Why Detecting Insider Breaches Is So ChallengingRecent Healthcare Incidents Spotlight the Problem
Several recent health data security incidents - including two at a Florida hospital and another at a Washington state Medicaid agency - illustrate the challenges healthcare organizations face in detecting and preventing insider breaches.
See Also: Rethinking Endpoint Security
Jackson Health System in Miami says it has terminated a "rogue" hospital unit secretary "who may have stolen confidential patient information" over the last five years. Protected health information compromised in the breach includes names, birthdates, Social Security numbers and home addresses contained in more than 24,000 patient records, according to a Feb. 10 statement from the health system. The hospital says it is cooperating with law enforcement agencies on the investigation.
Earlier this month after an internal investigation and settlement of a related lawsuit, Jackson Health fired two other workers who allegedly leaked to ESPN private health information of New York Giants player Jason Pierre Paul, whose right index finger was amputated at the hospital last year.
Meanwhile, the Washington State Health Care Authority has terminated two employees for a HIPAA privacy violation affecting 91,000 individuals.
"Insider breaches are a huge problem that don't really get enough attention from companies," says privacy attorney Kirk Nahra. "They do result in terminations and/or prosecution in certain situations where they are caught. But it is a major problem that often gets ignored or under-treated because of more attention on things like hacking."
Jackson Health says that in the wake of the most recent incident, "we are already in the process of acquiring and implementing a more robust security system to monitor access to patient records. Any allegations about a breach in security and patient privacy are taken extremely seriously. Jackson Health System continually educates all employees on privacy rules and regulations and has zero tolerance for violations."
The health system is offering free credit monitoring to affected individuals in the latest incident. A Jackson Health spokeswoman declined further comment on the incidents.
Back in 2011 and 2013, Jackson Health reported to the U.S. Department of Health and Human Services two separate breaches involving insiders.
In the 2011 incident, which impacted almost 1,600 individuals, an employee allegedly removed patient information over a period of 18 months in order to commit identity theft according the HHS "wall of shame" breach tally.
In a breach reported in 2013, a volunteer at the organization's Jackson North Medical Center allegedly photographed paper documents containing the PHI of 566 patients for use in an identity theft scheme, according to HHS.
A National Problem
Many other healthcare organizations across the country are also struggling with insider breaches. For example, the Washington State Health Care Authority, in a Feb. 9 statement, said it discovered that personal identification information and private health information, including Social Security numbers, dates of birth and client ID numbers, of more than 91,000 Apple Health (Medicaid) clients "was handled improperly" by employees.
Two state employees in two state agencies exchanged Apple Health client files in violation of HIPAA, according to the Health Care Authority.
"Both employees assert that the exchange of information occurred because the HCA employee needed technical assistance with spreadsheets that contained the data and that the information was not used for any additional unauthorized purposes or forwarded to any other unauthorized recipients," HCA says in a statement. The breach was discovered in the course of a whistleblower investigation into misuse of state resources.
Because the investigation could not confirm that the data stayed within the state's systems, it was determined there was a breach of protected data, requiring client notification, according to HCA. Both individuals involved with the incident have been terminated.
Affected individuals are being offered one year of free credit monitoring.
Steps to Take
Rebecca Herold, CEO of consulting firm The Privacy Professor and co-founder of security firm SIMBUS360, says healthcare organizations and their business associates should consider taking several steps to mitigate insider threats, including:
- Documenting policies, standards and procedures that cover the requirements for minimum necessary access to personal information, access logging and sanctions for not following policies;
- Providing security and privacy training and sending ongoing awareness reminders about security requirements;
- Performing risk assessments and reviewing personal information access logs;
- Conducting work area security and privacy reviews;
- Implementing database access logging tools and procedures for regularly reviewing access;
- Consistently enforcing sanctions policies.
"Some organizations have implemented whistleblower types of programs to allow employees to report when they know or suspect co-workers are breaking security and privacy policies," Herold says. "This will work well in some types of organizations, but may not be feasible in others."
Insider breaches frequently involve users who are authorized to access patient data, which makes the incidents particularly difficult to detect, Herold notes.
"Hacker and external bad actors leave a trail; those who are authorized to access PHI do not leave such trails, or their access is not considered to be out of the ordinary, so inappropriate access is often not noticed," she says. "For example, in many hospital systems the patient databases and associated applications are set up in such a way that access to specific patients cannot be accomplished, so all doctors, nurses and possibly other staff are given access to the entire patient database even though they only need access to a small subset of their particular patients. If access is not being logged, then it is very easy for them to get into all the patient files and take whatever data they want."
The healthcare sector has plenty of company when it comes to the security and privacy headaches caused by insiders, Nahra, the attorney, notes. "These insider situations are not unique to healthcare - it is an issue for every industry where relatively low-level people have access to information to do their job - think a call center employee - with limited ways to control access and lots of opportunity to do bad things," he says.
"Companies need to take this issue seriously, and look at realistic ways to control access and engage in better ongoing monitoring of potentially problematic behavior."