Spotting Insider Breaches: Employees Can HelpTwo Recent Incidents Provide Important Lessons
Two recent security incidents involving insiders spotlight the importance of employee vigilance in detecting and containing breaches.
In one incident, an employee at Rutland Regional Medical Center in Vermont noticed unusual activity with their email account and reported it to the medical center's IT department. In the other incident, a former employee of Kentucky Counseling Center in Louisville reported to the mental health services provider that they had received an email containing unauthorized patient information from a staff member.
"Employees who report incidents like these should be commended, and they provide a learning opportunity for their organizations," says Kate Borten, president of security and privacy consulting firm The Marblehead Group. "While employees may not be named, the workforce should be made aware of their actions in support of the organization's security and privacy programs."
Rutland Regional Medical Center Incident
Rutland Regional reported to the Department of Health and Human Services on Feb. 20 that an email-related breach affected more than 72,200 individuals, according HHS' HIPAA Breach Reporting Tool website.
In a Feb. 20 statement, the Vermont medical center says that on Dec. 21, 2018, an employee identified a high volume of spam emails being sent from their email account.
"The employee reported this activity to Rutland Regional's IT department on Dec. 29, 2018. Subsequently, on Dec. 31, 2018, Rutland ... determined the employee's email account was subject to unauthorized access and immediately changed the employee's password and locked the account."
Rutland Regional says it enlisted the assistance of a third-party forensic expert to further investigate the incident and discovered that the hack also affected the emails of other employees beyond the worker who reported the problem to the medical center's IT team.
"Although the investigation is ongoing, Rutland confirmed on Feb. 6 that an unauthorized actor or actors had access to nine employees' email accounts at certain times between Nov. 2, 2018, to Feb. 6, 2019," the statement says.
The intrusion potentially exposed information related to certain patients, including name, contact information, financial information, date of birth, medical record number, patient identification number and medical and/or clinical information - including diagnosis and treatment information and health insurance information, the organization reports.
Some 3,683 Social Security numbers were also affected. Rutland Regional is offering prepaid credit and identity monitoring to those individuals whose Social Security numbers were impacted by the incident.
Rutland Regional says it cannot confirm whether any information was actually accessed, viewed or acquired by the hacker, the statement notes.
The medical center is working to implement additional safeguards and security measures to enhance the privacy and security of its patient information, the statement adds.
The organization did not immediately respond to a request for additional information.
Kentucky Counseling Center Breach
In the other insider incident, Kentucky Counseling Center reported to HHS on Feb. 11 that its breach affected 16,440.
In a statement, the counseling center says that on Jan. 4, a former staff member reported receiving an email containing a link to a list of patients.
"Having whistleblower protections in place creates an environment where those reporting incidents do not fear retaliation from management."
—Tom Walsh, tw-Security
"Based on KCC's investigation to date, we believe a staff member took the list without authorization from our computer system on Dec. 6, 2018. We believe that same individual used an anonymous internet file sharing service to email the list to the former KCC staff member who then reported it to KCC. "
The individual believed to be responsible for the inappropriate patient data email no longer works for KCC, the statement notes.
"While we do not believe the individual took the list to cause harm to individuals on the list, we wanted to make patients aware of these circumstances out of an abundance of caution," KCC says in its notification statement.
The organization has taken steps to enhance security, it adds, including implementing multifactor authentication for computer system access.
KCC did not immediately respond to a request for additional information.
While employees - and even former workers - can help play a role in the detection and containment of breaches, organizations can take other important steps to prevent these kinds of incidents.
"Strong onboarding processes must include granting access at the minimum necessary level," Borten says. In addition, entities must be vigilant in cutting off access to users when they leave their employment or no longer need such access to perform their jobs, she adds.
"Strong offboarding processes must cover all users, not only employees, and prompt disabling of access," she says. "But just as important is periodic user account review by managers to ensure that every user account continues to be authorized and have appropriate access permissions."
Educating the Workforce
Tom Walsh, president of tw-Security, says healthcare organizations must take steps to encourage employees to play a proactive role in breach prevention and containment.
"Educating the workforce on what is a reportable security incident ... providing specific examples - and how to report them is crucial," he says. "Having whistleblower protections in place also creates an environment where those reporting incidents do not fear retaliation from management."
But some insider threats are impossible to mitigate, Walsh acknowledges.
"As much as I would like to find a way to 'fix' people - there is not much an organization can do when a person makes up their mind to do something that is against policy," he says. "That is why organizations create policies, have the workforce sign agreements, provide training - including new hire and annual refresher training - send out periodic reminders and establish safeguards/controls. The authorized user misusing their access privileges is not easily 'fixed'."
Walsh also suggests several steps organizations can take to minimize the risk that employees' email accounts will be used by hackers for sending spam.
"Review SMTP relay/gateway rules to only allow email from internal IP addresses to prevent the local domain from being spoofed from external machines," he says. "Mail systems can also be configured to prevent users from mass emailing to all users."
Entities can also take steps to more quickly identify spam-related issues, Walsh says, including monitoring outbound email traffic and receiving automated alerts when the volume reaches a certain level.