In 2017, the Department of Health and Human Services Office for Civil Rights levied over $19 million in fines against healthcare organizations for HIPAA violations. Organizations are scrambling to secure their patient data in 2018 to prevent data breaches, fines, and reputational damage. What they have found is that a number of these security incidents and breaches are caused by insiders: employees and non-employees who have access to patient data, also known as “insider threats”.
Protecting Dispersed Patient Data from Insider Threats
A hospital’s network can be thought of as a web of interconnectivity where patient data is stored or transmitted in many systems. Healthcare organizations focus strongly on keeping their networks secure and unauthorized users blocked, but that is not enough. The HIPAA Privacy Rule requires the protection of “all individually identifiable health information”, and that protection must cover both external actors and internal users who have no legitimate access rights to the data. This protection, against both external and internal individuals, must also extend across dispersed systems: EHRs and all the other devices and systems where patient data may reside, such as ancillary clinical systems, revenue cycle systems, mobile devices, removable media, biomedical devices, and messaging apps.
Below are four examples of organization insiders maliciously or accidentally misusing patient information:
1. Third Party Contractor
Robert is a non-employee working as a contracted healthcare data analyst. He supports the geriatric clinic with technical and data analysis tasks. Due to the nature of his work, he has access to a large amount of patient data. Robert was curious about the value of the patient information he handles and learned how much money he could obtain by selling this data to those committing Medicare fraud. He can supply himself with a second income if he exfiltrates the data regularly. Robert obtains clinical and Medicare data on a small group of patients each month to sell and eventually leaves the organization without detection.
2. Social Engineering
Vanessa works as a registration clerk in a hospital’s emergency room. She is committed to helping patients and the hospital but often feels overwhelmed by the volume of work and information she deals with daily. One day, Vanessa receives a call from a lawyer she knows has volunteered his services at the hospital previously. He explains that if she can supply him with a list of patients with specific injuries on specific dates, he can assist these patients and the hospital with his legal services. Vanessa thinks she is doing nothing wrong, especially since she is giving the information to a lawyer who has volunteered at the hospital before and who knows many of the executives there. She gives him the data on a weekly basis via copies of printed patient data.
3. Family Member Snooping
Lyle Johnston has been a physical therapist at a community hospital for over 30 years. He learns his estranged brother was in a car accident and taken to the ER of the hospital where he works. Worried about his brother but not sure whether his brother wants to be contacted, Lyle accesses his brother’s medical record within the hospital EHR.
4. Access After Termination
Jim Taylor, an IT clinical systems analyst, was fired the day before the Labor Day holiday weekend. However, his network access was not properly terminated, which left him with network access until the following Tuesday. Before his access was removed, Jim used his administrator-level access to obtain the medical records of several IT coworkers and hospital executives. In October, he contacted his former employer and threatened to release those records unless he was paid a significant sum.
Mitigate Risk and Prevent the Insider Threat
The examples above demonstrate just a handful of the many real-life challenges healthcare organizations face that expose them to data breaches and compliance violations. Incidents like these often lead to the involvement of law enforcement, including forensic investigations and e-discovery. Because 60% of data breaches are caused by insiders, healthcare organizations need to take a comprehensive approach to access control in which attacks from inside the network are guarded against.
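As an added illustration (not code from the original post or from FairWarning’s product), the following Python script applies three EHR audit-trail rules that map to the scenarios above: access after the HR termination date, a user viewing a patient who shares the user’s surname (a weak family-snooping signal that still needs human review), and bulk export of distinct patient records by one account. All staff names, patient IDs and dates are constructed, and the staff directory format is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed staff directory (hypothetical accounts; not data from the post).
# term_date is None for active accounts, otherwise the HR termination date.
STAFF = {
    "ljohnston": {"surname": "Johnston", "role": "PT",      "term_date": None},
    "jtaylor":   {"surname": "Taylor",   "role": "IT",      "term_date": date(2018, 8, 31)},
    "rcontract": {"surname": "Rivera",   "role": "analyst", "term_date": None},
}

# Constructed EHR audit trail: (user, patient_id, patient_surname, action, day)
AUDIT = [
    ("ljohnston", "P100", "Johnston", "view",   date(2018, 9, 4)),  # same surname
    ("ljohnston", "P101", "Okafor",   "view",   date(2018, 9, 4)),
    ("jtaylor",   "P200", "Nguyen",   "view",   date(2018, 9, 1)),  # after Aug 31 term
    ("jtaylor",   "P201", "Diaz",     "view",   date(2018, 9, 3)),  # after Aug 31 term
    ("rcontract", "P300", "Lee",      "export", date(2018, 9, 5)),
    ("rcontract", "P301", "Park",     "export", date(2018, 9, 5)),
    ("rcontract", "P302", "Moss",     "export", date(2018, 9, 6)),
    ("rcontract", "P303", "Hale",     "export", date(2018, 9, 6)),
]

def flag_access(audit, staff, bulk_threshold=3):
    """Return (user, rule, detail) alerts for the three insider patterns.

    Surname matches are a weak indicator (common surnames collide), so they
    are raised for privacy-team review rather than treated as a verdict.
    bulk_threshold is deliberately low for this constructed sample.
    """
    alerts = []
    exported = defaultdict(set)  # user -> distinct patient IDs exported
    for user, pid, p_surname, action, day in audit:
        record = staff.get(user)
        if record is None:
            alerts.append((user, "unknown_account", pid))
            continue
        term = record["term_date"]
        if term is not None and day > term:
            alerts.append((user, "post_termination_access", f"{pid} on {day}"))
        if p_surname.lower() == record["surname"].lower():
            alerts.append((user, "surname_match", pid))
        if action == "export":
            exported[user].add(pid)
    for user, pids in exported.items():
        if len(pids) >= bulk_threshold:
            alerts.append((user, "bulk_export", f"{len(pids)} distinct patients"))
    return alerts
```

Running `flag_access(AUDIT, STAFF)` yields one surname-match alert, two post-termination alerts and one bulk-export alert for the constructed trail.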
Organizations are using FairWarning’s Patient Privacy Intelligence (PPI) and Managed Privacy Services (MPS) to achieve this comprehensive access control and transform their security and privacy programs. PPI provides real-time detection and proactive alerting of inappropriate access to personal health information across all major EHRs, healthcare applications, cloud applications, and big data projects.
MPS is an affordable security services solution for healthcare providers of all budgets that leverages FairWarning’s expert team of HIPAA-certified compliance, security, and product analysts to provide worry-free staffing. With the MPS team providing daily monitoring, internal privacy and security teams need only review the items the MPS team escalates to them. This ‘time back’ allows internal team members to work on higher-value, more strategic projects.