It is no secret that healthcare data breaches are on the rise. While we often hear about hackers targeting the healthcare industry, you may be surprised to learn that more healthcare data breaches are caused by insiders than hackers!
In their recent Protected Health Information Data Breach Report, Verizon has found that 58% of all healthcare data breaches and security incidents had been caused by insiders. An article on HIPAA Journal takes a closer look at insider threats and how organizations can help defend themselves.
Insider threats are those that come from within an organization and are caused by individuals who are authorized to access healthcare resources. Employees are not the only individuals that pose a risk to insider threats.
Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain tasks could deliberately or accidentally take actions that could negatively affect an organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former employees.”
Insider breaches are also difficult to detect in many situations and can sometimes go unnoticed for months or even years. In one case, an employee at a Massachusetts hospital accessed over 1,000 unauthorized patient records, which went undetected for 14 years!
Insider breaches also violate HIPAA Rules and patient privacy, resulting in heavy fines for healthcare organizations.
According to the CERT Insider Threat Center, insider breaches are twice as costly and damaging as external threats. To make matters worse, 75% of insider threats go unnoticed.”
Insider threats in healthcare can be either malicious or non-malicious in nature.
Malicious Insider Threats vs. Non-Malicious Insider Threats
Malicious insider threats occur when an individual deliberately attempts to cause harm to either the organization, employees, patients or others. Often, malicious insider threats come from disgruntled employees who may attempt to sabotage their organization following a termination.
Research by Verizon indicates 48% of insider breaches are conducted for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to steal data.”
Non-malicious insider threats include snooping on medical records, accidental loss or disclosure of sensitive information, sharing log in credentials and responding to a phishing email to name a few.
The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees simply had access to patient records.”
Defending Against Insider Threats
A standard four-stage process can be used to help mitigate insider threats: Educate, Deter, Detect, and Investigate.
Educate: It is important that all workforce members know what acceptable use and disclosure of PHI is. Individuals should also be aware of the risks associate with patient privacy, data security and certain behaviors.
Deter: Policies and procedures must be in place and enforced by the organization. All employees should be made aware of these policies as well as the consequences for failing to comply with them as it relates to the organization, as well as a HIPAA violation.
Detect: Access logs should be available and checked regularly to detect any unauthorized access of sensitive information. Other technological solutions should also be considered to help rapidly detect any breaches.
Investigate: If a potential breach does occur, it should be investigated quickly to determine the cause and next steps. Action should also be taken to ensure the incident does not occur again.
Tips for Mitigating Insider Threats in Healthcare
Conducting background checks prior to employment will help get a sense of who is being hired and what risks they could pose. This should include doing a Google search, checking social media accounts and talking with previous employers.
HIPAA Training is crucial to ensure employees are aware of their responsibilities under the HIPAA Privacy and Security Rules. Individuals should know of all penalties associated with violating HIPAA Rules, including termination and potential criminal penalties.
Security Awareness Training is also a must to mitigate insider threats. No matter what technological solutions are in place, there is still a risk that email/web-based threats could sneak through. Employees must know how to spot these threats.
By implementing strong anti-phishing software, organizations can reduce phishing emails that successfully make it to an individual’s inbox. With phishing being the number one cause of a data breach, advanced spam filtering is a must for organizations.
Encourage Employees to Report Suspicious Activity
Employees should know who to report suspicious activity and behaviors to and feel comfortable in reporting such behaviors.
Control Access to Sensitive Information
Employees should only have access to the minimum amount of information that is required for their position. Limiting what information is accessible to employees will help mitigate insider threats.
Monitor Employee Activity
HIPAA requires that PHI access logs be maintained but also that those access logs are reviewed regularly. By reviewing access logs, you can spot inappropriate access to PHI. This monitoring can be done manually, however there is software available to help with this labor-intensive task.
Terminate Access When Appropriate
By implementing a termination procedure, you can ensure that employees do not have access to sensitive information when it is no longer needed. Similar, once a contract is completed, access should also be eliminated for individuals who had access during the duration of that contract.
Require Strong Passwords
Password policies must be enforced that required employees to use strong passwords or long passphrases. Commonly used passwords and weak passwords should not be allowed as part of those policies.
Use Two-Factor Authentication (2FA)
Two-factor authentication will help prevent unauthorized access of outsiders by requiring a password along with a security token.
Encrypt PHI on Portable Devices
Since portable devices can easily be lost or stolen, using these devices to access patient information comes with risk. By using full-disk encryption on portable devices, the sensitive information is protected, therefore if the device is lost or stolen, it does not result in a reportable incident.