Defending Against Insider Threats in Healthcare Organizations
One of the most serious data security challenges in the healthcare sector is defending against insider threats. Insiders are responsible for more healthcare data breaches than external hackers, which makes the industry unusual.
Verizon’s Protected Health Information Data Breach Report highlights the scale of the issue. The report shows 58% of all healthcare data breaches and security incidents are due to insiders.
Healthcare organizations also struggle to spot insider breaches, with many going unnoticed for months or even years. They must not only take steps to reduce the potential for insider breaches, they should also implement technological solutions, policies, and procedures that allow breaches to be detected rapidly when they do happen.
What are Insider Threats in HIPAA?
Before describing how healthcare organizations can protect against insider threats, it is worthwhile covering the main insider threats in healthcare.
An insider threat is one that comes from within an organization: a person who has been authorized to access healthcare resources, including EMRs, healthcare networks, email accounts, or documents containing PHI. That access may be abused with malicious intent, but just as often honest mistakes cause equal harm to the organization, its employees, or its patients.
Insider threats are not restricted to employees. Any individual who is given access to networks, email accounts, or sensitive information in order to complete certain duties could deliberately or accidentally take actions that negatively affect the organization. That includes business associates, subcontractors of business associates, researchers, volunteers, and former staff members.
The outcomes of insider breaches can be severe. Healthcare organizations can receive heavy fines for breaches of HIPAA Rules and violations of patient privacy. Insider breaches can also damage an organization’s reputation, cause a loss of patient confidence, and leave the organization open to legal action.
According to the CERT Insider Threat Center, insider breaches are twice as expensive and damaging as external threats. To make matters worse, 75% of insider threats go undetected.
Insider threats in healthcare can be divided into two main categories based on the intentions of the insider: Malicious and non-malicious.
Malicious Insider Dangers in the Healthcare Sector
Malicious insider threats in healthcare are those which involve deliberate attempts to inflict harm, either to the organization, employees, patients, or other people. These include the theft of protected health information such as social security numbers/personal information for committing identity theft and fraud, the theft of data to bring to new employers, theft of intellectual property, and sabotage.
Research by Verizon indicates 48% of insider breaches occur for financial gain, and with healthcare data fetching a high price on the black market, employees can easily be tempted to obtain data.
A 2018 Accenture survey of healthcare employees revealed that one in five would be prepared to access and sell confidential data if the price was right. 18% of the 912 employees surveyed said they would steal data for sums of $500 to $1,000.
Worryingly, the survey showed that almost a quarter (24%) of surveyed healthcare staff knew of someone who had stolen data or sold their login details to an unauthorized outsider.
Unhappy employees may attempt to sabotage IT systems or steal and hold data in case they are terminated. However, not all acts of sabotage are aimed against employers. One notable example comes from Texas, where a healthcare worker used hospital devices to establish a botnet that was used to attack a hacking group.
Non-Malicious Insider Threats in the Healthcare Sector
The Breach Barometer from Protenus/databreaches.net makes available a monthly report of data breaches by breach cause, including the number of breaches caused by insiders. In many cases, insiders are to blame for more breaches than outsiders.
Spying on medical records is all too common. When a celebrity is brought to hospital, employees may try to sneak a look at their medical records, or those of friends, family members, and ex-partners. The motivations of the employees vary. The Verizon report suggests 31% of insider breaches were employees accessing records out of curiosity, and a further 10% were because employees just had access to patient records.
Other non-malicious threats include the accidental loss/disclosure of sensitive details, such as disclosing sensitive patient information to others, sharing login details, writing down login credentials, or responding to phishing messages.
The biggest healthcare data breach in history – the theft of 78 million healthcare records from Anthem Inc. – is believed to have been made possible by stolen login credentials.
Failing to ensure PHI is emailed to the correct recipient, misdirecting fax messages, or leaving portable electronic devices containing ePHI unattended causes many breaches every year. The Department of Health and Human Services’ Office for Civil Rights’ breach portal, or ‘Wall of Shame’, is full of incidents involving laptops, portable hard drives, smartphones, and zip drives that were stolen after being left unattended.
How to Safeguard Against Insider Threats in Healthcare
The standard approach to addressing insider threats can be broken down into four stages: Educate, Deter, Detect, and Investigate.
Educate: The workforce must be trained on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.
Deter: Policies must be created to reduce risk and those policies enforced. The repercussions of HIPAA breaches and privacy breaches should be clearly explained to staff.
Detect: Healthcare organizations should put in place technological solutions that allow them to spot breaches rapidly, and audit logs of PHI access should be reviewed regularly for access that has no legitimate work purpose.
Investigate: When possible privacy and security breaches are detected, they must be reviewed promptly to limit the harm caused. Once the cause of the breach is determined, steps should be taken to prevent a recurrence.
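As an added illustration of the Detect stage (example code written for this article, not from any EMR vendor or from the original page), the script below scans a constructed EMR audit log for the access patterns discussed above: a chart viewed by someone with no care relationship to the patient, any access to a patient flagged for heightened review (the celebrity, colleague or relative case), and a user opening far more charts in a day than their role's baseline. The CSV layout, the care-team mapping, the flagged-patient list and the per-role thresholds are all assumptions; in a real deployment the relationship data would come from scheduling/ADT systems and the baselines from historical logs.

```python
"""Flag suspicious EMR chart access from an audit log.

Added example: log format, field names, care-team data and thresholds are
assumed for illustration and are not taken from any real EMR product.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log in an assumed CSV layout:
# who viewed which patient chart, when, and the recorded reason (may be empty).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,reason
2024-03-04T08:12:00,nurse_a,nurse,P100,treatment
2024-03-04T08:40:00,nurse_a,nurse,P101,treatment
2024-03-04T12:30:00,nurse_a,nurse,P900,
2024-03-04T09:05:00,clerk_b,billing,P100,billing
2024-03-04T09:06:00,clerk_b,billing,P102,billing
2024-03-04T09:07:00,clerk_b,billing,P103,billing
2024-03-04T09:08:00,clerk_b,billing,P104,billing
2024-03-04T09:09:00,clerk_b,billing,P105,billing
2024-03-04T09:10:00,clerk_b,billing,P106,billing
2024-03-04T09:11:00,clerk_b,billing,P107,billing
2024-03-04T14:00:00,dr_c,physician,P200,treatment
2024-03-04T14:05:00,dr_c,physician,P900,break_glass
"""

# Constructed care-team assignments: patients each user legitimately works with.
# In practice this comes from scheduling / admission-discharge-transfer feeds.
CARE_TEAM = {
    "nurse_a": {"P100", "P101"},
    "clerk_b": {"P100", "P102", "P103", "P104", "P105", "P106", "P107"},
    "dr_c": {"P200"},
}

# Constructed list of charts under heightened review (public figures, staff, relatives).
FLAGGED_PATIENTS = {"P900"}

# Assumed per-role baseline of distinct charts per day; exceeding it is a bulk-access alert.
DAILY_BASELINE = {"nurse": 10, "physician": 25, "billing": 5}

# Reason code that records a documented emergency override; it bypasses the
# relationship check but is never silent, because every override must be reviewed.
BREAK_GLASS = "break_glass"


def parse_log(text):
    """Parse the CSV audit log into dicts, adding a parsed datetime under 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def find_alerts(rows):
    """Apply the three detection rules and return a list of alert dicts."""
    alerts = []
    charts_per_user_day = defaultdict(set)

    for row in rows:
        user, role, patient = row["user"], row["role"], row["patient_id"]
        allowed = CARE_TEAM.get(user, set())

        # Rule 1: chart opened with no care relationship and no documented override.
        if patient not in allowed and row["reason"] != BREAK_GLASS:
            alerts.append({"rule": "no_relationship", "user": user,
                           "detail": patient, "when": row["timestamp"]})

        # Rule 2: any access to a flagged chart is reviewed, override or not.
        if patient in FLAGGED_PATIENTS:
            alerts.append({"rule": "flagged_patient", "user": user,
                           "detail": f"{patient} reason={row['reason'] or 'none'}",
                           "when": row["timestamp"]})

        charts_per_user_day[(user, role, row["ts"].date())].add(patient)

    # Rule 3: authorized but excessive volume, e.g. a clerk paging through charts.
    for (user, role, day), patients in charts_per_user_day.items():
        if len(patients) > DAILY_BASELINE.get(role, 0):
            alerts.append({"rule": "bulk_access", "user": user,
                           "detail": f"{len(patients)} distinct charts",
                           "when": day.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{alert['when']}  {alert['rule']:16} {alert['user']:8} {alert['detail']}")
```

Note the asymmetry in the rules: a break-glass override suppresses the no-relationship alert but still surfaces flagged-patient access, and the bulk-access rule fires even when every chart was permitted, because the page's own examples (curiosity viewing, data theft for resale) are committed by people who have legitimate credentials. The output is a review queue for the Investigate stage, not an automatic verdict.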