Insider Breach: 12 Years Undetected?
Inappropriate Access to Records at UMass Medical CenterA data breach involving an insider at UMass Memorial Medical Center, which may date back as far as 12 years, illustrates just how difficult it can be to detect inappropriate access to patient records.
See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
But security experts say healthcare organizations can take steps to better detect and prevent insider breaches, including implementing technologies such as audit log systems as well as ramping up employee training.
In a May 5 statement, UMass Memorial, the 781-bed, Worcester-based flagship medical center of UMass Memorial Health Care, says it learned on March 6 "that a now former employee may have accessed patient information such as name, address, date of birth and Social Security number outside of the employee's normal job duties."
The former employee worked for the medical center from May 2002 to March 2014. A UMass Memorial spokesman declined to identify what job the former employee had or in which department the individual worked.
The information accessed "may have been used to open commercial accounts, such as credit card and cell phone accounts," the statement says. So far, UMass Memorial has determined that the information for up to four patients may have been "misused" by the former employee, the spokesman tells Information Security Media Group.
"We will further investigate any concerns reported by our patients of any misuse of information to determine whether those concerns are related to this incident" and if additional patients were affected, he says. However, the medical center is not aware of any misuse of any patient's medical information, he adds.
The medical center is mailing notifications to approximately 2,400 patients because those individuals' information was inappropriately accessed by the former employee, the spokesman says. "As a precautionary measure, we are offering one year of free credit monitoring services," he says.
Upon discovering this incident, the medical center immediately began an internal investigation, says the spokesman, who declined to describe how UMass Memorial learned of the breach, or why it apparently took years to detect the inappropriate access to patient information by the employee. "UMMMC continues to conduct its investigation and cooperate with law enforcement," he says.
Challenging to Detect
Security and privacy expert Kate Borten, founder of the consultancy The Marblehead Group, acknowledges that many insider breaches can be challenging to detect.
"If the insider was being discreet about copying patient information that he/she had legitimate access to, then it's very difficult to catch," she says. "I suspect it happens more often than we know, and it goes undetected."
In fact, identity theft and other criminal activity linked to insiders accessing patient information has been a problem for many other healthcare providers nationwide.
That includes a recent case at Jamaica Hospital Medical Center in Queens, N.Y., in which two admissions clerks allegedly inappropriately accessed computer records of 250 patients. Those clerks, who allegedly provided the information to lawyers and outpatient services clinics, who then solicited the patients' business, were charged in April with illegally accessing the electronic health records of patients (see ER Clerks Charged in Records Scheme.)
Fighting Insider Breaches
Security expert Brian Evans, principal consultant at Tom Walsh Consulting, says it's common for insider breaches to go undetected for long periods of time.
"Despite the impact of insider losses, healthcare organizations often focus on the wrong threats," he says. "They spend considerable money on external-facing infrastructure. They focus on easy-to-implement controls rather than risk-prioritized controls. And because of vendor hype, they believe technological solutions are the answer to their problems."
Protecting against the insider threat is becoming more challenging as the definition of "insider" changes, he says. "With highly mobile workforces composed of business associates and third-party vendors as much as internal employees, healthcare organizations face an expanded designation of who may be considered 'insiders,'" Evans says.
Risk mitigation strategies against insiders need to be adopted, and fundamental deterrence, prevention and detection and response defense mechanisms should be implemented, he says.
Deterrence, prevention, detection and response all have a place in information security programs, Evans says. "Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything. IT generally collects copious amounts of data, but aggregation, normalization, centralization and retention may not be thoroughly executed," he says.
Audits and investigations require the collection of information to detect bad actors and to determine the effectiveness of controls, he says.
"Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly-detection methods are particularly good for these purposes, as are rule-based detection mechanisms," he says. "When insiders abuse IT systems in fraudulent ways, they often create transactions of which volumes, times or other elements are beyond the norm."
Organizations are increasingly turning to SIEM, (security information and event management) systems or log management tools to augment data collection efforts, Evans notes. "To be effective, audit logs should be at an appropriate level of detail to the loss thresholds being detected," he adds.
The Role of Training
Borten says education of the workforce, and enforcement of policies through penalties, are essential to fighting insider threats.
"Workforce training and holding people accountable by applying sanctions are the main controls when electronic tools aren't available or helpful," she says. "Training should emphasize that co-workers and supervisors must report suspicious behavior when they become aware of it, or they may be sanctioned themselves. This is not optional."
Among the steps that UMass Memorial is taking to prevent insider breaches is "re-enforcing staff education regarding our policies and procedures to safeguard patient information," the medical center spokesman says.
UMass Memorial also is "identifying additional measures and enhancements to existing safeguards to protect patient information," he adds, declining to elaborate.