada. The findings:

  1. About 18 percent of respondents said they would be willing to sell confidential data—such as login credentials, installing tracking software and downloading data to a portable drive—to unauthorized parties for as little as $500 to $1,000.
  2. About 24 percent of respondents said they knew of someone in their organization who sold credentials or access to an unauthorized outsider.
  3. Respondents from provider organizations (21 percent) were more likely than those in payer organizations (12 percent) to say they would sell confidential data.
  4. Almost all (99 percent) of respondents said they feel responsible for data security.
  5. Even though 97 percent of respondents claim they understand their organization’s data security and privacy standards, 21 percent keep their username and password written down next to their computer.
  6. About one in six respondents were unaware of cybersecurity training at their organization, and 29 percent of respondents who receive training only do so once.
  7. Of those who receive security training, 17 percent said they still write down their usernames and passwords, and 19 percent said they would be willing to sell confidential data. However, those numbers increase for those who receive frequent training—of the employees who receive quarterly training, 24 percent said they write down their usernames and passwords and 28 percent said they are willing to sell confidential data

My take:

Wow.

What I find puzzling is the media’s coverage of the Facebook debacle but their lack of interest regarding the abysmal statistics about healthcare workers and data protection. Facebook users know they are sharing data—at least presumably with their “friends,” while no one expects their healthcare data to be shared with anyone other than their doctor or healthcare workers on a need-to-know basis in order to provide care. Doesn’t Accenture’s report deserve coverage beyond healthcare industry publications? Or is this status quo in other industries as well – and not news? No one wants their credit card information sold and I presume the same can be said of healthcare data.

I was shocked by the number of folks (almost a quarter of those interviewed) who knew someone who either sold data or data access. The number of healthcare workers being careless with passwords was also pretty astonishing.  I can sympathize with the password dilemma since so many of us have multiple passwords that must be managed and updated on a regular basis. Keeping it all straight is no easy task. As I tell colleagues, I don’t have a pass “word” anymore since my password requirements have so many digits, it’s more like a pass “sentence.” I’ve found a compliant password management solution that works for me, but it involves locks and keys and is not near my computer.

It seems electronic data has a higher risk of improper sharing than paper medical records. Back in the days of paper charts, it was not uncommon to see a physician, nurse or technician with no need to look at a chart snooping at the chart carousel behind the nurse’s desk in the hospital. Of course that wasn’t right, but it was one individual with a limited ability to distribute the pilfered information. Electronic data is very portable and can be accessed on multiple platforms by known and unknown users. No more nurses watching to see who is peeking at charts and reporting those who seem more than curious.

And cost – what is the cost to the industry for cybersecurity that is being undermined by employees? Perhaps the best investment is money well spent with a trusted vendor who is highly data literate.

As digital healthcare workers, we should be held to a higher standard since we have a unique responsibility to protect sensitive data; our privileged access demands it. How can the industry fight and protect itself in cyber wars if so many in the healthcare workforce are non-compliant – or worse?

Barbara Aubry is a senior regulatory analyst for 3M Health Information Systems.