Employees, vendors and third parties inside an organization can threaten the security of patient data.
An example of an intentional theft happened last year at a Portland, Oregon lab. In November, 2022 Legacy Health reported that an employee had stolen patients’ protected health information (PHI), transferring the data to a personal storage device without authorization. The employee was fired but the damage was done. Almost 8,000 patients had their information stolen.
The stolen files contained names, dates of birth, medical record numbers, provider names, health insurance information, diagnosis and/or treatment information, as well as social security numbers for some of the files.
Loss of PHI Happens Through Negligence More Often than Intentionally
Losses and theft occur accidentally too. An example of an insider threat caused by negligence is leaving an unencrypted mobile device or laptop containing protected health information unattended causing the device to be stolen, or the data copied. Another example is when an employee working remotely has a smart listening device, like Alexa or Google Home on during meetings when PHI could be disclosed.
In 2022, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) published a report warning about insider threats in healthcare. The report defines an insider threat as “potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization’s security practices, data, and computer systems.”
Insider threats come from:
- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties
The HC3 report goes on to say that, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common.”
According to Ponemon’s 2022 Insider Threats Report, 57 percent of the study respondents said the data breaches involving an insider were primarily unintentional, caused by negligent insiders. Another 51% said that a malicious outsider stole data by compromising insider credentials or accounts – respondents were allowed to provide more than one response.
Most Common Locations for Risks
The riskiest locations are all of the unmanaged devices – the Internet of Things – think of the many devices connected to the internet we all use everyday, at work and at home, from patient monitoring devices to security systems and HVAC controllers.
When asked where the risks are, the respondents cited:
- Unmanaged devices (the IoT) at 63%
- the Cloud at 51%
- Network at 52%
- Email at 47%
Web applications, USB/removable media, and endpoint devices, both corporate owned and personal were also named.
The following best practices can help reduce insider threats:
- Conduct up-to-date cybersecurity awareness training for staff – use sanctions to discourage intentional actors.
- Limit access to PHI and establish role-based access control.
- Implement the zero-trust and multi-factor authentication models.
- Back up data and deploy data loss prevention tools.
- Manage USB devices across the network.
HIPAA Risk Management is Essential
HIPAA compliance helps prepare for and mitigate against all kinds of threats to patient data. You can make it harder for malicious insiders, negligent staff or third-party vendors to compromise your security by doing a HIPAA risk analysis and following the risk management steps that result.