Chat with us, powered by LiveChat
678-389-6200

Insider Abuse and Errors –The Biggest Threat to Healthcare Security

Insiders are among the biggest threats to data security in healthcare. Research suggests the problem has reach epidemic proportions – with staff members snooping, stealing, or otherwise leaking sensitive data on a scale much broader than in other industries.

The trend is consistent:

  • Insiders caused 58% of the healthcare security incidents reviewed for the 2018 Verizon PHI Data Breach Report.
  • Insiders caused 37% of 2017 healthcare data breaches reviewed in the 2018 Protenus Breach Barometer Report.
  • An insider caused the largest healthcare data breach reported to OCR in 2017, allegedly stealing data affecting 697,800 individuals.

The trend has extended into 2018. A Calyptix review of the data breaches reported to the OCR from Jan. 1 to May 15 this year revealed:

  • 45% were caused by “unauthorized access / disclosure”, a type of breach typically associated with insiders. The breaches accounted for 55% of the total records exposed during the period.
  • 9% were caused by “loss” or “improper disposal”, which are also often associated with insiders.

The numbers might be inflated by the stringent breach reporting requirements in HIPAA. However, other industries – such as the public sector – also have stringent reporting requirements. While they often see higher levels of insider incidents, they are nowhere near the levels seen in healthcare, suggesting the severity of the problem may be unique to the industry.

Why Insiders Breach

Why do staff members knowingly violate HIPAA guidelines, causing a data breach? In a review of 306 data breaches in healthcare shown to be caused by insiders, 48% were financially motivated and 31% were motivated by fun or curiosity, according the Verizon report. Interestingly, another 10% were motivated by convenience.

Insider data breaches come in two general types: intentional and accidental. A staff member either mistakenly leaks data – such as by emailing health records to the wrong patient – or purposefully exposes the data – such as by theft or snooping. One snooping case reported in 2017 went undiscovered for 14 years. An employee at a Massachusetts hospital was found to have inappropriately accessed the medical records of as many as 1,176 patients over the years.

The person’s motivation can have a significant impact on the scale of the breach. For example, an insider who is financially motivated to steal patient health data may try to grab as much as possible. Malicious or nosey insiders are also more likely to attempt to hide their actions. On the other hand, an employee who makes an honest mistake will likely try to minimize the impact. This may partly explain why data breaches involving “insider wrongdoing” were shown to impact 14% more patient records in 2017 than breaches caused by “insider error”, according to the Protenus report.

Gaps in IT Security Knowledge

Many factors – including large volumes of sensitive data, legacy systems, and complex networks – combine to support a high level of insider breaches. Another factor may be a lower awareness of cyber security issues among healthcare staff. When tested on their security knowledge in 2017, end users in healthcare came in second-to- last compared to other industries, answering 23% of the questions incorrectly, according to a study by Wombat Security.

Healthcare IT professionals seem to echo this finding. More than half (52%) of those surveyed agreed with the statement, “Employees’ lack of awareness affects our ability to achieve a strong security posture.”

The problem also extends to specialized IT security staff, with 74% of respondents in healthcare IT indicating that “insufficient staffing” had hampered the organization’s cyber security posture – more than any other challenge cited. Filling the gaps is apparently not easy, with 79% reporting it is at least “somewhat difficult” to recruit IT security personnel. Nearly one-third (32%) reported it is “extremely difficult”

More Training Needed

Security awareness training is required by HIPAA – but the necessary quality and quantity of training is open to interpretation. In a survey of 239 IT security professionals completed in Jan.2018 by the Healthcare Information Management and Systems Society (HIMSS), only 8.4% said their organization did not have a security awareness training program – which is a good sign. Unfortunately, more than half of respondents (51.8%) said they conduct training just once per year. About one-in-five (22.9%) train monthly.

What Can You Do About It?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Healthcare Hacking & Malware – Targeting Patient Medical Records

Healthcare hacking and malware is big business for bad guys. Cyber criminals are launching attacks against healthcare networks every single day. Healthcare hacking and malware is generally done by “malicious outsiders” rather than rogue employees. The motivation is almost always money.

 

Hackers Are Drawn to Data

Why do hackers target the healthcare industry? Many speculate one reason is the value of the data stored by hospitals, care providers, and other medical offices. When asked the types of information they believe hackers are most interested in, more than half of healthcare IT professionals surveyed pointed to the following three types:

  • Patient medical records: 77%
  • Patient billing information: 56%
  • Login credentials: 54%

Patient medical records remain a profitable commodity on the dark web. Criminals can use the records to conduct medical fraud schemes – collecting payments from public services such as Medicaid and Medicare – and can go undiscovered for years.

Patient billing information – including credit card numbers – is also valuable to data thieves and can be used for fraudulent transactions.

However, the lifespan of such schemes is often far shorter than medical-related ones. The payment card industry is far more efficient in detecting and blocking fraudulent transactions than government regulators in the medical field. This may partly explain why more healthcare IT professionals say hackers are targeting medical records.

Login credentials, of course, are often targeted to gain access to additional systems storing valuable data. Other types of data – such as clinical research, email content, and employee information – can also be targeted, though fewer respondents cited them than the three data types mentioned above.

The use of stolen credentials was found in nearly half (49%) of all healthcare security incidents attributed to “hacking” in the Verizon 2018 Protected Health Information Data Breach Report.

What can you do about it?

You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.

Employee Training Can Prevent HIPAA Violations

HIPAA Compliance, HIPAA Audit

Human error is one of the primary causes of HIPAA violations. Even your best employees can make mistakes, or inadvertently create a situation that leads to a violation. All employees need HIPAA training, so that they understand what would constitute a violation, and what they should do if they see other employees mishandling information.

Fortunately, the software solution I’m now offering my medical and dental practices also covers HIPAA training. Compliance Guard is an end-to-end solution to help busy practices simplify compliance and provides the staff training necessary to ensure the whole team is on board.

The training, and tracking who has been trained in what areas, will be helpful during a HIPAA audit. The Compliance Guard software handles all the tracking and reporting. Because the software was developed by auditors, you can be assured that it covers everything that would be assessed during an audit. You’re never alone with Compliance Guard – our Compliance Coaches will answer questions and guide you. No practice that uses Compliance Guard has ever failed an audit! 

Contact us for more information. Call 389-678-6200 or email jmamon@mpoweredit.com.

Web Analytics