We usually think of HIPAA violations as the work of outside attackers who use phishing emails, pop-up ads, rogue Wi-Fi networks and similar tricks to get users to hand over access to Protected Health Information (PHI). But according to Verizon’s Protected Health Information Data Breach Report, 58% of healthcare data breaches and security incidents involve insiders.[1] How can you protect your office from such threats?
First, understand who counts as an “insider”. Employees are the most obvious. Also include anyone who is given access to email accounts, the EHR, computers, tablets, smartphones, printers, fax machines or patient equipment on your network, and anyone else with access to the office network, such as IT contractors and vendors. Finally, don’t forget visitors such as custodial staff, pharmaceutical reps and the people who stock non-medical supplies. Anyone with access to an area where PHI resides, in electronic or printed form, is an insider.
The threats posed by insiders may be either unintentional or malicious. Unintentional threats typically involve careless employees who cause breaches through errors. The Verizon report found that the most common errors include: incorrect delivery of emails and snail mail, inappropriate disposal of PHI, loss of devices containing PHI and publishing sensitive information on social media and public websites.
Insider breaches may also occur through intentional misuse of PHI access. Employees may be tempted to snoop into the records of well-known patients, ex-partners and neighbors. If the information they discover is “juicy”, they may share it on social media.
Malicious threats by insiders can be more serious. The Accenture 2018 Healthcare Workforce Survey on Cyber Security reported that one in five respondents indicated that they would consider accessing and selling confidential information for the right price.[2] Disgruntled employees may steal and sell patient information, and they may sabotage IT systems prior to their departure.
The Accenture report also found that 29 percent of health care employees had received cyber security awareness training only once. Additionally, 15 to 20 percent of survey participants admitted that their compliance with cyber security policies is poor, including not using secure password management, sometimes downloading questionable email attachments and software, and using insecure networks.
The report found that more training did not correlate with better cyber security behavior. This does not diminish the value of training, but it points to the need for other measures that embed cyber security in your practice culture. Use memorable poster reminders throughout the office and change them regularly. Encourage employees to report suspicious phishing emails or pop-ups they receive, and treat those reports as helpful rather than as admissions of error. Involve employees in building a cyber-secure office rather than just telling them what to do and what not to do.
Following are steps you can take to reduce the risk of an insider security breach:
- Conduct a thorough background check prior to employing anyone. In addition to speaking with former employers and checking for criminal records, conduct a Google search and check social media accounts. Be sure the individual you are hiring does not have a habit of posting gossip or inappropriate material.
- Conduct HIPAA awareness training and regular refresher courses. It is vital to repeatedly educate employees about their responsibilities under HIPAA. Employees should be informed about penalties associated with HIPAA violations, including termination and possible criminal charges.
- Phishing is a major cause of data breaches, and in most cases the employee never realizes they have helped an attacker reach your PHI. Use layered anti-phishing defenses to keep these emails out of inboxes: spam and malware filtering, attachment and link scanning, and SPF, DKIM and DMARC records for your own domain so that attackers cannot easily spoof it. No filter catches everything, so pair the technical controls with an easy way for staff to report whatever gets through.
- Control access to PHI by giving each employee only the access they need to do their job, which is also what the HIPAA Privacy Rule’s “minimum necessary” standard (45 CFR 164.502(b)) expects. A receptionist, for example, needs scheduling and demographic data but usually not clinical notes or lab results.
- Reinforce the importance of not sharing login credentials or writing down the login information and storing it in a place where it might be accessible to another employee or office visitor.
- Enforce password rules in the admin console so employees cannot pick easy-to-guess passwords. Traditional rules require a mix of upper and lowercase letters, a numeral and a special character, and some systems can also reject sequences such as “123” or “abc”. Current NIST guidance (SP 800-63B) favors length (at least 8 characters, longer is better), checking new passwords against lists of known-breached passwords and rate-limiting login attempts over complex composition rules and forced periodic changes, so prefer those options where your software offers them. Implement two-factor authentication for any app or website that holds PHI; at a minimum, require a second factor whenever it is accessed remotely or from an unrecognized device.
- Monitor employee activity. The HIPAA Security Rule requires audit controls that record activity in systems containing electronic PHI (45 CFR 164.312(b)) and regular review of that activity (45 CFR 164.308(a)(1)(ii)(D)). The review can be manual, or you can invest in software that scans the logs and flags suspicious activity. Look for anomalies in user activity and changes in access patterns: record access outside working hours, an employee opening far more charts than usual or charts of patients not on their schedule, and lookups of patients who share the employee’s surname or address, or of well-known people in the community.
- Let employees know that you monitor EHR security logs and that these logs will detect any suspicious activity. This may discourage employees from being “recruited” by a friend or Internet acquaintance to steal PHI.
- Encourage employees to report suspicious activity, such as a co-worker or office visitor repeatedly hiding their device’s screen when someone approaches, a co-worker asking to use someone else’s login credentials or an employee who starts staying late “to catch up on work”. Assure whistleblowers that their identities will remain confidential to the extent possible.
- Create temporary login accounts with expiration dates for contractors and temporary employees, and set the expiration date when the account is created rather than relying on someone to remember to disable it later. Review the list of active accounts regularly for any that should have been closed.
- When employees leave your practice, revoke their access immediately: disable EHR and email accounts, VPN and other remote access, and change any shared passwords they knew, such as the Wi-Fi or a shared mailbox. If the employee accessed PHI from a personal device, make sure the device’s stored credentials and any stored PHI are removed. If you have a Bring Your Own Device policy, have employees agree in advance that on departure they will submit the device for a complete wipe (or, if you use mobile device management software, a remote wipe of the work data) so that all PHI is deleted.
- Be alert after unexpected resignations. Immediately review the departing employee’s recent access logs and check all devices and systems they used for malware or evidence that they attempted to reach data beyond their authorization level.
- Encrypt portable devices. Enable full-disk encryption (for example BitLocker on Windows, FileVault on macOS and the built-in device encryption on phones and tablets); under HHS guidance, a lost or stolen device whose PHI is encrypted to NIST standards is not treated as a breach of unsecured PHI. Configure short automatic screen locks, remind employees never to walk away from a device without locking it, and have them keep devices physically secured at home and when travelling. A tech-savvy friend of an employee’s child may find an unattended work tablet irresistible.
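A small log review of the kind the monitoring step above describes, given here as an added example that is not part of the original article and is not code from any EHR product. It parses a constructed audit export (the comma-separated format, the user names, roles, patient IDs and surnames, the staff directory and the thresholds are all assumptions made for illustration) and flags three of the patterns the text lists: access outside working hours, an employee opening a chart that shares their own surname, and a day on which a user touched far more distinct charts than on their other days.

```python
"""Review a constructed EHR access log for insider-threat signals.

Added example, not code from the article or any EHR vendor. The log
format (timestamp,user,role,patient_id,patient_surname,action), the
staff directory and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit export; every row is made up.
SAMPLE_LOG = """\
2019-04-15T08:05:12,jsmith,nurse,P1001,Garcia,view
2019-04-15T08:09:40,jsmith,nurse,P1002,Lee,view
2019-04-15T10:30:00,jsmith,nurse,P1003,Patel,view
2019-04-15T09:15:03,rjones,reception,P1003,Patel,view
2019-04-15T09:16:20,rjones,reception,P1004,Kim,view
2019-04-15T22:41:55,rjones,reception,P1010,Nguyen,view
2019-04-15T22:42:30,rjones,reception,P1011,Smith,view
2019-04-15T22:43:10,rjones,reception,P1012,Brown,view
2019-04-15T22:44:05,rjones,reception,P1013,Jones,view
2019-04-15T22:45:20,rjones,reception,P1014,Chen,view
2019-04-15T22:46:40,rjones,reception,P1015,Wong,view
2019-04-16T08:10:00,jsmith,nurse,P1005,Ortiz,view
2019-04-16T09:00:00,jsmith,nurse,P1006,Ali,view
2019-04-16T09:05:00,rjones,reception,P1007,Davis,view
2019-04-16T09:10:00,rjones,reception,P1008,Evans,view
2019-04-16T10:02:00,dlee,physician,P1002,Lee,view
2019-04-16T11:00:00,dlee,physician,P1016,Rossi,view
2019-04-17T08:30:00,jsmith,nurse,P1017,Park,view
2019-04-17T09:00:00,rjones,reception,P1009,Hill,view
"""

# Assumed staff directory (login -> surname) for the same-surname check.
USER_SURNAMES = {"jsmith": "Smith", "rjones": "Jones", "dlee": "Lee"}

FIELDS = ("ts", "user", "role", "patient_id", "patient_surname", "action")


def parse_log(text):
    """Turn the CSV export into a list of dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_off_hours(events, start=time(7, 0), end=time(19, 0)):
    """Chart access outside the practice's normal hours (assumed 07:00-19:00)."""
    return [e for e in events if not (start <= e["ts"].time() < end)]


def find_surname_matches(events, user_surnames):
    """A user opening a chart that shares their own surname: a possible
    self or family lookup. This is legitimate for a treating clinician,
    so it is a lead for human review, not proof of misuse."""
    return [e for e in events
            if user_surnames.get(e["user"], "").lower() == e["patient_surname"].lower()]


def find_volume_spikes(events, factor=3.0, floor=5):
    """Days on which a user touched far more distinct charts than on their
    other days. Count must exceed `floor` and `factor` times the user's
    average on other days; a user with no other days is judged by `floor`."""
    per_day = defaultdict(set)  # (user, date) -> set of patient ids
    for e in events:
        per_day[(e["user"], e["ts"].date())].add(e["patient_id"])
    spikes = []
    for (user, day), patients in sorted(per_day.items()):
        others = [len(p) for (u, d), p in per_day.items() if u == user and d != day]
        baseline = sum(others) / len(others) if others else 0.0
        count = len(patients)
        if count >= floor and count > factor * baseline:
            spikes.append({"user": user, "date": day, "count": count, "baseline": baseline})
    return spikes


def review(text, user_surnames=USER_SURNAMES):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "off_hours": find_off_hours(events),
        "surname_match": find_surname_matches(events, user_surnames),
        "volume_spike": find_volume_spikes(events),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(f"{check}: {len(hits)} finding(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed data the script reports six off-hours views, two same-surname lookups and one volume spike. Each finding is a lead, not a verdict: the physician dlee opening a chart for a patient named Lee may well be routine care, whereas the receptionist rjones opening eight charts late in the evening, including one with the receptionist's own surname, is the pattern to ask about. In a real office you would feed it the EHR's own audit export, keep the thresholds per role rather than global, and record who reviewed each finding and what they concluded, since the review itself is part of what the Security Rule expects you to document.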
The majority of individuals who work in your office are honest people doing their jobs the best they can. However, occasionally, a dishonest person may join your staff and may use patient information for financial gain. You can protect your patients and your practice by being cautious and implementing necessary safeguards.
Sources
HIPAA Journal. How to Defend Against Insider Threats in Healthcare. Apr 26, 2018. Accessed April 19, 2019. https://www.hipaajournal.com/how-to-defend-against-insider-threats-in-healthcare/
FairWarning. 5 Types of Insider Threats in Healthcare – and How to Mitigate Them. Accessed April 19, 2019. https://www.fairwarning.com/blog/5-faces-insider-threat-in-healthcare/
[1]Verizon. Protected Health Information Data Breach Report. (The Verizon report investigated 1,368 breach incidents from 2016 to 2017. Health care industry breaches comprised 1,099 of the total. Breaches occurred in 27 countries, with nearly 75 percent of them in the United States.) Accessed April 19, 2019. https://enterprise.verizon.com/resources/reports/2015/2015-protected-health-information-data-breach-report.pdf
[2]Accenture 2018 Healthcare Workforce Survey on Cyber Security. (The Accenture 2017 online survey included 912 qualified employees of health providers and payer organizations in the United States and Canada.) Accessed April 17, 2019. https://newsroom.accenture.com/news/one-in-five-health-employees-willing-to-sell-confidential-data-to-unauthorized-parties-accenture-survey-finds.htm