Healthcare faces an advanced set of challenges to secure data compared to other industries. There’s no single contributing factor, but rather a wide array of industry obstacles that make securing Protected Health Information (PHI) and ensuring healthcare data privacy so difficult. From the proliferation of ePHI as business processes have become digitized, to the high value of ePHI to fuel fraud – data is now widely dispersed and highly valuable.
On top of this, healthcare is a highly regulated industry where compliance blunders and data breaches can cause organizations fiscal and reputational damage.
However, there’s one threat to ePHI that trumps all others: insider threats. 58% of breaches involved insiders according to the Verizon 2018 Protected Health Information Data Breach Report. Verizon evaluated 1,368 security incidents from 2016 and 2017. Below is a breakdown of the report:
Who Steals ePHI and Why?
Cybersecurity was once envisioned as a castle and moat model where the focus was on thwarting outside attackers. Network security, firewalls, and encryption should protect your organization from outside adversaries, right? While these technologies are necessary – this report exemplifies the need for an inside-out approach to security. As stated above, internal actors are most likely to pilfer an organizations’ ePHI, with 58% of security incidents caused by insiders. But why are they doing it? According to the report, it’s fiscal gain. 48% of the insider incidents were motivated by financial gain most likely fueling Medicare and Medicaid fraud, costing taxpayers nearly $100 billion dollars per year.
Trailing behind the motive of financial gain is fun/curiosity. Insiders are known to engage in “snooping”. This means looking at a coworker, family member, or celebrity’s medical record without having a role in their patient care. Snooping is known to leave organizations to face HIPAA compliance violations and data breaches.
How Does Data Theft Occur?
Diving into the 1,368 security incidents, the report focused on threat actions. In other words, what type of actions were associated with the incident? Note that there are often multiple actions associated with each security incident, some of which may not directly be the direct cause, but nevertheless a contributing variable. Here are the top 5 actions associated with security incidents:
- Error: 33.5%
- Misuse: 29.5%
- Physical: 16.3%
- Hacking: 14.8%
- Malware: 10.8%
- Social: 8%
In the report, an error is defined as “incidents involving the unapproved or malicious use of organizational resources. These mainly involve insider-only misuse.” Due to the tremendous complexity of workflows in healthcare, sensitive data may inadvertently be transcribed or transferred, causing or contributing to a security incident.
While the error may be inadvertent actions, “misuse” can be fined as “incidents involving the unapproved or malicious use of organizational resources.” The bad actor knows what he/she is doing is wrong. Below are the top 5 misuse cases:
- Privilege Abuse: 66%
- Data Mishandling: 21.6%
- Possession Abuse: 16.9%
- Knowledge Abuse: 4.2%
- Email Misuse: 2.6%
66% of misuse incidents were related to “privilege abuse.” With great power comes great responsibility, but in the case of privileged users, this power is often abused to gain access to sensitive data in an unauthorized manner. This should raise alarm bells for healthcare organizations being that privileged users are considered the most trusted members of the organization since they have advanced access to the company network.
Ransomware Enters the Network
Cybersecurity attacks such as Petya, Not Petya, and WannaCry plagued the healthcare industry in the past year. Not surprisingly Ransomware was reflected in the report’s findings as the top malware attack.
70.5% percent of malware attacks on healthcare were categorized as ransomware attacks. Ransomware encrypts the infected system’s data and requires the organization to pay a fee to regain access to it. Although this is an outside-in attack, ransomware attacks are enabled by insiders who are directly or indirectly manipulated by malicious outsiders to help them carry out their attack. Below are the top 5 threat action varieties:
- Phishing: 69.9%
- Pretexting 11.7%
- Bribery 7.8%
- Forgery 2.9%
- Propaganda 2.9%
Phishing topped the list and is carried out by an outsider who sends communications such as an email or phone call to a person inside an organization. The insider clicks on a link or file which then allows the malware to enter the network and pilfer information systems.
Time and Discovery Matters
They say the time it takes to discover and remediate a data breach or security incident often is a direct link to the amount of damage that is done to an organization. Verizon’s report notes a surprising statistic: 53% of the security incidents took months or years to discover.
Similar studies also highlight the alarming length of time to discover these incidents. The 2017 Cost of a data breach Study: Global Overview conducted by Ponemon found that the average time to discover a data breach was 206 days.
Take Action to Secure ePHI as Part of Security Program Maturation
So what do we make of Verizon’s findings? In order to help ensure healthcare data privacy and avoid HIPAA compliance and legal blunders, organizations can take the following steps:
- Conduct risk analysis of all system a risk analysis of all systems holding ePHI. Risk analysis looks to where your ePHI is stored and orders the prioritization of systems holding ePHI. Under the HIPAA Security Rule, all applications containing PHI are subject to the HIPAA Laws. Conducting a risk analysis to identify all systems and applications that contain ePHI will allow you to better monitor patient information.
- Strengthen identities and monitor to predict and prevent breaches. Healthcare organizations can use behavioral analytics and auditing to ensure the safety of mission-critical applications and systems. Since 58% of security incidents are caused by insiders, monitor user activity inside EHRs and cloud applications to detect suspicious or unusual behavior. The quicker you can spot a breach or security incident, the faster it can be contained and mitigated – especially since the average time to detect a data breach is 206 days. Organizations are crafting their security and privacy programs around Patient Privacy Intelligence (PPI), which secures patient data stored in EHRs, cloud, and big data as required by HIPAA. PPI assists organizations through pressing scenarios such as OCR audits, forensic investigations, eDiscovery, and lawsuits.
- Perform Access Rights Management Review. Since Privilege Abuse is the top case of misuse, users should be monitored and identified for permissions that need to be rolled back or reduced. Users should be given permissions to only what is necessary to perform their job role. Organizations can customize user privileges per user and per application. For example, if an employee needs read/write privileges to a certain files system, then they don’t necessarily need root privileges. Applying unnecessary privileges puts your organization at increased risk.
- Employ Managed Security Services. Healthcare organizations need to strengthen their privacy and security staff in today’s landscape of increasing threats. However, industry challenges such as staff turnover, scale, budget, and complex workflows make hiring and retaining cybersecurity staff difficult. The industry is turning to Managed Privacy Services (MPS) to strengthen their team. MPS provides outsourced monitoring and management of accounts, devices, and systems. In many cases, MPS reduces workload by up to 80%.
- Drive Culture and Training. A clearly defined culture of privacy and security should be driven by any organization handling PHI. Users should be trained in identifying and thwarting phishing attacks that could infiltrate the organization and spread ransomware. Also, training users on acceptable use policies and procedures through LMS will contribute to compliance.
- Prepare an Incident Response Plan. You should always be ready for the worst-case scenario. Crafting a quality incident response plan (IRP) will help contain security incidents that would otherwise become full-blown breaches involving regulatory authorities. Under the HIPAA Security Rule, IRPs are required for covered entities. The Department of Health and Human Services provides a free Incident Response Plan template to help organizations craft an agile plan to handle incidents.
Securing patient data will continue to be a challenge as new systems, technologies, and employees create a complex and widespread footprint of where ePHI is stored and transmitted. It’s explicit in this report that insiders are the greatest threat to healthcare data privacy and security. Organizations should take a multi-layered approach to security from the inside out where employees are your greatest asset to security, not the greatest vulnerability.
Hear directly from our customers about their success using Patient Privacy Intelligence and Managed Privacy Services: Success Stories