OCR Publishes Guidance on Addressing Dangerous Insider Threats

Healthcare groups can create strong defenses to stop cyber criminals from gaining access to sensitive data, but not all threats come from outside the organization. It is also crucial to put in place policies, procedures, and technical solutions to detect and prevent internal attacks. Healthcare workers need access to protected health information (PHI) to complete their work duties. While those individuals may be deemed trustworthy, allowing access to PHI exposes the organization to risk. Workers can go rogue and view or download patient information without authorization, and could easily abuse their access rights to steal patient data for financial profit.

There will always be the occasional bad egg, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more common than you would think. According to the report, 59% of all security incidents and data breaches reviewed for the report were caused by insiders.

Many of those breaches were due to errors made by healthcare workers, but a large percentage were caused by malicious insiders who stole patient data for financial profit. Typical malicious insider attacks include accessing the medical records of celebrities for financial profit and stealing patient data to carry out identity theft and fraud.

These attacks can have serious implications for patients, who may suffer huge losses from identity theft and other improper uses of their PHI. The attacks can also lead to financial and reputational harm to the healthcare group and expose the organization to regulatory fines. Memorial Healthcare System was fined $5.5 million for HIPAA violations related to the inappropriate access and theft of health data by some of its staff during 2012.

This week, the Department of Health and Human Services’ Office for Civil Rights (OCR) has published guidance for healthcare groups on how they can reduce the danger of insider breaches and ensure they are detected rapidly when they do happen.

In its 2019 Summer Cybersecurity Newsletter, OCR provides advice on overcoming the challenges associated with protecting patient data from attacks from within and outlines how risk can be managed to comply with HIPAA Rules.

In order to safeguard patient data, healthcare providers must know all locations where their patient data is stored and how that information flows around the organization. Without such information it is impossible to conduct a thorough and accurate risk analysis to discover all risks to the confidentiality, integrity, and availability of patient data and eliminate those risks or bring them to a reasonable and appropriate level.

Physical, technical and administrative access controls must be created to secure patient data against unauthorized access from within. Role-based access controls can help to reduce risk by stopping employees from accessing resources they are not authorized to use. Those controls should restrict access to the minimum necessary information required to complete work duties.

OCR also reminds covered entities that they must manage what individuals are able to do with patient data. If view-only access is needed, users should not be able to change, delete, or download data. Controls should be configured to prevent access from certain devices such as smartphones and the copying of data to portable storage devices like zip drives.

The complex nature of healthcare IT systems makes it hard to put in place total visibility into the entire network and see every active device. However, without full visibility, it is hard to identify unauthorized data access quickly. OCR reminds covered entities that they must tackle the challenges and obtain visibility into what users are doing on the network. Security teams must constantly check system, event, application, and audit logs in order to quickly detect suspicious activity and unusual data access activity. It may not be possible to eliminate insider breaches, but when they occur, they must be identified and rectified swiftly. There have been many cases of insiders accessing patient records without authorization for many years before the breach was discovered.
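The log review the newsletter calls for is only useful if someone turns the raw audit trail into alerts. The following is an added example, not code from OCR or from any EHR or SIEM product: it parses a constructed key=value audit-log format and applies three rules that are typical of insider-threat detection (one user opening an unusual number of distinct patient records in an hour, access outside normal hours, and access to records flagged for extra scrutiny by a role not cleared for them). The line format, threshold, hours, role names and every sample event are constructed for illustration.

```python
"""Detect unusual PHI access in audit logs (added example; format and sample data constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit-log format: one event per line, space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) dept=(?P<dept>\S+)$"
)

# Records flagged for extra scrutiny (for instance public figures); constructed IDs.
RESTRICTED_PATIENTS = {"P90001"}
# Roles whose duties legitimately include those records; constructed role name.
RESTRICTED_ALLOWED_ROLES = {"records_admin"}

BULK_THRESHOLD = 10      # distinct patients per user per clock hour (constructed)
AFTER_HOURS = (22, 6)    # 22:00 to 06:00 UTC treated as outside normal hours (constructed)


def parse_line(line):
    """Parse one audit line; malformed lines return None and are skipped, not trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def detect(lines):
    """Return a sorted list of (rule, user, detail) findings for the given log lines."""
    events = [e for e in map(parse_line, lines) if e]
    findings = set()
    per_user_hour = defaultdict(set)   # (user, hour bucket) -> distinct patients opened
    for ev in events:
        bucket = (ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))
        per_user_hour[bucket].add(ev["patient"])
        if is_after_hours(ev["ts"]):
            findings.add(("after_hours_access", ev["user"], ev["ts"].isoformat()))
        if ev["patient"] in RESTRICTED_PATIENTS and ev["role"] not in RESTRICTED_ALLOWED_ROLES:
            findings.add(("restricted_record_access", ev["user"], ev["patient"]))
    for (user, hour), patients in per_user_hour.items():
        if len(patients) > BULK_THRESHOLD:
            findings.add(("bulk_record_access", user, f"{len(patients)} patients in {hour}"))
    return sorted(findings)


def sample_log():
    """Constructed sample: routine activity by a nurse and a records admin, plus one
    billing clerk who opens a restricted record at 02:14 and 15 records in one hour."""
    lines = [
        "2019-08-28T14:02:11Z user=anurse role=nurse action=view patient=P10023 dept=ONC",
        "2019-08-28T14:05:40Z user=anurse role=nurse action=change patient=P10023 dept=ONC",
        "2019-08-28T15:10:03Z user=rec01 role=records_admin action=view patient=P90001 dept=HIM",
        "2019-08-28T02:14:07Z user=bclerk role=billing_clerk action=view patient=P90001 dept=BILL",
        "this line is not an audit event",
    ]
    lines += [
        f"2019-08-28T09:{m:02d}:00Z user=bclerk role=billing_clerk action=view patient=P2{m:04d} dept=BILL"
        for m in range(15)
    ]
    return lines


if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(finding)
```

Bucketing by clock hour is deliberately simple; a production rule would use a sliding window and a per-role baseline, since a records administrator legitimately opens far more charts per hour than a billing clerk. The records administrator's access to the restricted record produces no alert here because the role is on the allow-list, which is the kind of exception that itself belongs under periodic review.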

Safeguards can be created, and policies and procedures developed to cut risk, but those measures may not remain effective forever. Security is an ongoing process. Safeguards, policies and procedures need to be constantly reviewed to ensure they continue to be effective. Access rights should be reviewed and amended as appropriate when employees move roles or transfer to another department, and physical and electronic access to data must be disabled quickly when employees leave the group.
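The access-control points made above (role-based access limited to the minimum necessary, view-only users who cannot change, delete or download, no PHI access from smartphones or removable media, and prompt revocation on transfer or departure) can be expressed as a single default-deny policy. The following is an added example written for this page, not code from OCR, from any EHR vendor or from the newsletter; the roles, units, device classes and workforce are constructed and the unit-scoping rule is one illustrative reading of "minimum necessary".

```python
"""Role-based, minimum-necessary PHI access policy (added example; names constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    VIEW = "view"
    CHANGE = "change"
    DELETE = "delete"
    DOWNLOAD = "download"


class Device(Enum):
    MANAGED_WORKSTATION = "managed_workstation"
    SMARTPHONE = "smartphone"
    PORTABLE_STORAGE = "portable_storage"


# Constructed roles: each gets only the actions its duties require.
ROLE_PERMISSIONS = {
    "billing_clerk": {Action.VIEW},                                   # view-only
    "nurse": {Action.VIEW, Action.CHANGE},
    "records_admin": {Action.VIEW, Action.CHANGE, Action.DELETE, Action.DOWNLOAD},
}
ALL_UNIT_ROLES = {"records_admin"}            # duties span every unit; others are unit-scoped
ALLOWED_DEVICES = {Device.MANAGED_WORKSTATION}  # phones and removable media are blocked


@dataclass
class User:
    user_id: str
    role: Optional[str]      # None once the account has been offboarded
    unit: Optional[str]
    active: bool = True


@dataclass
class Record:
    patient_id: str
    unit: str


class AccessPolicy:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def is_permitted(self, user_id, action, record, device):
        """Default deny: every check must pass for access to be granted."""
        user = self.users.get(user_id)
        if user is None or not user.active or user.role is None:
            return False
        if device not in ALLOWED_DEVICES:
            return False
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return False
        # Minimum necessary: unit-scoped roles only reach their own unit's patients.
        if user.role not in ALL_UNIT_ROLES and user.unit != record.unit:
            return False
        return True

    def change_role(self, user_id, new_role, new_unit):
        """Transfer: the old role and unit are replaced, not kept alongside the new ones."""
        user = self.users[user_id]
        user.role, user.unit = new_role, new_unit

    def offboard(self, user_id):
        """Departure: disable the account and strip its role at once."""
        user = self.users[user_id]
        user.active = False
        user.role = None

    def review(self):
        """Periodic access review: active accounts holding a role the policy no longer defines."""
        return sorted(u.user_id for u in self.users.values()
                      if u.active and u.role not in ROLE_PERMISSIONS)


def demo():
    """Walk a constructed workforce through the controls and return each decision."""
    policy = AccessPolicy([
        User("clerk1", "billing_clerk", "BILL"),
        User("nurse1", "nurse", "ONC"),
        User("legacy1", "radiology_tech", "RAD"),   # role since removed from policy
    ])
    bill, onc, card = Record("P3", "BILL"), Record("P10023", "ONC"), Record("P10077", "CARD")
    ws, phone = Device.MANAGED_WORKSTATION, Device.SMARTPHONE
    out = {
        "clerk_view_own_unit": policy.is_permitted("clerk1", Action.VIEW, bill, ws),
        "clerk_download": policy.is_permitted("clerk1", Action.DOWNLOAD, bill, ws),
        "nurse_change_own_unit": policy.is_permitted("nurse1", Action.CHANGE, onc, ws),
        "nurse_view_other_unit": policy.is_permitted("nurse1", Action.VIEW, card, ws),
        "nurse_from_phone": policy.is_permitted("nurse1", Action.VIEW, onc, phone),
        "review_before": policy.review(),
    }
    policy.change_role("nurse1", "nurse", "CARD")   # transfer to cardiology
    out["nurse_after_transfer_old_unit"] = policy.is_permitted("nurse1", Action.VIEW, onc, ws)
    out["nurse_after_transfer_new_unit"] = policy.is_permitted("nurse1", Action.VIEW, card, ws)
    policy.offboard("clerk1")
    out["clerk_after_offboard"] = policy.is_permitted("clerk1", Action.VIEW, bill, ws)
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two design choices carry the weight here: `is_permitted` denies unless every check passes, so a missing role or an unknown device class fails closed; and `change_role` overwrites rather than appends, which is what prevents the permission creep that periodic reviews otherwise have to clean up. `review` shows the other half of that loop, surfacing active accounts whose role no longer exists in the policy.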

Stopping and discovering attacks by malicious insiders is difficult, but by being aware of the risks and implementing appropriate safeguards, the risk of a breach can be addressed and reduced to an appropriate level.