The Insider Threat: Lessons From 3 Incidents
How to Detect, Prevent Inappropriate Access by Authorized Users
Three recent incidents involving inappropriate use of patient information by insiders illustrate how difficult it is for healthcare organizations to deal with the insider threat.
The organizations that recently announced they are notifying patients of insider incidents are Detroit-based occupational therapy practice PsyGenics; Wilkes-Barre, Pennsylvania-based Geisinger Wyoming Valley Medical Center; and the Phoenix-based practice Arizona Endocrinology Center.
The Insider Threat
"Larger organizations especially face the challenge of how to distinguish 'authorized' access from one that is not for a legitimate work-related purpose because there is such a massive volume of activity from employees accessing patient information every single day," says privacy and security attorney Helen Oscislawski of the law firm Attorneys at Oscislawski LLC.
"Role-based access credentials offer some guardrails which should, for example, prevent a C-suite executive from accessing a patient's medical record, since such an administrative person does not have a clinical need to do so. Once access credentials are issued to a clinician, there is no great way to be able to identify when that clinician may be poking around in records she/he is not supposed to access."
In a statement issued Monday, PsyGenics said that on March 25, as part of a regular security review, it discovered that a day earlier an employee forwarded patient information contained within Excel spreadsheets to their personal email address without authorization.
Among the information contained in the spreadsheets were names, diagnosis code, appointment time and provider name, the Pennsylvania practice said.
PsyGenics said it's unaware of any attempted or actual misuse of the information. It's notifying affected individuals as well as federal regulators. The organization did not immediately respond to an Information Security Media Group request for additional information.
Geisinger Wyoming Valley said in a statement issued Monday that on March 20, the organization's privacy office was alerted to an employee possibly accessing medical records without a confirmed need to do so.
"An immediate investigation validated that this employee accessed medical records as part of their daily job responsibilities," the statement noted. "It was however confirmed that [the employee] accessed over 800 patients' records without a business need."
The employee inappropriately accessed records from July 2017 to March 2020. "As a result of the investigation, the individual is no longer employed at Geisinger," according to the statement.
"While the investigation did not reveal any evidence of malicious intent, the information that may have been viewed by the employee included: name, date of birth, Social Security number, address, phone number, email address, medical conditions, diagnoses, medications, dates of service, visit notes, results and appointment information," the statement noted.
Geisinger did not immediately respond to a request for additional details.
As of Wednesday, neither the PsyGenics nor the Geisinger incident appeared on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Arizona Endocrinology Center
In another recent incident, Arizona Endocrinology Center notified 74,000 patients about a breach involving one of its former physicians (see Health Data Breach Update: What Are the Causes?).
In a recent statement, the organization explained that when the doctor was preparing to leave the practice to join another medical group, the physician "downloaded basic information about patients from our electronic medical record," including patient names, phone number, address, name of primary doctor, and identifying number assigned to each patient.
Arizona Endocrinology learned about the incident after it heard from patients that the doctor's new practice used that information to send text messages to the individuals. "The text messages informed patients that [the doctor] was moving to [the new practice] and/or advertised [its] services," the statement noted.
"Healthcare entities certainly have a vested interest in protecting against data breach threats, even those posed by authorized insiders. However, many lack the internal resources and capacity to do so effectively and consistently," says Yolanda Stonewall, senior security consultant at risk management consultancy Pondurance.
"The challenge lies in the fact that patient information systems are accessed by authorized users hundreds of times per day, creating thousands of activity records. This makes it very difficult for constrained security personnel to identify insider abuses timely," she says. "Also, some entities face challenges with appropriately managing user access rights and keeping users educated on their responsibilities to protect information."
For hospitals and clinics, trying to identify unauthorized access to patient information "is like looking for a needle in a haystack," says Tom Walsh, president of the consultancy tw-Security.
"That's why an advanced audit tool - application/program - is needed. It acts like a large electromagnet to pull those needles from the haystack," he says. "While intelligent audit tools are effective in finding inappropriate access, they can be costly to purchase and maintain ... especially for smaller healthcare organizations. Also, the audit tools require dedicated staff time to review the reports."
While PsyGenics' statement indicates it discovered its insider incident the day after the alleged inappropriate use of patient data occurred, the Geisinger incident apparently took nearly three years to discover, and that was only after the organization's privacy office received a tip.
So, why does it take so long for some entities to determine authorized users are misusing or inappropriately accessing patient records?
"To be effective, organizations need to have a written audit strategy or plan to address: What to audit, who to audit, when to audit, how to audit," Walsh says.
Most commercial audit log analysis tools have artificial intelligence capabilities that can identify inappropriate access, says Keith Fricke, principal of tw-Security. "Examples include detecting a user account accessing medical records in sequence, accessing records of a patient from a department that the worker does not work in, and comparing the address of a hospital worker to that of a patient to identify if neighbor snooping is occurring."
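As an added illustration of the three heuristics Fricke lists (this is not code from the article or from tw-Security), the following Python applies each rule to a constructed EHR access audit trail; the staff directory, patient index and audit rows are all made-up sample data.

```python
from collections import defaultdict
from typing import NamedTuple

class Access(NamedTuple):
    user: str     # account that opened the record
    patient: int  # patient identifier that was opened
    seq: int      # position of the event in the audit log (time order)

# Constructed staff directory: user -> (home department, normalized street address)
STAFF = {"nurse_a": ("oncology", "12 elm st"), "clerk_b": ("cardiology", "40 oak ave")}
# Constructed patient index: patient id -> (department of care, normalized street address)
PATIENTS = {
    1001: ("oncology", "7 pine rd"),
    1002: ("oncology", "40 oak ave"),   # same street address as clerk_b
    1003: ("cardiology", "9 birch ln"),
    1004: ("oncology", "3 cedar ct"),
    1005: ("oncology", "5 maple dr"),
}
# Constructed audit trail, already in time order
AUDIT = [
    Access("nurse_a", 1001, 1), Access("nurse_a", 1003, 2),
    Access("clerk_b", 1002, 3), Access("clerk_b", 1003, 4),
    Access("clerk_b", 1004, 5), Access("clerk_b", 1005, 6),
]

def sequential_runs(audit, min_run=3):
    """Rule 1: users who opened consecutive patient IDs back to back (record walking).
    Returns {user: longest run length} for runs of at least min_run records."""
    by_user = defaultdict(list)
    for a in sorted(audit, key=lambda a: a.seq):
        by_user[a.user].append(a.patient)
    flagged = {}
    for user, ids in by_user.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged[user] = max(flagged.get(user, 0), run)
    return flagged

def cross_department(audit, staff, patients):
    """Rule 2: accesses where the worker's home department differs from the patient's."""
    return [(a.user, a.patient) for a in audit
            if staff[a.user][0] != patients[a.patient][0]]

def neighbor_snooping(audit, staff, patients):
    """Rule 3: accesses where the worker's address matches the patient's address."""
    return [(a.user, a.patient) for a in audit
            if staff[a.user][1] == patients[a.patient][1]]
```

Each rule yields candidates for a privacy officer to review, not proof of misuse; a clerk covering another unit will trip rule 2 legitimately, which is why the reports still need the dedicated review time Walsh describes.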
Data loss prevention tools can be effective at preventing users from emailing sensitive information if those tools are appropriately configured and tuned, says Stonewall of Pondurance. "However, organizations should couple technology with regular preventive education such that users are made aware of the company's stance on what is acceptable regarding the use and dissemination of patient information."
Remote Worker Risk
With more employees working from home amid the COVID-19 crisis, how can healthcare entities do a better job in terms of preventing and detecting potential insider breaches that occur when employees inappropriately access patient data from home?
Healthcare entities should consider using "virtual desktop" technology, from which they can more securely access corporate systems using their home computers, Stonewall says.
"A cloud application security broker [CASB] can be used to technologically enforce security policy compliance and user activity monitoring for cloud-based health patient information systems," she adds.