Insider Threat in Healthcare: Tips Beyond Just HIPAA Compliance

Healthcare professionals need immediate access to patient data, but how can medical organizations help their employees save lives while keeping personal patient data secured?

Healthcare CISOs already know the reality they’re in – doctors and nurses use consumer cloud services like Facebook and Dropbox, just like the rest of us. Were a breach to occur because patient data was shared through one of these applications, we would typically assume it happened by accident rather than with malicious intent.

Human nature also plays a role when looking to understand how breaches happen. A Veriphyr survey of healthcare organizations from a few years back found that 35% of healthcare “insiders” had snooped into the medical records of fellow employees, and 27% had accessed the medical records of family and friends. Imagine Taylor Swift being admitted to a hospital one evening – can the hospital be 100% sure its employees won’t go snooping into her medical records out of curiosity, or with other ulterior motives?

At any rate, the intent doesn’t matter; the result is the same. The loss of protected health information (PHI), the financial and trust losses for the organization, and the public and private recovery from such a breach are now the only things on the CISO’s horizon.

Employees Cause Over 50% of Healthcare Breaches

Verizon recently published a whitepaper called Protected Health Information Data Breach Report for 2018, which all security and IT professionals working in healthcare should read in full. We’ll cover some of the major topics here for the sake of brevity.

The report found that 58% of incidents in healthcare involve employees. Note that the overall average across all industries is a (still-alarming) 27%. Unfortunately, the healthcare industry carries an unenviable distinction all its own – it’s the only industry in which employees and internal contractors pose the biggest cybersecurity threat to the entire organization.

The HIPAA Journal recently posted an in-depth article about how to defend against insider threats. They focus on a four-stage approach to mitigating insider threats: Educate, Deter, Detect, and Investigate:

Educate: The workforce must be educated on allowable uses and disclosures of PHI, the risk associated with certain behaviors, patient privacy, and data security.

Deter: Policies must be developed to reduce risk and those policies enforced. The repercussions of HIPAA violations and privacy breaches should be clearly explained to employees.

Detect: Healthcare organizations should implement technological solutions that allow them to detect breaches rapidly, and access logs should be reviewed regularly.

Investigate: When potential privacy and security breaches are detected they must be investigated promptly to limit the harm caused. When the cause of the breach is determined, steps should be taken to prevent a recurrence.

More specific steps provided by The HIPAA Journal are highlighted here, but more detailed tips are available on their website:

  • Perform background checks
  • Provide HIPAA training and security awareness training
           o   All healthcare employees should be made aware of their responsibilities under HIPAA. Training should be provided as soon as possible, and ideally before network or PHI access is provided.
  • Implement anti-phishing defenses and employee education, including phishing simulation exercises
  • Encourage employees to report suspicious activity (safely and anonymously)
  • Control access to sensitive information and terminate access when it is no longer required for an employee’s job function
  • Encrypt PHI on all portable devices
  • Enforce strong passwords and two-factor authentication
  • Monitor employee activity
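The Detect stage above, together with the “monitor employee activity” and “terminate access when no longer required” items, comes down to routinely reviewing EHR access logs against what the organization knows about its staff. The following Python script is an added example written for this page (it is not code from The HIPAA Journal, Verizon, or any EHR vendor) that runs a handful of snooping and stale-access checks over constructed audit-log lines. The pipe-delimited log format, the staff roster, the care-team table and the VIP list are all assumptions; a real deployment would pull them from the EHR’s audit trail and the HR/identity systems.

```python
"""Review constructed EHR audit-log lines for co-worker snooping, off-team
access to a VIP chart, and logins by staff whose employment has ended.
All data below is constructed for illustration; the schema is an assumption."""
from dataclasses import dataclass
from datetime import datetime, date

# Constructed staff roster: whether each employee is also a patient here,
# and the date (if any) their employment ended.
EMPLOYEES = {
    "u101": {"name": "Nurse A", "patient_id": "p500", "terminated": None},
    "u102": {"name": "Nurse B", "patient_id": "p501", "terminated": None},
    "u103": {"name": "Clerk C", "patient_id": None, "terminated": date(2018, 3, 1)},
    "u104": {"name": "Dr D", "patient_id": None, "terminated": None},
}

# Constructed care-team assignments: which staff legitimately treat which patient.
CARE_TEAM = {
    "p500": {"u104"},                  # Nurse A's own chart; only Dr D treats her
    "p501": {"u101", "u104"},          # Nurse B's chart; Nurse A and Dr D treat her
    "p777": {"u104"},                  # high-profile admission, flagged as VIP below
    "p900": {"u101", "u102", "u104"},
}
VIP_PATIENTS = {"p777"}


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    patient: str
    action: str


def parse_line(line: str) -> Access:
    """Parse one constructed audit line of the form ts|user|patient|action."""
    ts, user, patient, action = line.strip().split("|")
    return Access(datetime.fromisoformat(ts), user, patient, action)


def review_access(acc: Access) -> list:
    """Return a list of (severity, reason) findings for one access event."""
    findings = []
    emp = EMPLOYEES.get(acc.user)
    if emp is None:
        return [("high", "unknown user id")]
    # Rule 1: the account should have been disabled when employment ended.
    if emp["terminated"] is not None and acc.ts.date() >= emp["terminated"]:
        findings.append(("high", "access after termination date"))
    # Rule 2: staff opening their own chart is a policy question, not snooping.
    if emp["patient_id"] == acc.patient:
        findings.append(("low", "user viewed their own record"))
        return findings
    # Rule 3: no treatment relationship at all; worse when the patient is a VIP.
    on_team = acc.user in CARE_TEAM.get(acc.patient, set())
    if not on_team:
        sev = "high" if acc.patient in VIP_PATIENTS else "medium"
        findings.append((sev, "no care-team relationship to patient"))
        # Rule 4: the chart belongs to a colleague (the Veriphyr snooping pattern).
        owner = next((e["name"] for e in EMPLOYEES.values()
                      if e["patient_id"] == acc.patient), None)
        if owner:
            findings.append(("medium", f"record belongs to co-worker {owner}"))
    return findings


def review_log(lines):
    """Run review_access over every line; return {line_index: findings} for flagged lines."""
    flagged = {}
    for i, line in enumerate(lines):
        findings = review_access(parse_line(line))
        if findings:
            flagged[i] = findings
    return flagged


def summarize(flagged):
    """Count findings per severity so a reviewer can triage the worst first."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for findings in flagged.values():
        for sev, _ in findings:
            counts[sev] += 1
    return counts


# Constructed sample log: one day of chart accesses.
SAMPLE_LOG = [
    "2018-04-02T09:15:00|u104|p500|view",    # 0 Dr D treats Nurse A: legitimate
    "2018-04-02T09:20:00|u102|p500|view",    # 1 Nurse B peeks at Nurse A's chart
    "2018-04-02T10:00:00|u101|p500|view",    # 2 Nurse A opens her own chart
    "2018-04-02T11:30:00|u103|p900|view",    # 3 Clerk C left in March, still logging in
    "2018-04-02T23:45:00|u102|p777|view",    # 4 off-team look at the VIP admission
    "2018-04-02T12:00:00|u999|p900|view",    # 5 account not on the roster
    "2018-04-02T13:00:00|u101|p501|update",  # 6 Nurse A charts on Nurse B: on care team
]

if __name__ == "__main__":
    result = review_log(SAMPLE_LOG)
    for idx, findings in result.items():
        print(SAMPLE_LOG[idx], findings)
    print(summarize(result))
```

The checks deliberately key on relationships (care team, co-worker, employment status) rather than on volume alone, because a single curious look at a colleague’s or a celebrity’s chart is exactly the event the Veriphyr numbers describe and it never shows up as an anomaly in access counts. The terminated-account rule is the log-side counterpart of the “terminate access” item: if HR says someone left in March and the EHR still records their logins in April, deprovisioning has failed somewhere.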