by Security Weekly Productions

The title of this article tells a story that is probably completely unsurprising to the listeners of the show, but a survey sponsored by a secure file sharing service named Biscom found that people working in healthcare share information over insecure channels. Some of the numbers in it were a bit interesting to me. 87% of survey respondents said that they shared protected information via email. The article later states that most of this was internal, rather than sending to patients' personal email addresses, but it's still not a great thing. 1/3 of the respondents said they used services such as Google Drive, Dropbox, and Microsoft OneDrive to share information. 88% said they understood how to use company-provided tools and policies, but 10% said they didn't bother to abide by them.

Here’s the statement that stood out to me the most. “When asked why they did not use company tools or comply with company policies, respondents across industries agreed complexity was the biggest challenge. In fact, when deciding how to send sensitive documents, 60 percent said they simply do what is easiest.”

A couple of thoughts occur to me out of all this. First, I'm not surprised at all, and I suspect that surveys of other industries that deal with confidential information (such as legal and financial) would yield similar results. And this survey only deals with data leaving the medical provider; I can only imagine the information being passed into providers by patients. "Protected" data is all over the place, and the actual protections are frequently avoided or worked around.

Second, this is a pretty good indicator of how useful and easy to use secure data transfer tools actually are. Basically, they aren't, and their reach to the public is limited. There are legitimate needs to share information like health data: the doctor asks for something to be sent to the lab, and the lab needs to send the results back. Are the tools for internal data sharing making it easy or hard to do so? Or is it easier to copy data out of the system and send it via email?

I know we get frustrated by data being shared insecurely, particularly when we find evidence of it occurring in our own organizations. I made the mistake once of looking at a customer service ticketing system that was driven by emails coming in. It was filled with financial information from clients sending emails to our customer service reps: SSNs, names, account numbers, income, and more. I saw points where our employees were sending it out as well. As much as we want to get angry and insult the intelligence of our users, we also need to look at the tools we are providing to do the job. Things like this are a sign we need to do better.

Here are some questions to ask as we evaluate this. Why are people sending information this way instead of the way we want them to? Is there a way we can make our tools easier to use and still protect data? Are the current tools up to the task, or do we need to look for replacements? Are there stories we can tell our users that help them understand the impact of their decisions? Good examples would be things in the news.

I don't mean to say that this is all our fault for not providing better tools or even awareness training. We can provide the easiest mechanisms we know for transferring data securely, but someone will decide something else is easier and go that route, perhaps sending a screenshot to a patient via Snapchat for some reason. But we can do better at providing tools that are simpler to use and less frustrating to the users.

