Mitigating the Risks Posed by Malicious Insiders
HIPAA Enforcement Agency Warns Against Overlooking the Threat
While hacking incidents grab the top spots on the federal tally of large health data breaches these days, the serious threat of malicious insiders must not be overlooked or underestimated, regulators and security experts warn.
Healthcare organizations need to proactively mitigate the threats of malicious insiders, the Department of Health and Human Services' Office for Civil Rights reminds covered entities and business associates in a recent alert.
"Malicious insiders can succeed in harming an organization by intentionally leaking or destroying sensitive information," OCR, which enforces HIPAA, writes. "The harm can take various forms, including loss of data, damage to the organization's reputation, civil liability exposure, and potential federal and state regulatory enforcement actions. In addition to organizational harm, individuals affected by a data breach could be at risk for identity theft, fraud, or even blackmail."
The reminder from OCR about malicious insider threats comes as the agency has been dealing this summer with an avalanche of breach reports mainly involving massive hacking incidents. Those include ransomware attacks and other cyberattacks, most notably a data breach at American Medical Collection Agency, which so far has affected more than two dozen clients and 25 million individuals.
"Organizations have so many threats to worry about, and malicious hackers tend to be the ones that garner most of the headlines," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "As a result, it is easy for organizations to spend insufficient resources guarding against insider threats - whether malicious or just due to carelessness."
Jon Moore, chief risk officer at the privacy and security consultancy Clearwater, says healthcare organizations likely suffer more malicious insider breaches than the public realizes.
"First, these insider breaches may be less likely to be discovered than an outside cyberattack," he says. "Second, similar to embezzlement by bank employees, organizations are very likely to try to keep such breaches quiet. Third, these breaches typically are not as sensational as hacker cyberattacks and don't get the notice of media."
What's the Motive?
Breaches that affect tens of millions of people typically involve external hackers, Greene notes. "As a result, the public hears less about the large number of breaches caused by malicious insiders. While these often affect fewer people, they are often higher risk, as the insiders often have already begun to use or sell the compromised information."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, notes that the insider threats are "an old, old problem" that can get lost in the shuffle when so much attention is paid to hacker incidents.
"Any environment where many insiders have access to large volumes of confidential information - that includes healthcare providers and plans, as well as the IRS, for example - is ripe for insider breaches," she notes. "I doubt the public has any idea of how vulnerable their data is, but, frankly, there's not much patients can do about it in this age of electronic health records."
Most insider snooping is motivated by curiosity and not by malicious intent, Borten says. "While HIPAA has tamped down on casual snooping, it will always be a problem since it's driven by human behavior," she adds.
Malicious activities by insiders "are either motivated by greed, a need for money - for example, they are in significant debt - or they are disgruntled, such as being passed up for a job or recently the victim of downsizing efforts," Greene says.
Because insider breaches typically expose far fewer records than hacking incidents, many are not posted on OCR's HIPAA Breach Reporting Tool website, which lists incidents affecting 500 or more individuals.
But some malicious insider breaches make headlines because they become criminal cases.
For instance, in July, a former worker at a substance abuse treatment provider in Connecticut was sentenced in a federal court to serve seven months in prison and pay more than $1.3 million in restitution for her part in an identity theft and Medicaid fraud conspiracy case involving 150 stolen records (see Insider Medicaid Fraud Case: An Important Reminder).
And not all malicious insider breaches involve small numbers of patient records. For example, back in 2017, OCR reached a $5.5 million resolution agreement with Florida-based Memorial Healthcare System stemming from 12 employees' inappropriate access to health information on more than 105,000 patients, which lasted for more than a year and led to criminal charges of income tax return fraud.
"Detecting and preventing data leakage initiated by malicious authorized users is a significant challenge facing security professionals today," OCR writes. "Identifying potential malicious activity as soon as possible is key to preventing or mitigating the impact of such activity."
Steps to Take
Healthcare organizations need to consider an insider's interactions with information systems to identify areas of potential risk, OCR says. To determine appropriate access controls, OCR says, organizations should carefully assess where sensitive patient data resides and who really needs to access that data.
One factor to consider, OCR suggests, is whether a staff member's job duties require the capability to write, download or modify data vs. having read-only access. Also to be considered, the office says, is whether a user needs to access data from a laptop, smartphone or via mobile storage devices, such as thumb drives. "Such devices are more difficult to safeguard and control, especially if they are 'personal' devices owned by the user," OCR notes.
"An organization should consider limiting unnecessary mobile device use and implementing security controls to prevent copying sensitive data to unauthorized external devices," OCR advises. "If users are given access to mobile or storage devices, the organization must implement appropriate security controls to safeguard the data when using such devices."
The migration to cloud computing, increased use of mobile devices, and the adoption of internet of things technology can impede an organization's ability to detect anomalous user behavior or indicators of misuse, OCR writes.
"To minimize this risk, an organization may employ safeguards that detect suspicious user activities, such as traffic to an unauthorized website or downloading data to an external device, such as a thumb drive," OCR says.
"Maintaining audit controls - for example, system event logs and application audit logs - and regularly reviewing audit logs, access reports and security incident tracking reports are important security measures, required by the HIPAA Security Rule, that can assist in detecting and identifying suspicious activity or unusual patterns of data access."
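The steps OCR describes above (deciding which roles need write, print or export rights rather than read-only access, watching for copies to external devices, and regularly reviewing application audit logs for unusual access patterns) can be turned into a routine log review. The script below is an added example written for this article, not code from OCR or any vendor it mentions. The audit log layout (timestamp|user|role|action|patient_id|detail), the role policy matrix, the per-role daily baselines, the business-hours window and every log line are constructed assumptions; a real deployment would read these from the EHR's own audit export and tune the baselines from historical data.

```python
"""Review constructed EHR application audit log lines for insider-misuse indicators."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not real data). Field layout is an assumption:
# timestamp|user|role|action|patient_id|detail
SAMPLE_AUDIT_LOG = "\n".join(
    [
        "2019-08-05T09:01:10|jdoe|nurse|VIEW|P1001|unit=3W",
        "2019-08-05T09:04:52|jdoe|nurse|UPDATE|P1001|unit=3W",
        "2019-08-05T10:15:03|rkim|physician|VIEW|P1042|clinic=cardio",
        "2019-08-05T10:15:40|rkim|physician|PRINT|P1042|clinic=cardio",
        "2019-08-05T13:22:08|mlee|billing|VIEW|P1077|claim=88213",
        "2019-08-05T13:25:31|mlee|billing|EXPORT|P1077|dest=usb:E:",
        "2019-08-05T13:26:02|mlee|billing|EXPORT|P1078|dest=usb:E:",
        "2019-08-05T23:47:19|jdoe|nurse|VIEW|P1300|unit=3W",
    ]
    # A late-evening burst of distinct-patient views by one nurse (constructed).
    + [f"2019-08-05T22:{i:02d}:00|jdoe|nurse|VIEW|P{2000 + i}|unit=3W" for i in range(15)]
)

# Assumed least-privilege matrix: the actions each role's duties actually require.
ROLE_POLICY = {
    "nurse": {"VIEW", "UPDATE"},
    "physician": {"VIEW", "UPDATE", "PRINT"},
    "billing": {"VIEW"},
}
DAILY_BASELINE = {"nurse": 6, "physician": 15, "billing": 40}  # assumed distinct patients/day
BURST_MULTIPLIER = 2           # flag a user who exceeds 2x the role baseline in one day
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time, assumed


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    action: str
    patient: str
    detail: str


def parse_audit_log(text):
    """Parse pipe-delimited audit lines into AuditEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient, detail = line.split("|", 5)
        events.append(AuditEvent(datetime.fromisoformat(ts), user, role, action, patient, detail))
    return events


def policy_violations(events):
    """Actions the user's role was never granted, e.g. an export by a read-only billing role."""
    return [e for e in events if e.action not in ROLE_POLICY.get(e.role, set())]


def external_device_exports(events):
    """Copies of record data to removable media, which OCR singles out as hard to control."""
    return [e for e in events if e.action == "EXPORT" and e.detail.startswith("dest=usb")]


def volume_anomalies(events):
    """Users who touched far more distinct patients in one day than their role baseline."""
    seen = defaultdict(set)
    for e in events:
        seen[(e.user, e.role, e.ts.date())].add(e.patient)
    return {
        (user, str(day)): len(patients)
        for (user, role, day), patients in seen.items()
        if len(patients) > BURST_MULTIPLIER * DAILY_BASELINE.get(role, 0)
    }


def after_hours_access(events):
    """Record access outside the assumed business-hours window."""
    return [e for e in events if e.ts.hour not in BUSINESS_HOURS]


def review(text):
    """Run every check and return a compact summary suitable for a daily review report."""
    events = parse_audit_log(text)
    return {
        "policy_violations": sorted({(e.user, e.action) for e in policy_violations(events)}),
        "usb_exports": sorted({e.user for e in external_device_exports(events)}),
        "volume_anomalies": volume_anomalies(events),
        "after_hours_users": sorted({e.user for e in after_hours_access(events)}),
    }


if __name__ == "__main__":
    for finding, value in review(SAMPLE_AUDIT_LOG).items():
        print(f"{finding}: {value}")
```

Each finding maps to one of OCR's points: the policy matrix encodes the read-only versus write/export decision, the USB check covers copying to external devices, and the volume and after-hours checks are the "unusual patterns of data access" that routine audit log review is meant to surface. The output is a review queue, not a verdict; as Borten notes later in the article, the disciplinary outcome still depends on assessing intent and patient impact.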
Borten offers additional advice: "Perhaps most important are robust workforce training and awareness - and clear and appropriate sanctions."
She stresses the need to "repeat the explicit 'no snooping' message often and through different methods. When insiders snoop, ensure they are given more than a mild warning when they plead no malicious intent. While intent must be considered during the disciplinary process, assessing the potential impact on the patient is most critical."
To defend against malicious insider breaches, Clearwater's Moore says, "every organization should understand their own unique risk profile based on the impact to their organization of a breach, the vulnerabilities that exist within their unique portfolio of information assets and all reasonable threats that might exploit those vulnerabilities including insider threats.
"It is the organization's actual risk profile - along with the organization's business objectives, resources and compliance requirements - that should drive its cybersecurity strategy and program. In the long run, this is the most effective and efficient way for an organization to manage its cyber risk and protect its patients, patients' data and revenue."