OCR Publishes Guidance on Addressing Dangerous Insider Threats

by Patrick Kennedy | Oct 16, 2019

Healthcare organizations can build strong perimeter defenses to keep cyber criminals away from sensitive data, but not every threat comes from outside. It is just as important to have policies, procedures, and technical controls in place to detect and prevent attacks from within. Healthcare workers need access to protected health information (PHI) to do their jobs. Those individuals may be trustworthy, but every grant of access to PHI carries risk: an employee can go rogue and view or download patient information without authorization, and can abuse legitimate access rights to steal patient data for financial gain.

There will always be the occasional bad egg, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more common than many assume. According to the report, 59% of the healthcare data breaches it analyzed involved insiders, making healthcare the one industry where internal actors outnumbered external ones.

Many of those breaches were caused by errors made by healthcare workers, but a large proportion were the work of malicious insiders who stole patient data for financial gain. Typical malicious insider incidents include snooping on the medical records of celebrities and selling the details, and stealing patient data to commit identity theft and fraud.

These attacks can have serious consequences for patients, who may suffer substantial losses from identity theft and other misuse of their PHI. They also cause financial and reputational harm to the healthcare organization and expose it to regulatory penalties. Memorial Healthcare System paid $5.5 million to settle HIPAA violations related to the inappropriate access and theft of health data by members of its workforce between 2011 and 2012.

This week, the Department of Health and Human Services' Office for Civil Rights (OCR) published guidance for healthcare organizations on how to reduce the risk of insider breaches and make sure they are detected quickly when they do occur.

In its Summer 2019 Cybersecurity Newsletter, OCR offers advice on overcoming the challenges of protecting patient data from attacks from within and explains how the risk can be managed in a way that complies with the HIPAA Rules.

To safeguard patient data, healthcare providers must know every location where PHI is stored and how that information flows through the organization. Without that inventory it is impossible to conduct a thorough and accurate risk analysis that identifies all risks to the confidentiality, integrity, and availability of patient data and reduces them to a reasonable and appropriate level.

Physical, technical, and administrative access controls must be implemented to protect patient data against unauthorized access from within. Role-based access controls reduce risk by preventing employees from reaching resources they are not authorized to use, and those controls should limit each role to the minimum necessary information required to perform its duties.

OCR also reminds covered entities that they must control what individuals can do with patient data, not just whether they can reach it. If view-only access is all a role needs, users in that role should not be able to modify, delete, or download records. Controls should also be configured to block access from certain devices, such as personal smartphones, and to prevent data from being copied to portable storage such as USB drives.

The complexity of healthcare IT environments makes it hard to achieve full visibility into the network and every active device on it, yet without that visibility unauthorized data access is hard to spot quickly. OCR reminds covered entities that they must overcome these challenges and gain visibility into what users are doing on the network. Security teams must regularly review system, event, application, and audit logs to detect suspicious activity and unusual patterns of data access promptly. The difficulty is that an insider's access is, by definition, authenticated and authorized, so the useful signals are not failed logins but changes in volume, scope, and timing: a user opening far more records than peers in the same role, reaching outside their own department or patient list, or accessing records flagged for extra scrutiny. It may not be possible to eliminate insider breaches, but when they occur they must be identified and contained swiftly. There have been many cases of insiders accessing patient records without authorization for years before the breach was discovered.
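The following is an added example, not code from OCR's newsletter or from any particular EHR vendor, showing how the audit-log review described above (and the role-based, minimum-necessary permissions described earlier) can be turned into detection logic. The roles, their permitted actions, the seven-field audit record layout, the restricted patient list, and the daily threshold are all assumptions made for the example, and the audit log lines are constructed. Each finding is a candidate for human review, not an automatic block, because cross-department access is sometimes legitimate (consults, covering shifts).

```python
"""Review an EHR-style audit log for signs of insider misuse of PHI.

Added example. The role policy, field layout, restricted-record list and
volume threshold below are assumptions; the sample log is constructed.
"""
import csv
from collections import defaultdict
from io import StringIO

# Hypothetical role policy: the actions each role may take on a record
# (minimum necessary) and whether the role is expected to work across
# departments (billing is, clinical roles normally are not).
ROLE_POLICY = {
    "billing_clerk": {"actions": {"view"}, "cross_department": True},
    "nurse": {"actions": {"view", "update"}, "cross_department": False},
    "physician": {"actions": {"view", "update", "download"}, "cross_department": False},
}

# Records whose every access should be reviewed (e.g. a high-profile patient).
RESTRICTED_PATIENTS = {"P9999"}

# A user touching more distinct patients than this in one day is reported.
# Fixed here for illustration; in practice baseline it per role and shift.
DAILY_DISTINCT_PATIENT_LIMIT = 5

# Assumed audit record layout, one CSV line per access event, no header.
FIELDS = ["timestamp", "user", "role", "department",
          "action", "patient_id", "patient_department"]

# Constructed sample log: a nurse viewing her own patient, a billing clerk
# downloading (not permitted), a cardiology nurse sweeping oncology records
# and a restricted record, and a physician opening the restricted record.
SAMPLE_AUDIT_LOG = """\
2019-10-14T08:02:11Z,jsmith,nurse,oncology,view,P1001,oncology
2019-10-14T08:05:40Z,jsmith,nurse,oncology,update,P1001,oncology
2019-10-14T08:10:02Z,bclerk,billing_clerk,billing,view,P1001,oncology
2019-10-14T08:11:30Z,bclerk,billing_clerk,billing,download,P1002,cardiology
2019-10-14T09:00:00Z,rdoe,nurse,cardiology,view,P2001,cardiology
2019-10-14T09:01:00Z,rdoe,nurse,cardiology,view,P1003,oncology
2019-10-14T09:02:00Z,rdoe,nurse,cardiology,view,P1004,oncology
2019-10-14T09:03:00Z,rdoe,nurse,cardiology,view,P1005,oncology
2019-10-14T09:04:00Z,rdoe,nurse,cardiology,view,P1006,oncology
2019-10-14T09:05:00Z,rdoe,nurse,cardiology,view,P1007,oncology
2019-10-14T12:00:00Z,rdoe,nurse,cardiology,view,P9999,orthopedics
2019-10-14T13:00:00Z,mlee,physician,orthopedics,view,P9999,orthopedics
"""


def parse_audit_log(text):
    """Parse CSV audit lines into dicts keyed by FIELDS."""
    return [dict(row) for row in csv.DictReader(StringIO(text), fieldnames=FIELDS)]


def review_audit_log(text):
    """Return a list of findings: {"rule", "user", "detail"} for review."""
    findings = []
    distinct_patients = defaultdict(set)  # (user, day) -> patient ids seen
    cross_department = defaultdict(int)   # (user, day) -> out-of-department accesses

    for event in parse_audit_log(text):
        day = event["timestamp"][:10]
        policy = ROLE_POLICY.get(event["role"])
        if policy is None:
            findings.append({"rule": "unknown_role", "user": event["user"],
                             "detail": f"role {event['role']!r} has no policy"})
            continue
        # Rule 1: action outside what the role is permitted to do.
        if event["action"] not in policy["actions"]:
            findings.append({"rule": "action_not_permitted", "user": event["user"],
                             "detail": f"{event['action']} on {event['patient_id']} as {event['role']}"})
        # Rule 2: any access to a restricted record is reviewed.
        if event["patient_id"] in RESTRICTED_PATIENTS:
            findings.append({"rule": "restricted_record", "user": event["user"],
                             "detail": f"{event['action']} on {event['patient_id']} at {event['timestamp']}"})
        # Rule 3 (aggregated): clinical role reaching outside its own department.
        if not policy["cross_department"] and event["department"] != event["patient_department"]:
            cross_department[(event["user"], day)] += 1
        # Rule 4 (aggregated): number of distinct patients touched per day.
        distinct_patients[(event["user"], day)].add(event["patient_id"])

    for (user, day), count in cross_department.items():
        findings.append({"rule": "cross_department", "user": user,
                         "detail": f"{count} accesses outside own department on {day}"})
    for (user, day), patients in distinct_patients.items():
        if len(patients) > DAILY_DISTINCT_PATIENT_LIMIT:
            findings.append({"rule": "volume_anomaly", "user": user,
                             "detail": f"{len(patients)} distinct patients on {day} "
                                       f"(limit {DAILY_DISTINCT_PATIENT_LIMIT})"})
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{finding['rule']}] {finding['user']}: {finding['detail']}")
```

Run against the sample log, the review reports the billing clerk's download, both accesses to the restricted record, and the cardiology nurse's six out-of-department accesses and seven distinct patients in one day, while the oncology nurse working her own patient generates nothing. The per-event rules (permitted action, restricted record) can be enforced at access time; the aggregated rules (scope and volume) are what the periodic log review adds, and they are the ones that catch long-running snooping that never trips a permission check.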

Safeguards can be implemented, and policies and procedures developed, to reduce risk, but those measures do not stay effective on their own. Security is an ongoing process: safeguards, policies, and procedures must be reviewed regularly to confirm they still work. Access rights should be reviewed and adjusted whenever employees change roles or transfer to another department, and physical and electronic access to data must be revoked promptly when employees leave the organization.

Preventing and detecting attacks by malicious insiders is difficult, but by understanding the risks and implementing appropriate safeguards, the risk of a breach can be managed and reduced to a reasonable and appropriate level.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.



Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

