Insider Threats to Healthcare Records
Insider threats to healthcare records can be attributable to a number of motivations, vulnerabilities, and opportunities, or a combination of all three. To maintain the privacy and security of healthcare records, covered entities and business associates must minimize the motivations, vulnerabilities, and opportunities for insider threats to healthcare records to a reasonable and appropriate level.
Between November 2021 and October 2022, approximately 19% of all data breaches were attributable to internal actors according to the Verizon Data Breach Investigations Report 2023. However, when data breaches in the healthcare sector were analyzed separately, the percentage of data breaches attributable to internal actors increased to approximately 35%.
The Verizon Report notes a number of the data breaches attributed to internal actors in the healthcare sector were not malicious and were the result of human error. Nonetheless, it is important for healthcare organizations to factor all types of insider threats into their risk assessments in order to prevent HIPAA violations, financial losses, reputational damage, and operational disruptions.
10 Malicious Insider Threats to Healthcare Records
Healthcare data breaches do not necessarily involve the theft of PHI. Any impermissible use of PHI, unauthorized access to PHI, or misuse of authorized access to PHI qualifies as a data breach. Because of the wide range of circumstances in which an event qualifies as a data breach, there is a wide range of motivations for acquiring, accessing, or using PHI in violation of HIPAA.
Financial Gain
The most common motivation for all malicious insider events identified by the Verizon Report was financial gain. The percentage of events motivated by financial gain in healthcare (and financial services) was much higher than the all-industries average due to vulnerabilities and opportunities that allowed malicious insiders to abuse access privileges.
Economic Espionage
The theft of trade secrets is considered a serious offense in the U.S. Because of the risk of sensitive research information being passed to foreign governments, Congress passed the Economic Espionage Act of 1996. Despite the penalties for violations of the Act having twice been increased since its passage, economic espionage remains a worrying insider threat to healthcare records.
Disgruntled Employees
Disgruntled employees who are dissatisfied with their jobs or the organization can pose a significant insider threat. Their motivations can range from resentment over issues affecting their roles – or the ability to perform their roles – to unresolved objections to workplace changes. These individuals may intentionally damage systems, steal data, or disclose PHI as an act of revenge or to get noticed.
Departing Insiders
Departing insiders can take advantage of inadequate employee offboarding procedures to steal healthcare records for financial gain, take patient databases with them to a new job, or disrupt the operations of their former employer. In such cases, departing insiders take the opportunity to combine their motivations with organizational vulnerabilities.
Personal Grievances
It is not necessary for grievances to be directed against an employer for an employee to access healthcare records with malicious intentions. Some employees may misuse their privileges to access the healthcare records of former friends, classmates, or work colleagues in order to disclose sensitive information about the individual with the intention of causing harm or embarrassment.
Snooping on Healthcare Records
Data breaches attributable to snooping are classified in the Verizon Report as “Fun” data breaches. However, although it may be “fun” for some to discover secrets about family members or friends, or celebrity/high-profile patients, it is not fun for the victims of snooping and can result in financial losses and reputational damage for the healthcare organization at which the snooping occurs.
Ideological Data Breaches
A “new entry” on the Verizon motivations list is ideology – insider threats to healthcare records due to a cultural belief or ideal. The new entry is likely attributable to the Supreme Court’s June 2022 opinion in Roe v. Wade; however, it is also possible that data breaches due to employees’ cultural beliefs or ideals were misattributed to other motivations in previous years.
Third-Party Malicious Insiders
One of the most difficult to detect malicious insider threats to healthcare records is when the malicious insider works for a business associate or subcontractor. When a third party is responsible for the privacy and security of PHI, it may be impossible for healthcare organizations to identify a malicious event until years after the event has taken place.
Accomplice-Based Cybercrime
Malicious insiders do not always work alone. There has been a noted increase in accomplice-based cybercrime in which “initial access brokers” approach employees to obtain their login credentials in return for untraceable cryptocurrency. Those willing to facilitate a ransomware attack by uploading malware onto company servers have sometimes been offered a percentage of the proceeds.
Compromised Insiders
Healthcare records acquired by external bad actors are sometimes used to blackmail the victims of a data breach. But they can also be used to blackmail employees of healthcare organizations into providing login credentials or stealing data on their behalf. Although this would be categorized as an accomplice-based cybercrime, the accomplice’s motivation is much different from the example above.
10 Unintentional Insider Threats to Healthcare Records
Unintentional insider threats to healthcare records are not so well chronicled because they are most often resolved by changes to policies and procedures, workforce training, and voluntary compliance. Nonetheless, data breaches due to human error can often be eliminated by implementing additional technical safeguards and configuring the safeguards to limit the likelihood of a user error.
The following is a list of unintentional insider threats to healthcare records extracted from HHS’ Breach Report Archive. Although none of these events resulted in financial penalties, healthcare organizations should be conscious of the types of unintentional events as they could trigger a compliance investigation and a financial penalty for a violation of HIPAA.
Failure to Sanitize Devices and Media
In October 2022, Forefront Dermatology notified HHS of a data breach affecting 45,580 individuals. The breach was attributable to an employee failing to sanitize decommissioned devices before they were sold. HHS recommends devices and media be sanitized according to NIST SP 800-88 guidelines.
Failure to Use BCC Function when Sending Emails
In March 2022, Kareem Redmond DDS doing business as Blue Wolf Dental Services notified HHS of a data breach affecting 1,100 individuals. The breach was one of a number of cases on the Breach Report in which an employee sent a mass email without using the blind copy (BCC) function.
Failure to Recognize a Phishing Email
Almost 15% of breaches recorded in the Data Breach Archive relate to employees failing to recognize a phishing email. One of the largest data breaches was notified to HHS in September 2022 by Cytometry Specialists. The breach resulted in hackers accessing the PHI of 224,850 individuals.
Mailing PHI to the Wrong Recipients
Another common unintentional error is mailing PHI to the wrong recipients or on postcards that clearly reveal PHI about the recipients. In one case notified to HHS in May 2022, an employee of the Health Insurance Plan of Greater New York mailed 792 letters containing PHI to the wrong recipients.
Careless Software Misconfigurations
Some organizations automate customer mailings; however, when the software is misconfigured, it can result in much larger data breaches. In September 2022, the Healthfirst health plan notified HHS of a data breach attributed to carelessly misconfigured software mailing the wrong PHI to 5,048 members.
Improper Disposal of Paper Records
In April 2022, the Mountain Area Health Education Center was required to retrain its workforce on the compliant disposal of PHI after one member of the workforce inadvertently placed the paper records of 1,115 patients into an unsecured recycling bin rather than a bin reserved for shredding.
Inadvertent Publication of PHI on the Internet
In November 2021, the Citizens Financial Corporation notified HHS of a data breach. The breach was reportedly caused by an employee inadvertently publishing the names, addresses, diagnoses, lab results, medications prescribed, and other treatment information for 688 individuals.
Loss of Devices, Media, and Documents
While it is understandable that an employee may misplace a USB drive, some reported losses of PHI are not so easy to comprehend. For example, in May 2021, Arizona Oncology Associates reported that an employee had carelessly lost documents containing the PHI of 717 individuals.
Sending Samples to the Wrong Lab
One of the most unusual unintentional insider threats to healthcare records was notified to HHS in April 2021. It involved the unauthorized disclosure of PHI relating to 846 individuals by an employee of Unlimited Medical Services of Florida, who sent patient samples to the wrong lab.
Using Unencrypted Communication Channels
Although HIPAA permits unencrypted communications when an individual has consented to receive PHI by (for example) email, unencrypted emails should not be used for mass marketing. Unfortunately, in October 2021, an employee of Redwoods Rural Health Center unwittingly sent an unencrypted mass email containing PHI to 2,306 individuals – prompting a compliance investigation.
How to Minimize Insider Threats to Healthcare Records
The healthcare industry is particularly susceptible to insider threats because it has a complex ecosystem of stakeholders (i.e., healthcare professionals, administrative staff, business associates, software vendors, etc.) and high rates of employee turnover. Technology has also advanced rapidly without the skill sets always being available to secure it.
While external cyber threats to healthcare records continue to pose considerable challenges to healthcare organizations, the risks presented by insiders are equally important to address. Therefore, healthcare organizations are advised to implement the following six best practices to minimize insider threats to healthcare records:
Regular Policy and Security Awareness Training
Regular security awareness training is a requirement for all members of the workforce. Additionally, healthcare organizations should provide refresher training on the Privacy Rule and sanctions policies to mitigate malicious threats such as snooping, theft, and ideological data breaches.
Implement all Applicable Access Controls
The access control standards of the Security Rule require more than just issuing unique usernames and passwords. Healthcare organizations are required to implement workforce clearance and information access management procedures to prevent unauthorized access to PHI.
Monitor, Audit, and Review
Healthcare organizations are required to monitor user activity, audit compliance with the Security Rule standards, and implement procedures to regularly review records of information system activity (§164.308(a)(ii)(D)) in order to identify any unauthorized or suspicious activity.
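One way to operationalize the review of information system activity records described above (and the offboarding gap exploited by departing insiders described earlier), as an added example that is not from the article or from any vendor product: a small Python script that reviews constructed EHR access-audit lines and flags three patterns this page describes. The roster, care-team table, patient directory, log format and all field names are assumptions for illustration.

```python
# Added example (not from the HIPAA Journal article). Flags, for manual review:
#  1. access after a workforce member's termination date (offboarding gap),
#  2. access with no documented treatment relationship (possible snooping),
#  3. access to a patient sharing the user's surname (possible family snooping).
# Every roster entry, patient id and log line below is constructed.
from datetime import date, datetime

# Constructed workforce roster: user id -> (surname, termination date or None)
WORKFORCE = {
    "jdoe": ("Doe", None),
    "msmith": ("Smith", "2022-03-31"),  # access rights should have ended here
}
# Constructed treatment relationships: patient id -> users on the care team
CARE_TEAM = {
    "P1001": {"jdoe"},
    "P1002": {"jdoe"},
    "P1003": set(),
}
# Constructed patient directory: patient id -> surname
PATIENTS = {"P1001": "Lee", "P1002": "Doe", "P1003": "Nguyen"}

# Constructed audit records in an assumed format: timestamp|user|action|patient
AUDIT_LOG = """\
2022-04-02T09:15:00|msmith|VIEW|P1001
2022-03-10T14:02:00|jdoe|VIEW|P1001
2022-03-11T08:40:00|jdoe|VIEW|P1002
2022-03-12T22:05:00|jdoe|VIEW|P1003
"""


def review_audit_log(log_text):
    """Return (user, patient, reason) findings; one record may yield several."""
    findings = []
    for line in log_text.splitlines():
        ts, user, _action, patient = line.split("|")
        when = datetime.fromisoformat(ts).date()
        surname, terminated = WORKFORCE[user]
        if terminated and when > date.fromisoformat(terminated):
            findings.append((user, patient, "access after termination date"))
        if user not in CARE_TEAM.get(patient, set()):
            findings.append((user, patient, "no documented treatment relationship"))
        if PATIENTS[patient] == surname:
            findings.append((user, patient, "patient shares user's surname"))
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG):
        print(*finding)
```

A surname match on a legitimate care-team member is still reported, because the reviewer, not the script, decides whether the access was permissible.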
Deploy Advanced Technologies
There are multiple solutions available to prevent both malicious and inadvertent insider threats to healthcare records. These include Data Loss Prevention tools, software orchestration solutions (for testing software configurations), and automated anti-phishing software.
Develop and Test Incident Response Plans
Many healthcare organizations will have developed incident response plans to comply with the requirement to address security incidents. However, it is important that plans are tested to ensure they effectively mitigate the consequences of an insider threat to healthcare records.
Implement Whistleblower Policies
According to a Department of Justice study of trade secret theft, more than a third of insider theft events were brought to the attention of the organization by whistleblowers. This implies it will be worthwhile for healthcare organizations to encourage a culture where employees can report suspicious activities without fear of retaliation.
Conclusion
If the Verizon Data Breach Investigations Report is correct, insider threats to healthcare records are a bigger problem than many healthcare organizations acknowledge. Regardless of whether the insider threats are malicious or unintentional, healthcare organizations must take steps to maintain the privacy and security of PHI in order to prevent HIPAA violations, financial losses, reputational damage, and operational disruptions.
Although we have suggested six best practices to minimize insider threats to healthcare records, these may not be suitable for all healthcare organizations nor address all types of insider threats. Consequently, healthcare organizations should factor the potential for these events into risk assessments, implement measures sufficient to reduce insider risks to a reasonable and appropriate level, and monitor, audit, and review the effectiveness of the measures regularly.
Finally, some of our best practices require a depth of understanding of the HIPAA Rules to ensure they are implemented compliantly. For example, whistleblower policies have to be supported by secure channels of communication to prevent ePHI from being transmitted via open networks. If your organization requires any assistance in implementing the suggested best practices, you should not hesitate to seek professional HIPAA compliance advice.
Steve Alder, Editor-in-Chief, HIPAA Journal