Insider Breaches a Growing Risk

Steve-Spearman1Organizations Should Implement Strong Monitoring Plans

Steve Spearman, Founder and Chief Security Consultant
Ashley Booth, Marketing Coordinator
Health Security Solutions
Twitter: @HIPAASolutions

Eligible providers and their contracted vendors must comply with HIPAA and HITECH regulations to secure patient data. More pressure than ever is on these organizations to protect sensitive information, especially in light of more stringent government audits and increased penalties for breaches. However, despite a growing number of available ingsecurity and privacy protections, data breaches are still occurring. Security policies and procedures generally focus on protecting data from outside attack, but recent studies indicate the need to mitigate another type of risk: insider threats.

What is an Insider threat?
Healthcare organizations are based on the concept of people helping people. Without employees, organizations and businesses cease to function, but in any work environment, employees are simultaneously the greatest asset and greatest risk. The same is true in relation to protecting patient data. Employees have the potential to be the best security asset and the greatest vulnerability.

This vulnerability is referred to as an insider threat. For many healthcare providers, a huge number of people have access to protected health information (PHI), and mitigating these human, insider risks is becoming a significant focus. From human error to malicious intent, insiders represent one of the greatest risks to the security of PHI.

Why is mitigating insider threats so important?
Insider threats translate into data breaches when employees, third parties, and malware inappropriately gain access to sensitive information and networks through the use of legitimate access rights such as employee usernames and passwords. Many insider breaches are due to a lack of appropriate security training, leading to the infection of networks with malicious software and viruses. However, the biggest insider threat is not a lack of appropriate security training, but malicious intent. Healthcare information is valuable, more so than financial data, and the intent behind many insider breaches is to commit fraud and identity-theft.

In 2013, Florida Digestive Health Specialists LLP notified 4400 patients following a data breach. The breach was discovered when a local Walmart employee noticed suspicious photos being printed. Upon further investigation, it was discovered that a Florida Digestive Health employee had photographed patient records containing information such as name, birth date, SSN, and phone number. The employee was terminated following discovery of the data theft.

Ilene W. Bullington, a former employee of Owensboro Medical Health System in Kentucky was recently indicted on six counts of wire fraud, two counts of aggravated identity theft, and one count of using patient information under false pretenses. Over a period of two years, Bullington used patient information gathered at her workplace to obtain financial loans ranging from $300-$7,000.

Phoenix Medical Group of New Jersey experienced an insider breach when employee Berness Swan began to file fraudulent income tax returns using patient information. Employed from 2009 to 2012, Swan abused her access privileges to obtain patient birthdates and SSNs. She and her cohorts (not employed by Phoenix Medical) then used this information to file fraudulent tax returns, ultimately obtaining more than $120,000 in returns. At the time of her arrest, Swan was accused of theft of government property and aggravated identity theft.

When Sharon McCray, a corporate audit adviser at Children’s Healthcare of Atlanta, announced her resignation, she also sent electronic protected health information (ePHI) to her personal email address. The information included pediatric patient health information, and provider DEA and state license numbers. Upon discovery of the breach, Children’s Healthcare requested that McCray delete or return the information. McCray stated that she took the records to use as a backup for future employment, but failed to relinquish the information. While there was no evidence that the PHI was used for fraud or identity theft, Children’s Healthcare promptly terminated her access privileges and employment.

In 2003, UCLA Medical Center terminated the employment of surgeon and researcher Dr. Huping Zhou. Following his termination, Zhou accessed the ePHI of his co-workers and supervisors via the UCLA Medical Center network. Over the next several months, Zhou accessed the system 323 times. Upon detection of this post-termination breach, UCLA also discovered that Dr. Zhou had illegally accessed ePHI of celebrities and high-profile patients while still employed. UCLA notified authorities of the breach, and Zhou was sentenced to four months in prison and a $2,000 fine.

What can I do to prevent insider breaches?
While not all insider breaches result in identity theft and fraud, it is important for organizations to employ safeguards to mitigate this type of risk, not least because insider breaches can expose the individual and the organization to legal action and penalties. As with any type of breach, quick detection of inappropriate activity is key. So what can you do to mitigate this risk?

  • Create distinct usernames and passwords for each employee to enable tracking of employee activity.
  • Use finely-tuned access controls to restrict employee access to the minimum necessary PHI.
  • Deploy data loss prevention technology that enables monitoring of user transmissions (creates an audit trail).
  • Set rules for what information can be downloaded or sent to personal email addresses.
  • Develop (and implement) end-of-employment procedures that prevent employee access to PHI following notice of resignation and/or termination.

According to a recent Vormetric survey, the three most important security controls were network security tools, identity and access management, and intrusion detection and prevention. The executive summary of this survey stated:

Status quo security is not working well. Organizations continue to invest in… security technologies…, but these security defenses are no longer a match for knowledgeable insiders… who have the right access, skills, and tactics to… steal valuable data, and cause massive damage.

Ultimately, organizations should implement a strong monitoring plan that will allow administrators to track what employees are doing within their system. Organizations must work proactively to mitigate insider threats, using all available security measures and audit programs to analyze usage and detect breaches.

About the author: Steve Spearman is the Founder and Chief Security Consultant for Health Security Solutions. He has been employed in the healthcare industry since 1991, when he began working with Patient Care Technologies, an electronic medical record solutions provider. As Chief Security Consultant, Steve stays busy providing HIPAA Risk Analysis for clients and business partners.  This article was originally published on Health Security Solutions and is republished here with permission.