The insider threat security risk is a prevalent challenge to the healthcare industry, not just in the US, but globally. A study by Verizon in 2018 suggested that more than half of healthcare breaches were caused by the insider threat, and in 2019 this figure was 34%. Although there has been some improvement, these figures are still worryingly high compared to other industries.
US healthcare organizations have become a prime target for hacking communities, not because they have weak security, but because the data they protect has considerable value. HIPAA compliance was created to ensure mandatory safeguards were being observed to reduced this risk. Some of the biggest risks to healthcare IT are ransomware (malware), poor security management (eg. weak passwords), and the insider threat.
According to the Ponemon Institute, insider threats are defined as “ a careless or negligent employee or contractor, a criminal or malicious insider or a credential thief”. There was a staggering 4,700 reported insider security breaches in 2020. It is likely the real figure is much higher than this because non-healthcare industries are not bound by regulation to disclose this information.
What causes insider data breaches?
Not all insider actors intentionally seek to damage the healthcare institution they work for, and there are many different reasons why confidential information may have been leaked. The breach could be the result of human error. Everyone makes mistakes, and it is possible that employees rushing to meet deadlines may inadvertently share protected health information (PHI) – perhaps they emailed the wrong client.
Other personnel might simply not be aware that sharing PHI is considered a breach of HIPAA regulations. The accidental sharing of PHI may have been triggered by inadequate training, or non-compliant security tools, such as an email client missing email encryption protection.
That being said, employees may also deliberately leak information to harm their employers, such as sharing confidential data with rival healthcare practice. Some may steal it for personal financial gain, others may do it to demonstrate known internal security risks, almost acting like a vigilante for the greater good.
Other risks might include employees transferring confidential information to a new employer when they move jobs, either deliberately or not. Some employees have been discovered leaking data to cybercriminals, or even selling data to a competitor. There is also a risk when employees share data on their personal devices, for example, emailing themselves, copying files to their phone, etc. Something that may seem innocent is a major breach of HIPAA compliance.
Why is healthcare a target?
Healthcare is a heavily regulated industry. HIPAA compliance was introduced in 1996 to protect the integrity of protected health information (PHI), essentially any data that can be used to identify an individual. There have been subsequent amendments to the rules as technology has evolved, notably the Security and Privacy rules of 2003, and the Final Omnibus Rule of 2013.
These safeguards are enforced by the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). The rules are designed to protect the patient data, any personally identifiable information such as personal addresses, bank accounts, payroll numbers, insurance information, and so on.
If any of this data got into the wrong hands it would likely cause much distress to the victim, and potentially have significant ramifications to the healthcare organization at fault. The impact of a data breach will likely cause substantial reputational damage, a loss of customers, deep financial losses to remediate the problem, and perhaps a loss of intellectual property.
What can be done to counter this threat?
The Ponemon Institute identified three key areas for Insider threat management. These are a “program that combines people, processes, and technology to identify and prevent incidents within the organization”.
Healthcare organizations and their business associates have a joint responsibility to protect PHI. Outsourcing key technology to a HIPAA compliant hosting partner is an easy win to secure PHI. Leveraging a provider’s hosting service that is built to the highest specifications, to meet and exceed the administrative, physical, and technical safeguards of HIPAA will help to create a secure ecosystem that will greatly reduce the risk of human error.
Safeguards that can track, trace, and report upon unexpected user activity and monitor user behavior analytics. Organizations must create access controls based upon the principle of least privileged, introduce strict access control management, and operate privileged access management (PAM) to servers or databases that contain restricted information. This is usually a Multi-Factor Authentication (MFA) service, similar to what you might use for online banking.
Threat detection platforms, such as an intrusion protection system (IPS) can be used to scan networks for suspicious activity and monitor network traffic for intelligent data loss prevention (DLP). Detailed logging capabilities introduce security incident and event management operations, and procedural incident response safeguards should be in place, explaining how to react if any threats are identified.
Moderate monitoring and surveillance should be conducted on employee activity, this is not a big brother scenario, instead of having checks and balances in place that can be called upon if needed. For example, detailed logging can be used to track system administrator activities, this is common practice within the industry, warnings are often displayed directly to users upon logging into a business domain using a customized interactive message.
Any investigation into insider threats can easily identify the culprits. Each user has a unique login, and event logging on servers is so detailed, it is easy to work out user activity. If suspicious activity is suspected, the appropriate escalation paths should be available within the organization to report to.
If an insider has breached information then it is important to have containment and remediation planning in place. This could be as simple as changing passwords on a user account, or it could mean powering down part, or all of a production system, or even invoking disaster recovery, which is one of the key requirements of HIPAA for this very reason.
Employees of business associates should receive regular training on data security and compliance, training is one of the best ways to protect healthcare organizations. Most breaches are not malicious and are usually the result of an honest mistake. This can be countered by offering regular employee training.
Each employee is the first line of defense, and they have a duty to uphold HIPAA regulations. Therefore the employer must ensure adequate training is provided as well as refresher courses.
To summarize, the insider threat is definitely a threat to be taken seriously by healthcare organizations, but studies have shown that the bad actor does not always breach information on purpose. Most data breaches are accidental and human error. Human error can be addressed by debriefing employees on the incident and offering training to ensure mishaps do not happen in the future.
We understand that rogue insiders do exist, but certainly to a lesser scale. The only way this can be improved upon is to firm up the selection process when hiring employees, offer ethics and security training, and ask managers to keep an eye on their employees. It would be ethically wrong to closely monitor all employee activity as trust must always exist to create a productive working environment.
The best way to counter the insider threat is to outsource healthcare IT systems to a HIPAA compliant hosting partner. Both organizations work together to secure the platform, and the business associate has a duty of responsibility to hire diligent and trustworthy employees.
Read More from this Author