'Sell patients' medical information for cash? Why not?' say 18 per cent of US healthcare staff

Accenture survey finds one-in-five employees in healthcare sector would flog patient data for $1,000

Just under one-in-five employees in the healthcare sector would give access to confidential medical data to an outsider in return for up to $1,000, according to a survey of healthcare workers in the US and Canada.

As many as 18 per cent indicated that they would be prepared to hand over their login credentials, deliberately install software that would compromise their PC, or download requested data to a USB stick in return for a brown envelope stuffed with cash.

While 82 per cent claimed that no amount of money would induce them to compromise patient records, one-quarter of the respondents claimed to have known someone within their organisation who has sold their credentials or access to an unauthorised outsider.

Nevertheless, 99 per cent of the respondents to the survey also claimed to "feel responsible for the security of data", while 97 per cent claimed to fully understand their healthcare organisation's data security and privacy policies.

"Health organisations are in the throes of a cyber war that is being undermined by their own workforce," said John Schoew, who leads Accenture's Health & Public Service Security practice in North America.

"With sensitive data a part of the job for millions of health workers, organisations must foster a cyber culture that addresses these deeply rooted issues so that employees become part of the fight, not a weak link."

While the survey only covered the US and Canada, it is open to question how different the answers would be in the UK or elsewhere in Europe.

Other poor security practice was also reported: 21 per cent admit to scribbling down their login details on a Post-It Note attached to their PC.

Schoew added that training alone isn't enough and that organisations - all organisations, not just healthcare - should implement multiple security techniques including security tokens, privilege and digital rights management and "selective redaction and data scrambling".

He added: "Monitor continuously and vigorously not just for unauthorised access but also for undiscovered threats and suspicious user behaviour."