As healthcare professionals, we’re surrounded by personal and patient data. Unfortunately, security awareness is highly dedicated to patient data, leaving little advocacy for travel employee protection. The responsibility is ultimately on employers and employees to avoid unsafe practices.
Healthcare travelers are in a current state of data insecurity. The healthcare marketplace puts added vulnerability on professionals’ data, and it’s your responsibility as a traveler and/or recruiter to deploy best practices to keep everyone safe.
Healthcare travelers and their recruiters do a great deal of remote data transfer, especially during major onboarding phases, like:
- texting of certifications
- emailing credentials
- faxing licenses
- texting DOBs & SSNs
- etc. – you see where we’re going with this
Travel healthcare staffing firms, HR departments, and compliance teams collect and store thousands of healthcare professionals’ personal information for potential lead sourcing, which creates a gold mine for those pesky hackers searching to acquire massive amounts of sensitive personal data. Names, DOBs, SSNs, medical records, addresses, and other important professional information are expected to be in an employee’s (or potential employee’s) profile.
This data is valued at $160-$350+ per individual on the dark web.
With the rise of staffing agencies and travel professionals, data security is becoming an increasingly important aspect of the industry. Unfortunately, staffing agencies often unnecessarily put talent data at risk for a security breach. Many large agencies are already suffering from data security issues and travelers are at risk of bearing the long-term costs of these issues through their lost time, worry/anxiety, and potential financial loss, etc. — all depending on how a hacker misuses their data and personal information.
Note: we’ve chosen not to highlight specific agencies who have, in the past or recently, suffered from data breaches and vulnerabilities. We’re not out to humiliate anyone, and we believe our entire industry wins when everyone is secure and supported — not singled out.
The staffing industry’s need for “speed to submittal” encourages reckless means of aggregating and exporting employee data as fast as possible. Recruiters and travelers resort to convenient and swift (read: insecure) means to send and receive that info (email, texting) that add to the growing number of personal data vulnerabilities from hackers looking to profit off malicious use of that data.
Compared to other major industries, healthcare has suffered the highest monetary losses due to data breaches over the last nine years. Recent cyber attacks on healthcare staffing agencies has exposed professional’s data and contributed to the $6.5 million average cost to organizations. This is 60% higher than other major industries.
What does this mean to the traveler?
What happens to healthcare professionals when their data is stolen?
- The data is sold on the dark web to and used for:
- Identity theft: personal information is used to open new financial accounts, steal tax returns, open new credit cards, loans, make online purchases, etc.
- The health data can be used to make fraudulent medical claims
- Scammers can purchase this info for malicious use against the victim(s)
What does it cost them?
- The DOJ’s study found that identity theft victims experienced a combined average loss of $1,343.
- This data is from 2014 — these figures have surely increased over time.
What should they do to protect themselves?
- Avoid unsafe practices
- Be wary of emailing/texting personal information and documents.
- Read privacy policies and ensure the entities you choose to share with are using safe practices.
Are you still texting and emailing credentials to your recruiter?
Talk to them about improving your data security.
What does this mean to staffing agencies and recruiters?
What happens to the employer?
- This depends on the situation and severity of the data breach. A few standard steps occur, with varying timelines and levels of engagement:
- Gather legal council.
- Hire data forensic experts to identify the vulnerability.
- Identify the user(s) behind the attack and stop further breach.
- Notify your affected audience of healthcare workers, facility clients and vendors.
What does it cost them?
- According to People 2.0, IBM Security recently reported that the average cost of a data breach has reached $4 million. That’s approximately $158 for every lost or stolen record.
- In highly regulated industries like healthcare, the cost of a breach can be as much as $355 per record. The current process of responding to a breach is extremely complex and time-consuming.
- Aside from monetary loss and a serious business distraction, the agencies suffers irreparable damage to the brand. As an agency, you’ve poured money, resources, and time into building brand equity with your clients. Don’t risk it all with unsafe data practices. You can’t earn back the talent’s trust after you’ve caused them time and money recovering their data.
- Learn more about the business impact of data breaches in McAfee’s report.
How can agencies and recruiters be more careful?
- Mandate encryption of all data transmissions. This includes data ‘at rest’ and ‘in motion’ (meaning: data you’re not using and data you’re actively sending). Also consider encrypting email within your company if personal information is transmitted. Encryption is the best way to protect your employee’s data from being accessed if someone has found their way onto your systems.
- Update your technical infrastructure. Enhancing your security tools will add an increased layer of data protection.
- Establish a written policy about privacy and data security and educate all employees in best practices. Discuss what types of information are considered sensitive and set clear expectations on recruiter responsibilities in protecting it.
- Educate about and avoid phishing tactics: receiving emails, texts and calls from scammers that are attempting to trick an employee to click a link or give valuable information (like a password) over to them.
- Avoid suspicious links, emails, phone calls, and web portals.
What communication methods do you use to communicate with your healthcare talent? Are you being secure? Are you encouraging — and educating — them to use safe routes to send their data?
Before we cover some popular communication methods, let’s clarify a fancy word: encryption.
At a top level, encryption is the process of taking plain text, and using a “key”, turning that data into cypher text. Cypher text is rendered as absolute gibberish, unless you have the encryption “key”.
Name: Casey Maxwell
NonEncrypted: Casey Maxwell
Encrypted looks something like: $dbZ31dfv rz35#afva!f1dfv1dfv
Why isn’t email secure?
While communication between you and your email provider may be encrypted (proper email client setup or by using their webmail client), the connection from their server to the destination server is most likely not. An email sent from you could actually transfer between more than one server before arriving at the destination server. Since this data is not encrypted, your information (email, etc.) may be logged in each of these “middle-ground” servers as it makes its way to the destination.
Why isn’t texting secure?
In this context, when speaking about insecure texting, we are talking about SMS (short message service). Apple created a new type of texting with iMessage that is actually secure. If you use an iPhone and you are seeing “blue bubbles” when chatting, you are having a fully encrypted and safe conversation. If you are on an iPhone and see “green bubbles”, you are NOT safe.
Those messages are likely traveling unencrypted across your cell carrier’s network(s).
What is secure?