IT managers are hacking their own systems, even in healthcare, survey finds

The Absolute report also showed that 65 percent of IT decision makers believe they would lose their job in the event of a breach.
By Bernie Monegain
10:21 AM

A high percentage of IT workers admit to not following the same security protocols they are expected to enforce, according to a new survey conducted across the United States by Absolute, a Canadian security firm.

In fact, 33 percent admitted to successfully hacking their own or another organization and 45 percent admitted to knowingly circumventing their own organization's security policies.

"The big surprise for us in this survey is that the gatekeepers are really the gatecrashers," said Stephen Midgley, vice president of global marketing for Absolute. Moreover, he said, while the survey of IT department managers included several industries, the findings apply across the board, with healthcare no exception.

"Given that IT is the security gatekeeper for an organization, it was alarming to see such high incidents of non-compliant behavior by IT personnel," he said. "Even if these actions are being performed to validate existing infrastructure, senior leadership should be aware that this activity is occurring. It may also be worthwhile to consider third-party audits to ensure adherence with corporate security policies."

IT decision-makers bear the brunt of responsibility. Of those surveyed, 78 percent said the organization's security is primarily IT's responsibility. The report also showed that 65 percent of IT decision makers believe they would likely lose their job in the event of a security breach.

"The gaps in current data breach response plans and in upholding general best practice policies must be addressed," Midgley said.

As he sees it, when it comes to security – especially in healthcare, but also in other sectors – there's an accountability divide.

"That is a very precarious space for IT to be in," Midgley said. "They are tasked with data security, but aren't actually responsible for the device that contains that data."

"I think in healthcare it's magnified," he added, "because of HIPAA, HITECH, PHI. So, you can have all the security in place, but at the end of the day, IT is reliant on the employee to ensure security is implemented correctly. Yet, what we find is those very same employees try to find ways to circumvent the security policies that have been put in place."

There's a lot of work for IT in terms of bridging that gap, he said, recommending that organizations implement technology adapted to their environment that gives them complete visibility and control of the devices.

Midgley mentioned the example of one healthcare entity that has a policy of automatically wiping data from any device – laptop, tablet or phone – that goes beyond a certain location.

"They assume that device has PHI on it," he said. "It's mitigating the risk of a data breach."

The survey – which polled 501 U.S. adults who work in information security management roles in companies or organizations with 50 or more employees – found that security remains at the top of the IT spending list, with 87 percent of respondents expecting increased investment in security this year.
