Accenture 2018 Healthcare Workforce Survey on Cybersecurity
LOSING THE CYBER CULTURE WAR IN HEALTHCARE
#INNOVATELIVE
Copyright © 2018 Accenture. All rights reserved.

ACCENTURE 2018 HEALTHCARE WORKFORCE SURVEY ON CYBERSECURITY: OVERVIEW

• Accenture commissioned a web-based survey of qualified employees of healthcare providers and payers in the United States and Canada.
• Respondents were not required to provide their names or the name of their organization, but did report their department, job responsibility and/or primary role.
• All respondents were required to have access to patient digital healthcare data, including PHI, PII, or PCI.
• The survey was conducted in November 2017.
• 601 provider respondents
• 311 payer respondents

HEALTHCARE EMPLOYEES ARE WILLING TO PUT PATIENTS’ MEDICAL DATA AT RISK

• WRITING DOWN USERNAMES and password and keeping it next to the computer
• SELLING CREDENTIALS or access to an unauthorized outside person or entity
• WILLING TO MAKE A PROFIT by providing an unauthorized outsider access to organization’s confidential data

21% OF HEALTHCARE EMPLOYEES WRITE DOWN USERNAME AND PASSWORD NEAR THE COMPUTER

Do you write down your username and password next to the computer?
• NO, I do not: 79%
• YES, I do write my username and password next to the computer: 21%

PROVIDER VS PAYER
[Chart: Employees who write down username and password next to computer, provider vs payer; values shown: 17% and 23%]

24% OF HEALTHCARE EMPLOYEES ARE AWARE OF SOMEONE WITHIN THEIR ORGANIZATION SELLING ACCESS

31 percent

ARE YOU AWARE OF SOMEONE SELLING ACCESS TO PATIENT DATA?
[Chart: % employees, axis 0% to 100%]

Response options:
• Yes, I am aware of that happening within my organization
• I am aware of that happening outside of my organization
• No, I am not aware of that happening within my organization

Values as shown on the chart:
• Total: 8%, 68%, 24%
• Payers: 8%, 77%, 15%
• Providers*: 9%, 63%, 29%

*Numbers rounded
Sample: All respondents (n=912)

18% OF HEALTHCARE EMPLOYEES ARE WILLING TO MAKE A PROFIT BY PROVIDING ACCESS TO AN UNAUTHORIZED OUTSIDER

• NO AMOUNT OF MONEY WOULD PERSUADE ME to give someone confidential company information: 82%
• WILLING TO MAKE A PROFIT by providing an unauthorized outsider access to your organization’s confidential data: 18%

PROVIDER VS PAYER
[Chart: Employees who are willing to make profit, provider vs payer; values shown: 12% and 21%]

NEARLY HALF OF HEALTHCARE EMPLOYEES STATED THAT THEY ARE AWARE OF PATIENT DATA BREACHES IN THEIR ORGANIZATIONS

HOW MANY PATIENT DATA BREACHES ARE YOU AWARE OF IN YOUR ORGANIZATION?
[Chart: % employees, axis 0% to 60%]

Response options:
• No breaches
• 1-10 breaches
• More than 10 breaches

Values as shown on the chart:
• Total*: 47%, 3%, 52%
• Payers: 43%, 1%, 56%
• Providers: 47%, 4%, 49%

*Numbers rounded
Sample: All respondents (n=912)

CYBERSECURITY TRAINING ISN’T REACHING EVERYONE

• 1 in 6 healthcare employees are unaware of training at their organizations or their organization does not offer training at all
• 29% of healthcare employees who receive training only get it once

INCREASED TRAINING DID NOT CORRELATE WITH BETTER CYBERSECURITY BEHAVIORS
CYBERSECURITY TRAINING ISN’T ENOUGH

WILLING COMPLIANCE WITH / SUPPORT OF CYBERSECURITY POLICIES IS STILL NOT EMBEDDED IN HEALTHCARE ORGANIZATIONS’ CULTURES

Nearly 1 in 3 healthcare employees question the effectiveness of cybersecurity policies and procedures at their organizations

15-20% of healthcare employees admit to poor compliance with key policies such as:
• Secure password management
• Downloading email attachments and software
• Using unsecure networks

CALL TO ACTION
LOSING THE CYBER CULTURE WAR IN HEALTHCARE

01 OPTIMIZE TRAINING
Ensure all healthcare employees receive consistent and impactful cybersecurity training, particularly those with access to patients’ digital healthcare data.

02 USE MANY TECHNIQUES
• Encryption
• Tokenization
• Micro segmentation
• Privilege and digital rights management
• Selective redaction
• Data scrambling

03 LIMIT, MONITOR AND SEGMENT ACCESS
Use two-factor authentication as much as possible. Use role-based access to make automated decisions about who is allowed to see what data and systems.

04 MONITOR FOR SUSPICIOUS ACTIVITY
Monitor continuously and vigorously, not just for unauthorized access but for undiscovered threats and suspicious user behavior.
