Several recent health data security incidents serve as reminders of why healthcare entities need to stay focused on efforts to prevent and detect insider breaches even as attention is diverted by headlines about hacker attacks and ransomware.
For instance, last week, St. Charles Health System in Bend, Oregon, began notifying nearly 2,500 patients that a caregiver - over a period of about 27 months - was found to have accessed individuals' electronic medical records without authorization.
"Insiders can also play an involuntary role in helping hackers succeed in their attacks."
In a statement, the healthcare system says it launched an investigation on Jan. 16 and conducted an audit of all of the patient files accessed by the caregiver, concluding the insider may have inappropriately reviewed files containing patients' names, addresses, dates of birth, health insurance information, driver's license numbers and health information such as diagnoses, physicians' names, medications and treatment information.
While St. Charles Health says the employee has since "signed an affidavit stating that she has never used or shared any of the confidential patient information for the purpose of committing fraud, financial crimes or other crimes against the patients whose records were among those she viewed," the assurance apparently wasn't enough for local law enforcement officials.
On March 17, the day after St. Charles Health issued its statement about the incident, Deschutes County District Attorney John Hummel issued his own release saying he had launched a criminal investigation into the apparent breach.
"I was dismayed to learn via media reports that apparently a St. Charles employee impermissibly accessed records of thousands of patients," Hummel said. "An alleged breach of this magnitude should have been reported to local police so that a proper criminal investigation could be conducted - as far as I'm aware this did not happen."
Hummel added that his office is working with local law enforcement "to ensure that all relevant facts are detected and then conduct a legal analysis to determine if any criminal laws were violated." In a statement, Hummel tells me that he just started the criminal investigation this week, and "when it's concluded I'll announce the results."
Meanwhile, in a statement, St. Charles Health would not say whether the caregiver at the center of the DA's investigation is still employed by the organization. "As a matter of corporate policy we do not release the details of personnel actions, but we can say that we took swift and appropriate disciplinary action in this case." St. Charles Health also declined to disclose the exact role the caregiver played at the organization, other than saying she provided "direct patient care."
Criminal Cases and Lawsuits
St. Charles Health is just the latest in a seemingly endless string of healthcare entities at the center of law enforcement investigations as a result of insider-related breaches. And as we all know, many health data breaches - including those committed by insiders - also result in lawsuits filed by breach victims.
Just last week, an Alabama federal judge granted class-action status to a lawsuit filed against Flowers Hospital, where a former lab technician was convicted in 2014 of identity theft that led to federal tax refund fraud. That's a case worth keeping an eye on.
Insider Breaches Rise
So how common are breaches tied to insiders in healthcare?
Protenus bases its monthly breach trend analysis on incidents disclosed in the media and other sources as well as those posted on the Department of Health and Human Services' "wall of shame" website that lists health data breaches affecting 500 or more individuals.
Of 31 health data incidents in February analyzed by Protenus, insiders were responsible for 18, or 58 percent. In January, the company tracked nine insider incidents, which accounted for 29 percent of all breaches that month.
Of course, insiders can also play an involuntary role in helping hackers succeed in their attacks, especially when it comes to falling for phishing scams and other social engineering schemes designed to obtain user credentials.
Protenus reports that in February, eight of the 18 insider incidents were the result of insider wrongdoing, nine of the incidents were the result of insider error and one insider incident could not be classified due to lack of provided information.
Security and privacy experts say that healthcare entities and their business associates need keep a close eye on insiders as part of their overall data security efforts.
Attorney Steven Teppler of the Abbott Law Group, for instance, calls the Flowers Hospital breach case "a public service announcement to healthcare providers" urging them to have their "house in order" in terms of dealing with insider threats.
Attorney Marti Arvin, vice president of audit strategy at the security consulting firm CynergisTek, says healthcare entities must ensure they take steps to protect against and detect insider breaches, including turning on and reviewing "appropriate electronic access control logs" to identify whether rogue employees are accessing patient data without authorization.
Employees must also be carefully vetted prior to hiring and assessed periodically while on the job, the legal experts suggest.
Rebecca Herold, president of SIMBUS LLC, a privacy and security cloud services firm, and CEO of The Privacy Professor, a consultancy, urges organizations not to skimp on regular, periodic workforce awareness efforts to bolster security. "If you don't provide training, your employees will not know how to effectively secure the protected health information they access when performing their job responsibilities," she notes.
While hackers are becoming increasingly sophisticated in their attack schemes, insiders will also continue to be a persistent threat to data security and privacy - and a potential cause for serious breaches that land up in court and on the HHS wall of shame.