Healthcare data breaches have been occurring at record levels, but not all privacy and security threats come from outside the organization. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HCC) recently issued a warning about insider threats.
What is an insider threat?
According to a recent data breach report from Verizon, 58% of all healthcare data breaches and security incidents are the result of insiders. An insider threat is one that comes from within an organization. This means an individual who has access to healthcare resources or inside information concerning the organization’s security practices, data, and computer systems. Although there may not be malicious intent, often an unintentional mistake can result in harm.
There are several types of insider threats within an organization, including:
- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties
While many organizations focus on insider threats with malicious intent, negligent insider threats are more common. According to Ponemon’s 2020 Insider Threats Report, 61% of data breaches involving an insider are unintentional, caused by negligent insiders.
Unintentional insider threats may include cases where healthcare workers may have snooped or gained accessed to the medical records of patients, family members, friends, or colleagues without authorization.
Other threats include the accidental disclosure of sensitive information, such as disclosing sensitive patient information, sharing login credentials, or responding to phishing messages. The Verizon data breach report suggests 31% of insider breaches were employees accessing records out of curiosity, and 10% were because employees simply had access to patient records.
These cases of unauthorized access may begin with an employee accessing a patient record, but they can quickly turn into major data breaches if left unchecked.
Most common reasons for negligent insider threats
Lack of awareness about security policies and the failure to provide security awareness training are two of the most common reasons for negligent insider threats. In fact, according to data from the HHS, 27% of employees saw security policies less than once a year, and 39% received security awareness training less than once a year.
Preventing insider threats
The following are best practices for preventing both intentional and negligent insider threats:
- Educate: Employees must be trained and educated on permissible uses and disclosures of PHI, patient privacy, and data security.
- Deter: Policies must be created to reduce risk and those policies enforced. The consequences for HIPAA violations and privacy breaches should be clearly explained to employees.
- Detect: Healthcare organizations should implement systems and processes that allow them to detect breaches quickly and effectively, and access logs should be checked regularly.
- Investigate: When potential privacy and security breaches are detected, they must be investigated promptly. When the cause of the breach is determined, steps should be taken to prevent a recurrence.
HIPAA and Cybersecurity Awareness Training
Lack of HIPAA training among employees is one of the major contributing factors to negligent insider threats. It’s essential and required by HIPAA to provide cybersecurity awareness training to staff, along with HIPAA training. Employees should be trained on HIPAA Privacy and Security Rules and must be informed of the consequences and potential criminal penalties for HIPAA violations.
References:
https://www.hhs.gov/sites/default/files/insider-threats-in-healthcare.pdf
Experience Better Healthcare Compliance
MedSafe is the nation’s leading one-stop resource for outsourced accreditation and healthcare compliance solutions. For over 20 years, we have been providing peace of mind to hospital groups, private practices, and their business associates. Our suite of onsite and online training services, including OSHA, HIPAA, Corporate Compliance and Code Auditing better equip your practice with the necessary tools and skills to achieve and maintain regulatory billing compliance. MedSafe takes a hands-on approach and works directly with your team to uncover issues and define suitable solutions.
Leave a Reply