Share this article on:
Many articles listing the Top HIPAA threats pretty much follow a similar theme. Protect devices against theft, protect data against cybercriminals, and protect yourself against unauthorized third party disclosures by signing a Business Associate Agreement. Unfortunately these articles are way off the mark.
Inasmuch as the recommendations are sensible, and indeed should be followed, they fail to address the top HIPAA threats – employees. According to the recently-published IBM X-Force Threat Intelligence Report, 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious Insiders” (25%) and “inadvertent actors” (46%).
A Quarter of Healthcare Data Breaches Attributable to Malicious Insiders?
Although IBM´s Intelligence Report focuses on the number of breaches – rather than the number of records breached – the percentage of data breaches attributed to malicious insiders appears high. However, it is not the case that a quarter of the medical profession is stealing Protected Health Information for personal gain. A closer inspection of the data reveals the “malicious insiders” category includes employees snooping on the medical records of friends, colleagues and celebrity patients.
Snooping was identified as the largest single cause of data breaches in the healthcare industry in a 2013 study conducted by Veriphyr Identity and Access Intelligence. As snooping constitutes an unauthorized disclosure of Protected Health Information, it is classified as a violation of HIPAA and therefore – by the number of violations alone – is one of the top HIPAA threats Covered Entities should be aware of. It is certainly a threat OCR would expect a Covered Entity to address in a HIPAA risk assessment.
Other Data Breaches Attributable to Malicious Insiders Tend to Attract Headlines
Whereas snooping can be the biggest cause of employee HIPAA violations by number, the biggest cause of employee HIPAA violations by records breached is insider data theft. In a recent high-profile case, a secretary employed by the Jackson Health System in Florida was charged with accessing more than 24,000 computerized patient records and selling the data to criminals, who subsequently used it to file fraudulent tax returns with the Internal Revenue Service.
A spate of high-volume data breaches around the same time prompted the HHS´ Office for Civil Rights to issue a reminder to Covered Entities to take action to prevent insider data theft. Unfortunately many Covered Entities appear not to have responded to the reminder. A survey conducted in late 2016 revealed half of healthcare IT professionals were more concerned about insider data theft than external data theft, but were not given the resources to deal with the threat.
Are Inadvertent Actors Really More of a HIPAA Threat than Cybercriminals?
According to the basic data it would appear so. However, the category of “inadvertent actors” includes victims of phishing attacks and IT professionals who fail to configure their security mechanisms properly; so it may be more accurate to rename this category “employees who inadvertently invited cybercriminals to steal data”. Nonetheless, the percentage of reported data breaches attributable to inadvertent actors is nearly twice that of external hacks.
This would imply another of the top HIPAA threats is a lack of employee awareness. Phishing is a massive threat to HIPAA compliance, but it is one that can mitigated with phishing simulation training. Similarly, errors made by IT security can be reduced by implementing procedures to review the configuration of security mechanisms on a regular basis – which should be part of an annual risk assessment in any case. Basically, data breaches due to inadvertent actors are mostly avoidable.
The Top HIPAA Threats and How to Defend Against Them
At HIPAA Journal we strongly recommend Covered Entities encrypt data, implement two-factor authentication and conduct due diligence on Business Associates. These practices – and others provided by HIPAA threat-style articles- will help defend against some HIPAA threats, but not the top HIPAA threats. In order to defend against the top HIPAA threats of snooping, insider data theft and a lack of employee awareness, Covered Entities need to:
- Implement strong policies relating to employee conduct and enforce them with an equally strong sanctions policy.
- Implement effective access controls that monitor who accesses PHI when and where, and what happens to it afterwards.
- Implement a comprehensive HIPAA training program to raise employee awareness – particularly in the area of Internet security.
More than anything, Covered Entities need to allocate more resources to eliminating data breaches attributable to employee actions. If the data provided in the IBM X-Force Threat Intelligence Report is taken at face value, Covered Entities should allocate three times as many resources to defending against the top HIPAA threats that come from within than they allocate to external threats.