Clinic Breach Involved Authorized UserExperts Offer Insights on Preventing Insider Incidents
A data breach potentially affecting 16,000 patients at a group of Texas pediatric clinics spotlights the challenges in preventing and detecting breaches involving insiders who are authorized to access records.
See Also: Secure Access in a Hybrid IT World
A staff member at Children's Medical Clinics of East Texas, which has three clinics at one location in Kaufman, allegedly took home business documents and did not return them and also provided an unauthorized screenshot of patient records to a disgruntled former employee involved in a dispute with the clinic.
"Unfortunately I think these incidents are much more widespread than what we see discovered and reported," says Mac McMillan, CEO of the security consulting firm CynergisTek. "Users know if their organization is proactively monitoring or not."
The Texas pediatric clinics group on Oct. 28 reported to the Department of Health and Human Services an "unauthorized access/disclosure" incident affecting 16,000 individuals, according to HHS' "wall of shame" website listing major health data breaches.
A sample breach notification letter from the clinics' law firm, Shaw & Associates, posted on the healthcare provider's website, indicates the incident involved "an employee of the clinic [who] was found to have taken business documents home from the office and did not return them."
Police were notified and a police report was filed Aug. 10, the letter says. "Thereafter, logs revealed the employee also improperly accessed patient health information by logging into patient records and providing a screenshot of patient records to a ... third party," the letter says. "This third party, who was a disgruntled ex-employee, appears to have a retaliatory agenda against the clinic."
The employee who accessed the records has been terminated, says the letter signed by attorney Diane Shaw, representing the clinic. "At this time, there is no evidence the employee disclosed to others the information. We believe the employee engaged in these behaviors due to the likely retaliatory agenda ... and not with any intent to harm patients. However, there is no way to narrow down which records were improperly accessed."
The improperly accessed records contained protected health information including names, date of birth, diagnosis and treatment, the letter says.
The clinic is offering free credit monitoring to potential breach victims upon request.
"Under HIPAA, this employee's access was authorized and she had HIPAA training. However, once she became involved with forwarding information to a third party, her access was unauthorized. Therefore, the HIPAA privacy rules require that incidents be notified to you and reported to the regulatory agency, HHS," the letter notes.
The two former employees involved in the incident were both front office clerical workers at the clinic, Lee Shaw, an IT specialist at the clinic's law firm, Shaw & Associates, tells Information Security Media Group.
The former disgruntled worker who received a screenshot of the patient records allegedly "is building a case against the clinic" related to undisclosed circumstances, he says. The patient information contained in the records is believed to be "secondary" in the alleged dispute between the former disgruntled worker and the clinics group, he says.
Also, the snapshot of patient records apparently involved "one incident," Shaw says. But because the worker who allegedly sent the information to the third party had authorized access to thousands of patient records, all potential victims of the breach are being notified, she adds.
The incident at Children's Medical Clinics of East Texas spotlights some of the challenges involved with preventing breaches involving authorized users, says Tom Walsh, founder of the consulting firm tw-Security.
"In this case, it is extremely difficult to prevent an authorized user from snooping or accessing patient records in an unauthorized manner," Walsh says. "This is especially a problem in smaller healthcare environments." That's because an individual may have multiple job responsibilities or roles, allowing them to have broader access privileges, he says. "Therefore, organizations would have to rely on detecting an inappropriate access of patient records through auditing and monitoring or user activities."
Walsh also notes that preventing "screen scraping or capturing screen shots is also a difficult security control to implement because it may interfere with other business processes."
McMillan says healthcare entities should consider bolstering their monitoring and auditing of insiders. "We need to get away from simple compliance-based auditing and start using behavioral analytics. Often those engaged in this type of activity stay within the parameters of their access, but their pattern of access or their 'behavior' will show a very different outcome," he says.
Children's Medical Clinics of East Texas says in its notification letter that it's "following a strict internal review process and upgrading all security systems in accordance with guidance provided by HHS, including enhanced on-site security measures. Additional measures include a security watch, surveillance cameras and more stringent HIPAA training."
To help battle insider breaches, Walsh suggests that organizations conduct random audits of user activities.
"Today, most healthcare organizations only review audit logs when there is an incident, [if they] suspect unauthorized behavior or when there is a complaint or an investigation," he says. "Most smaller organizations lack the tools needed to shift through the volumes of audit logs to detect any inappropriate behaviors."
Walsh notes that HIPAA recommends that organizations conduct periodic background checks on employees. "Organizations many times only do the minimum background checks before hiring someone. But this initial investment upfront may save a lot of money later on if the employee proves to be untrustworthy," he says
"People change over time. An employee that had a clean background check for 10 years may be different today as people's personal lives or circumstances change."