Betrayal by an employee can be disastrous.
Montefiore Medical Center, a non-profit hospital system based in New York City, is paying $4.75 million to settle a HIPAA investigation into inadequate security measures after an employee stole protected health information (PHI).
The $4.75 million settlement and corrective action plan resolve multiple potential data security failures at Montefiore Medical Center that allowed the employee to steal and sell patients’ protected health information over a period of six months.
The Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, stated:
“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently. This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls.”
Causes of Insider Threats
At Montefiore, the employee was motivated by profit. However, other types of insider threats have different motivations and goals.
Insider threats include:
- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties
Regardless of the cause or motivation, insider threats are real. A 2022 report from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warns about insider threats in healthcare.
Healthcare is more vulnerable to insider threats than other sectors. Last year, the Verizon 2023 Data Breach Investigations Report noted that in healthcare, external actors were responsible for 66% of breaches while internal actors accounted for 35%. Compare this to the numbers for all sectors, where external actors accounted for 83% and internal actors for 19%. (The sums exceed 100% because a small number of breaches involved “multiple” actor types.)
Defend Against Insider Threats
The HC3 report recommends stepping up prevention. Deterrence, detection and analysis, and post-breach forensics are the key areas of an insider threat program.
Critical areas for healthcare organizations to focus on:
- Revise and update cybersecurity policies and guidelines
- Limit privileged access and establish role-based access control
- Implement a zero-trust model and multi-factor authentication (MFA)
- Back up data and deploy data loss prevention tools
- Manage USB devices across the corporate network
HIPAA Risk Analysis, Risk Management, and Training
HIPAA requires policies and procedures that meet the requirements of the Privacy, Security, and Breach Notification Rules. Conduct an annual HIPAA Risk Analysis and practice Risk Management year-round. Use the Security Rule Checklist to drill down into your cybersecurity defenses and ensure they stay current.
You should also review and update workforce cybersecurity awareness training. Training helps employees stay alert to threats and defend against external actors. It should also make clear the sanctions for employees who don’t follow HIPAA.
An employee’s dishonesty can become a liability to the organization when cybersecurity practices and training are inadequate.