A recent study of potential cybersecurity insiders found that many college students are willing to break the HIPAA Rules if the price is right: for a sufficient payment they would steal and disclose patient information. The price they named ranged from $10,000 to over $10 million. The study was conducted by Professor Lawrence Sanders of the University of Buffalo, Department of Management Science and Systems, together with colleagues at the School of Management, and builds on a 2020 study by the same group that examined the cost of healthcare privacy violations.
The 2020 study, published in JMIR Medical Informatics, surveyed 523 21-year-old students who were about to enter the workforce. Respondents were asked to imagine they were employed by a hospital and were presented with five scenarios; in each they were asked whether they would illegally steal and disclose sensitive health data. 46% of participants said they would violate the HIPAA rules and disregard patient privacy for the right price. In one scenario, respondents were asked whether, for a payment of $100,000 that they needed for their mother's treatment not covered by insurance, they would obtain and expose a politician's health records; 79% said yes.
The recent study on cybersecurity insiders, by contrast, surveyed 500 undergraduate college students enrolled in technology courses, that is, potential future IT staff in healthcare. They were asked to imagine being employed by a hospital at a salary between $30,000 and $100,000, and then asked whether, if they were under financial stress, they would access and leak the records of a famous patient in exchange for payment.
In the scenario, the respondents had received HIPAA training and were told they were not authorized to access or disclose protected health information (PHI). Even so, 58% said they would violate HIPAA if paid to do so. The payment required to induce a violation (starting at $10,000) varied with the employee's salary and with the perceived likelihood of being caught: higher-paid employees demanded more money to violate HIPAA and steal information, and respondents who were interested in ethical hacking, like those interested in unethical hacking, required less money when they were confident they would not be caught.
The study highlights the threat of insider data breaches and the importance of training employees on the HIPAA Privacy Rule and the penalties for HIPAA violations. All workers should understand that the penalties for a HIPAA violation can be severe once it is discovered. Note that the findings are self-reported intentions in hypothetical scenarios rather than observed behaviour; still, the fact that the price of a violation rose with the perceived chance of being caught suggests that controls which raise that chance, such as access logging and auditing, complement training.
Professor Sanders said that with the growing number of cyberattacks and data breaches, particularly in healthcare and other data-intensive industries, organizations need to address the human and economic factors of cybersecurity alongside standard technical controls. Awareness and training can deter people from participating in cybercrime by making its consequences and risks clear. Cybersecurity literacy, together with a more secure digital environment, is a necessary part of the solution.

