Insiders to Blame for Poor Cybersecurity in Healthcare

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

It comes as no surprise that the healthcare industry is a prime target for cybercriminals. Since it’s easy to recognize the potential profit in stealing Protected Health Information (PHI), it is crucial to know and understand the potential security threats that exist, including threats from the inside. Verizon found in their 2018 Protected Health Information Data Breach Report that insiders were the cause of more data breaches than hackers, with 58% of incidents involving insiders!

“Healthcare is the only industry in which internal actors are the biggest threat to an organization. Often they are driven by financial gain, such as tax fraud or opening lines of credit with stolen information (48 percent); fun or curiosity in looking up the personal records of celebrities or family members (31 percent); or simply convenience (10 percent).”

Verizon has also found that 27% of incidents involved paper-based PHI. While we don’t often hear much about the concern for paper-based PHI in the news, there is still a great deal of paper used in healthcare. PHI may end up on paper in multiple forms, including billing information, discharge paperwork, prescriptions sent to pharmacies, photocopies of ID or insurance cards and more. Human error accounts for a large percentage of paper-based PHI falling into the wrong hands.

“…sensitive data being misdelivered (20 percent), thrown away without shredding (15 percent), and even lost (8 percent).”

Verizon further explains the need for employee education on security by outlining that 21% of incidents were due to stolen or lost laptops holding unencrypted PHI.

Looking at the incidents involving malicious code, 70% of those incidents in the healthcare sector involved ransomware. Ransomware is an attack where sensitive data is held hostage by criminals who demand a ransom be paid to release that data. With ransomware being a favored method of attack among cybercriminals, there is no room for human error.

Verizon offers many suggestions that can help improve security in both the short term and the long term.

Short-term Improvements
Short-term improvements can directly address some issues discovered in Verizon’s findings.

Full Disk Encryption (FDE) aims at keeping sensitive data from falling into the wrong hands. Monitoring record access on a routine basis is another critical component of security; in fact, policies and procedures should be in place that require routine monitoring of internal PHI access. Staff should be made aware of the auditing procedure through their security training, along with the potential consequences of viewing patient data without a legitimate business need. Organizations should also be ready to defend against ransomware as well as minimize the impact if it does occur.

Long-term Improvements
While short-term improvements can directly address some issues, protecting PHI in the digital world will also require long-term improvements.

One area to look at is electronic PHI (ePHI). “Breaches involving ePHI included the publishing of sensitive data on public websites (7 percent) and misdelivery (7 percent) via email – still alarming, but much less so than those breaches associated with old-fashioned paper documents. So, organizations should work towards a reduction of paper-based PHI in their environments, and establish a holistic risk management program that protects not only ePHI, but also other sensitive data that they store and process.”

Organizations should also ensure employees have the appropriate level of access to PHI that is required for their jobs and routinely audit those access rights.
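The two controls above, routine monitoring of internal PHI access and routine auditing of access rights, are easier to picture with a concrete audit pass. The script below is an added example and is not code from the article, from Verizon or from HIPAA Secure Now; the roster, care-team assignments, restricted-record list and audit-log lines are all constructed, and the CSV layout is an assumption about what an EHR audit export might look like. It flags the insider patterns the article describes: record views with no documented treatment relationship (the “curiosity” lookups), views of a record marked restricted without an explicit authorization entry, and activity from an account whose owner is no longer active, which points at an access right that should have been revoked.

```python
"""Toy PHI access-audit pass over constructed EHR audit-log lines.

Everything here (account names, patient IDs, log lines, CSV layout)
is constructed for the example; a real deployment would read the
roster from HR/IAM, the care-team relationships from the EHR, and
the audit trail from the EHR's audit export.
"""
import csv
from io import StringIO

# Constructed roster: account -> role and HR status.
ROSTER = {
    "nurse.ali":  {"role": "nurse",     "status": "active"},
    "dr.bose":    {"role": "physician", "status": "active"},
    "clerk.chen": {"role": "billing",   "status": "terminated"},
}

# Constructed treatment relationships: account -> patients on that user's care team.
CARE_TEAM = {
    "nurse.ali":  {"P1001", "P1002"},
    "dr.bose":    {"P1001", "P1003"},
    "clerk.chen": {"P1002"},
}

# Constructed restricted records (e.g. a public figure) -> accounts explicitly authorized.
RESTRICTED = {"P9001": {"dr.bose"}}

# Constructed audit-log export. Assumed fields: timestamp,user,patient,action
AUDIT_LOG = """\
timestamp,user,patient,action
2018-03-01T08:02:11,nurse.ali,P1001,view
2018-03-01T08:05:47,nurse.ali,P1003,view
2018-03-01T09:10:02,dr.bose,P9001,view
2018-03-01T09:12:30,nurse.ali,P9001,view
2018-03-01T11:40:19,clerk.chen,P1002,print
"""


def parse_audit_log(text):
    """Parse the CSV export into one dict per access event."""
    return list(csv.DictReader(StringIO(text)))


def audit_access(events, roster, care_team, restricted):
    """Return (timestamp, user, patient, reason) findings, in log order."""
    findings = []
    for ev in events:
        user, patient, ts = ev["user"], ev["patient"], ev["timestamp"]
        account = roster.get(user)
        # An event from an unknown or non-active account means a right was never revoked.
        if account is None or account["status"] != "active":
            findings.append((ts, user, patient, "inactive or unknown account still has access"))
        # Restricted records need an explicit authorization entry, not just a care-team link.
        if patient in restricted:
            if user not in restricted[patient]:
                findings.append((ts, user, patient, "restricted record opened without authorization"))
        # Everything else must be covered by a documented treatment relationship.
        elif patient not in care_team.get(user, set()):
            findings.append((ts, user, patient, "no documented treatment relationship"))
    return findings


def stale_entitlements(roster, care_team):
    """Access-rights review: accounts that still hold care-team access but are not active."""
    return sorted(
        user for user, info in roster.items()
        if info["status"] != "active" and care_team.get(user)
    )


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    for finding in audit_access(events, ROSTER, CARE_TEAM, RESTRICTED):
        print("ACCESS FINDING:", *finding)
    for user in stale_entitlements(ROSTER, CARE_TEAM):
        print("ENTITLEMENT FINDING: revoke care-team access for", user)
```

Run as-is, the pass reports three access findings (a nurse viewing a patient outside her care team, the same nurse opening a restricted record, and a terminated billing clerk printing a record) plus one entitlement finding for the clerk’s unrevoked access. The point of keeping the two checks separate is that the entitlement review catches the stale account even on a day it generates no log activity, while the access audit catches misuse by accounts that are perfectly legitimate.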

The use of the Internet of Things (IoT) is becoming increasingly common in the healthcare sector and will continue to grow in the future. It is vital that a policy be implemented for building security into all implementations of IoT devices.

Another critical component of long-term security is to have an incident response plan in place in the event a cyberattack were to occur. Knowing what to do in the event of a security incident can not only help in handling the event but can also help reduce the impact of the incident. The incident response plan should also be tested to ensure it works the way it’s intended to so that any gaps in the plan can be remediated.

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.