According to the recently released IBM X-Force Threat Intelligence Report, 71% of recorded data violations in the healthcare sector are attributable to something an employee has done. Staff members responsible for data breaches are split into two categories: "malicious insiders" (25%) and "inadvertent actors" (46%).
25% of Healthcare Data Violations are Attributable to Malicious Insiders
Although IBM's Intelligence Report focuses on the number of violations rather than the number of records breached, the percentage of data breaches attributed to malicious insiders seems high. However, it is not the case that 25% of the medical profession is illegally taking Protected Health Information for personal gain. A closer inspection of the data shows that the "malicious insiders" category includes employees snooping on the medical records of friends, colleagues and celebrity clients.
Snooping was revealed as the largest single cause of data breaches in the healthcare sector in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classed as a breach of HIPAA and therefore, by the number of breaches alone, is one of the top HIPAA threats Covered Entities should be aware of. It is certainly a threat OCR would expect a Covered Entity to address in a HIPAA risk assessment.
Other Data Breaches that Occur due to Malicious Insiders
Whereas snooping can be the largest cause of employee HIPAA violations by number, the largest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary working for the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to hackers, who then used it to file fraudulent tax returns with the Internal Revenue Service.
A spate of high-volume data breaches around the same time led the HHS' Office for Civil Rights to release a reminder to Covered Entities to take action to prevent insider data theft. Unfortunately, many Covered Entities appear not to have reacted to the reminder. A survey completed in late 2016 revealed that half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the danger.
Are Inadvertent Actors Really More of a HIPAA Threat than Hackers?
According to the raw data, it would seem so. However, the category of "inadvertent actors" incorporates victims of phishing attacks and IT professionals who fail to set up their security mechanisms properly, so it may be more accurate to retitle this category "employees who inadvertently invited hackers to steal data". Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly double that of external hacks.
This would imply that another of the top HIPAA threats is the absence of employee awareness. Phishing is a huge threat to HIPAA compliance, but it is one that can be addressed with phishing simulation training. Similarly, mistakes made by IT security staff can be cut by implementing procedures to review the configuration of security mechanisms on a continual basis, which should be part of an annual risk assessment in any scenario. In short, data breaches due to inadvertent actors are mostly preventable.
The Main HIPAA Threats and How to Defend Against Them
At HIPAA Journal we have strongly advised Covered Entities to encrypt data, put in place two-factor authentication and conduct due diligence on Business Associates. These practices, and others supplied by HIPAA-threat-style articles, will help safeguard against some HIPAA threats, but not the top HIPAA threats. In order to prevent the main HIPAA threats of snooping, insider data theft and a lack of staff awareness, Covered Entities need to:
- Apply strong policies relating to employee conduct and enforce them with an equally stringent sanctions policy.
- Apply effective access controls that monitor who accesses PHI when and where, and what happens to it next.
- Apply a thorough HIPAA training program to raise employee awareness, particularly in the area of Internet security.
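The second point, monitoring who accesses PHI, is where snooping and bulk insider theft become detectable. The following is an added illustration, not code from HIPAA Journal or from any EHR vendor: it reads a constructed audit-log sample in a hypothetical `timestamp | user | patient | action` format, flags accesses by staff with no documented care relationship to the patient (including lookups of a colleague's record), and flags users touching an unusual number of distinct records. The log format, roster and threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed EHR audit-log sample (hypothetical format): timestamp | user_id | patient_id | action
SAMPLE_LOG = """\
2017-03-01T08:02:11 | nurse_01 | P1001 | view
2017-03-01T08:05:40 | nurse_01 | P1002 | view
2017-03-01T09:15:02 | clerk_07 | P2002 | view
2017-03-01T09:16:10 | clerk_07 | P3003 | export
2017-03-01T09:16:55 | clerk_07 | P3004 | export
2017-03-01T12:00:00 | dr_04 | P1001 | view
"""
# Constructed roster of documented treatment relationships (patient -> staff on the care team).
CARE_TEAM = {"P1001": {"nurse_01", "dr_04"}, "P1002": {"nurse_01"}, "P2002": {"dr_04"}}
# Constructed list of patient records that belong to staff members (colleague snooping).
STAFF_PATIENTS = {"P2002": "nurse_01"}
LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (\S+)$")

def parse_log(text):
    """Parse audit lines into (timestamp, user, patient, action) tuples; skip malformed lines."""
    return [m.groups() for m in (LINE_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def find_snooping(events, care_team=CARE_TEAM, staff_patients=STAFF_PATIENTS):
    """Flag accesses by users with no documented care relationship; returns (user, patient, reason)."""
    findings = []
    for _ts, user, patient, _action in events:
        if user in care_team.get(patient, set()):
            continue  # legitimate: user is on this patient's care team
        reason = "colleague record" if patient in staff_patients else "no care relationship"
        findings.append((user, patient, reason))
    return findings

def find_bulk_access(events, threshold=2):
    """Users touching more distinct patient records than `threshold`: an insider data-theft signal."""
    per_user = defaultdict(set)
    for _ts, user, patient, _action in events:
        per_user[user].add(patient)
    return {u: len(p) for u, p in per_user.items() if len(p) > threshold}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for f in find_snooping(ev):
        print("SNOOPING?", f)
    print("BULK ACCESS:", find_bulk_access(ev))
```

In practice the care-team roster comes from the scheduling or admission system, and the bulk threshold is set per role from a baseline of normal activity rather than a fixed number.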
Covered Entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data supplied in the IBM X-Force Threat Intelligence Report is taken at face value, Covered Entities should invest three times as many resources in safeguarding against the top HIPAA threats that come from within as they allocate to external threats.