Are Healthcare Workers Aware of Workaround Security Risks?

In my last blog, What Types of Workarounds Are Your Healthcare Workers Using?, I explored the types of tools healthcare workers are using to circumvent solutions or security that gets in the way, driving non-compliance issues and additional privacy and security risk. An example of a workaround could be copying unencrypted patient records onto a personal USB key in order to transfer them.

A global survey of frontline healthcare workers completed January 2013 by HIMSS and Intel, with 674 respondents, reveals that more than half of respondents use workarounds either every day, or sometimes. In this blog we look at results from the survey that highlight to what extent healthcare workers are aware of the risks associated with using workarounds, why they are doing workarounds anyway, and why workers may not be adequately aware of risks.

In order to gauge awareness of risks associated with workarounds we asked in the survey, “Do you think people using workarounds are aware of the associated privacy and security risks?” Almost evenly split, 36 percent indicated yes while 35 percent indicated no, and another 20 percent indicated they don’t know. Clearly there is much work to be done in increasing awareness of risks associated with workarounds, a basic first step to mitigating this type of risk. To dig a little deeper we surveyed respondents with two further questions on why those that are aware of risks use workarounds anyway, and where things may be breaking down for those that aren’t aware of risks.

To understand why healthcare workers that are aware of risks use workarounds anyway, we asked, “If people are aware of risks, why do you think they use workarounds anyway?" Of the major categories of response to this question, 53 percent indicated frustration with currently system, 53 percent that workarounds make their job easier, 38 percent indicated risks were insignificant, and 29 percent indicated that improving the quality, improving efficiency, and reducing the cost of patient care takes priority over security. These results suggest that current healthcare solutions are in many cases viewed as more difficult to use that workarounds. Many healthcare workers are also clearly making a decision to do workarounds that improve healthcare while waiving the associated risks as insignificant or lower priority.

To explore why some healthcare workers lack awareness of risks, we asked, “If people are not aware of risks, why might they not be aware?" Forty-five percent indicated lack of oversight or enforcement of policy, 43 percent indicated lack of effective security awareness training, and 19 percent indicated lack of privacy and security policy. It seems that while most organizations have a policy, often it is not adequately enforced, and security awareness training is in many cases ineffective.

Stay tuned for the finale of this blog series next week with the release of a HIMSS/Intel whitepaper on this recent security survey. We’ll also be releasing these survey results and the HIMSS /Intel whitepaper at a workshop at HIMSS 2013. If you will be at HIMSS13 in New Orleans, join us for this complementary workshop panel to explore these concepts further. RSVP and reserve your spot.