For those that follow me, I often write on the susceptibility of the healthcare sector to today's data threats because it:
- is a part of our critical infrastructure,
- is one of the most highly targeted cyber niches, and
- oftentimes pays the ransom to (hopefully) recover its (our) data.
Yet when most people think of healthcare data breaches, they imagine cyberattacks like ransomware and hacking. While guarding your data from cybercriminals and other external threats is extremely important, your defensive strategy shouldn't stop there. Healthcare data breaches are often caused (whether intentionally or unintentionally) by your own employees, contractors, or third-party vendors who have authorized access to your sensitive data and systems.
Two recent cases illustrate the point. United Healthcare's Change Healthcare will likely take months before the company determines how many individuals have been affected by its data breach; UnitedHealth said the number of people impacted "could cover a substantial portion of people in America." And in Australia, the Australian federal police are investigating after the electronic prescriptions provider MediSecure reported being the victim of a large-scale ransomware data breach, but it has yet to be revealed how many people have had their personal information exposed. MediSecure has said the breach likely originated from a third-party vendor.
Yet this article is on insider threats.
Malicious Insider Threats
A malicious insider makes a conscious decision to act inappropriately and has some motive to benefit themselves or harm your organization. Here are some examples of intentional misuse of health information:
- a departing employee downloading patient data for a possible whistle-blower action;
- an employee using patient information to commit fraud and identity theft or accessing a celebrity’s medical records for financial gain; or
- an administrative staff member snooping at medical records for personal reasons.
The financial impact can be staggering. Earlier this year, the U.S. Department of Health and Human Services (HHS) reached a $4.75 million settlement with a non-profit hospital system based in New York City after HHS investigated the hospital for several potential healthcare security violations, which allowed an employee to steal and sell patients’ protected health information over a six-month period. The settlement details can be found here.
Unintentional Insider Threats
Insiders can pose a major risk to the health sector even if they do not have malicious intent. Here are some examples of insider threats resulting from lack of training or careless mistakes:
- a residential care staff member casually discussing one patient's mental health issues with another patient who further disseminates that information;
- an employee who falls for a phishing attack that enables bad actors to access your healthcare network;
- an employee leaving an unencrypted laptop unattended, allowing a third-party bad actor to copy sensitive data on the device; or
- remote workers attending sensitive meetings virtually in the vicinity of unauthorized individuals or active voice assistants, leading to data leaks.
What Are the Consequences?
Healthcare data breaches can have serious consequences such as civil and criminal penalties and damage your organization’s reputation. For example, HIPAA violations can subject:
- covered entities and business associates to civil monetary penalties up to $68,928 (or up to $2,067,813 for violations that are not timely corrected) – per incident but subject to annual caps – depending on culpability levels; and
- in severe cases, individuals (such as healthcare professionals who knowingly violate HIPAA) to criminal penalties including fines up to $250,000 and imprisonment up to 10 years depending on the nature of the violation.
Your organization should also consider implementing internal disciplinary procedures for employees who violate your healthcare data security and privacy policies.
Tackling insider threats should be a joint effort between healthcare leadership and your information technology and human resources departments. Consider taking these five steps:
1. Review and Revise Your HIPAA Policies and Procedures
Scale and customize your policies for the specific needs of your organization. Because of the huge range in types and sizes of entities that must comply with the HIPAA rules, there is no one-size-fits-all approach. Your approach MUST be updated as your workforce, operations, and technologies evolve.
2. Train Your Workforce on An Ongoing Basis
Since insiders are a common cause of breaches and mistakes can be costly, it is imperative that your workforce is aware of and current on your HIPAA policies and procedures. Training should be specific to your organization and your employees' job responsibilities, and you should conduct it on a regular basis. Strongly emphasize to your employees that they serve a critical role in protecting privacy and security. Remember, as with cyber awareness training, this MUST be an ongoing commitment, NOT a one-and-done!
3. Establish a Consistent Sanction Policy
Consider establishing a sanction policy that clearly communicates your expectations for your workforce members, their individual compliance obligations, and the consequences of noncompliance. Doing so can create a culture of compliance; more importantly, you can eliminate potential claims of discrimination or wrongful termination from employees by pointing to a uniform policy.
Disciplinary action can include warnings, additional required training, and even termination. Last year, HHS issued a newsletter regarding how sanction policies can support HIPAA compliance.
4. Look Out for Warning Signs
Certain indicators can raise red flags of nefarious activity, including:
- official records of security violations or crimes;
- unprofessional or combative behavior; and
- suspicious activity such as creating backdoor accounts, password changes that deny others access to the data, massive downloads of corporate data, or sending sensitive data to a non-work email address.
By detecting potential insider threats, you may be able to prevent or reduce harm to your organization.
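As an added illustration of the suspicious-activity indicators above (this is example code, not part of the original article), the following Python flags the four warning signs over a constructed audit log: account creation by someone outside the identity-admin role, a password reset of another user's account, a burst of record exports inside a sliding window, and PHI emailed to a non-corporate domain. The event format, the admin role set, the corporate domain and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, not taken from the article:
# (timestamp, acting user, action, detail)
EVENTS = [
    ("2024-05-01T09:00:00", "nurse_a", "record_view", "patient:1001"),
    ("2024-05-01T09:20:00", "nurse_a", "record_export", "patient:1001"),
    ("2024-05-01T09:30:00", "nurse_a", "password_reset", "user:nurse_a"),
    ("2024-05-01T10:00:00", "hr_d", "email_send", "to:payroll@hospital.example;phi:yes"),
    ("2024-05-01T11:00:00", "admin_c", "account_create", "user:new_resident"),
    ("2024-05-01T22:10:00", "clerk_b", "account_create", "user:svc_backup2"),
    ("2024-05-01T22:12:00", "clerk_b", "password_reset", "user:admin_c"),
    ("2024-05-01T22:40:00", "clerk_b", "email_send", "to:clerk.b@webmail.example;phi:yes"),
] + [  # 15 record exports by clerk_b inside a single hour
    (f"2024-05-01T22:{m:02d}:00", "clerk_b", "record_export", f"patient:{2000 + m}")
    for m in range(15, 30)
]

IDENTITY_ADMINS = {"admin_c"}   # assumed roles allowed to create accounts / reset others' passwords
CORPORATE_DOMAIN = "hospital.example"
BULK_THRESHOLD = 10             # record exports that count as "massive" ...
WINDOW = timedelta(hours=1)     # ... when they fall inside this sliding window


def detect(events):
    """Return (rule, user, detail) alerts for the four warning signs."""
    alerts, exports = [], defaultdict(list)
    for ts, user, action, detail in events:
        if action == "account_create" and user not in IDENTITY_ADMINS:
            alerts.append(("backdoor_account", user, detail))
        elif action == "password_reset" and user not in IDENTITY_ADMINS and detail != f"user:{user}":
            alerts.append(("lockout_reset", user, detail))  # reset of someone else's password
        elif action == "record_export":
            exports[user].append(datetime.fromisoformat(ts))
        elif action == "email_send":
            fields = dict(f.split(":", 1) for f in detail.split(";"))
            if fields.get("phi") == "yes" and fields["to"].rsplit("@", 1)[-1] != CORPORATE_DOMAIN:
                alerts.append(("phi_to_external_email", user, fields["to"]))
    for user, times in exports.items():  # sliding-window count of exports per user
        times.sort()
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= WINDOW:
                j += 1
            if j - i >= BULK_THRESHOLD:
                alerts.append(("bulk_export", user, f"{j - i} records within {WINDOW}"))
                break
    return alerts
```

Running `detect(EVENTS)` yields four alerts, all attributed to clerk_b, while the routine admin, nurse and HR activity produces none.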
5. Acknowledge Other Laws Beyond HIPAA
Healthcare data breaches can bring other laws into play, including:
- the Federal Trade Commission Act, which prohibits companies from misleading consumers about what is happening with their health information and provides breach notification rules similar to HIPAA's that apply to vendors of personal health records and their third-party service providers;
- other federal laws that require employers to keep employee information confidential, like disability-related medical information under the Americans with Disabilities Act or genetic information under the Genetic Information Nondiscrimination Act;
- state breach notification laws, which may impose stricter timing requirements than HIPAA for providing the breach notification; and
- private lawsuits, which have permitted individuals in some states to bring claims against covered entities for alleged HIPAA violations, even though that law does not provide any private right to sue.
Consider our firm to assist you in your cyber hygiene needs before you become another victim as so many have – large and small across all verticals!
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
Phone (980)339-3352
Cell (914)393-0033
www.rmfreibergcpa.com
Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today’s challenging environment
1 thought on "The Insider Threat to Healthcare Data and Your Responsibility"
Insider threats are such a sneaky business.