As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On August 29, the Office for Civil Right (OCR) published its 2019 summer cybersecurity newsletter entitled, “Managing Malicious Insider Threats,” acknowledging this threat and providing some best practices to neutralize it.

According to the OCR:

The 2019 edition of Verizon’s Data Breach Investigations Report (DBIR) found that trusted insiders were responsible for 59% of all security incidents and breaches (both malicious and inadvertent)…[with] the primary motivation for incidents and breaches perpetrated by insiders was financial gain.

What do malicious insider threats look like?

Threats from insiders can take many forms. If successful, they can cause substantial, sometimes crippling harm to an organization by intentionally modifying, leaking, selling, or destroying sensitive information. Here are some examples:

  • Employees on the move. Planning to end employment with provider A, workforce member copies provider A’s patient list and shares it with new employer, provider B, in the hope of luring patients to the new provider. If the workforce member is successful, in addition to potential notification obligations, provider A likely will find itself responding to a number of angry patients asking why another provider has their protected health information (PHI). Provider A might even wind up being investigated and fined, as was the case for a provider in New York.
  • Poor performing employees. Some workforce members feel they have been wrongly accused by their employers for providing inadequate patient care, especially when they believe their co-workers engage in the same activity without incident. Anticipating they will be fired, they begin copying, downloading, or otherwise collecting information from patient EMRs and sending it to themselves. Their goal is to support wrongful termination claims they anticipate making when their employment ends. In the process, patient data is compromised and may require notification to patients and the OCR.
  • Curious and criminal employees. Curious workforce members might use their employer’s EMR to access certain patient records for personal purposes: (i) accessing the medical records of celebrities for financial gain or to satisfy the member’s curiosity; (ii) examining the records of a former spouse to gain leverage in a custody dispute, (iii) obtaining patient demographic information to commit fraud and identify theft.

How do malicious insiders get the information?

Malicious insiders already have access to patient information on the expectation that they need access to perform their jobs. In some cases, they only need access to do harm. For example, an insider may want to learn if a family member is pregnant or using illegal substances, and only has to view the medical records. In other cases, the insider will want to exfiltrate the information. This can be accomplished in a number of ways: forwarding the information to the insider’s personal email account, taking pictures of the information using the insider’s smartphone, copying information to a mobile or storage device (e.g., cell phone, USB drive), or unauthorized physical removal or theft of equipment. As the OCR notes, transmitted or copied data could be further hidden using subtle means such as by embedding data within other data to hide it (i.e., steganography).

How do HIPAA covered entities and business associates stop malicious insiders?

Detecting and preventing data leakage by malicious authorized is not easy – remember, these are individuals who frequently are supposed to have access to the data. Identifying potential malicious activity as soon as possible is critical, however, and there are some things that organizations can be doing.

  • Know your data. To protect data, organizations need to know the data they have, where it is stored, what format it is in, who has access to it, and how it flows through the organization. With this information, the organization is better able to develop policies and procedures to access and address risks related to the data.
  • Access management. Workforce members should be able to access only the information they need to perform their jobs. This can be accomplished in a number of ways – physical access controls (e.g., locked doors and cabinets) and network access controls (e.g., role-based access controls for devices, applications, administrator accounts, or data stores).
  • Control mobile device usage. Considering how a workforce member needs to interact with data as the organization may be able to limit the unnecessary utilization of mobile devices to prevent copying. If workers do not need thumb drives to perform their jobs, for example, they should not be available. If thumb drives are needed, they should be more closely tracked and managed.
  • Remain vigilant. The steps above will help, but they may not be sufficient. Organizations need to continuously manage their business and their systems to help detect and prevent suspicious activities:
    • Periodically review system event logs, application audit logs, access reports, and security incident tracking reports.
    • Configure alerts for (i) unexpected downloads of large amounts of data by employees not believed to have a need for such volumes of data, (ii) access to certain sites, such as personal cloud storage accounts; (iii) downloads to external devices.
    • Revise employee access privileges immediately on changes to roles and responsibilities.
    • Enhance the organization’s vigilance for employees who expect their employment will soon be terminated.
    • Terminate physical and electronic access data in advance of a workforce member leaving the organization’s employ.

Again, risks to an organization’s data are not solely from external sources. Insiders have reasons to compromise their organizations’ confidential and personal information. Organizations need to take steps to minimize those ongoing risks.