Tip: Implement multi-factor authentication on all your devices.

The news is always rife with tales of phishing attacks and ransomware takedowns, but many health IT breaches are caused by insider threats. Whether employees set out to harm your health IT on purpose or do so unintentionally, it is wise to protect yourself and your patients against an attack from the inside.

Definition: According to the United States Computer Emergency Readiness Team (US-CERT), there are two types of insider threats: malicious and unintentional. Employees, business associates (BAs), and vendors who deliberately work to corrode, corrupt, or hack your system are malicious threats. Vendors, BAs, and staff who have access to your IT resources and hurt your practice by accident are an unintentional threat to your business.

“Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities [CEs] need to also consider and proactively address threats from within their organization,” remind attorneys Elizabeth Hodge and Carolyn Metnick with national law firm Akerman LLP.

Watch for These Unintended Risks

Many HIPAA issues and losses of protected health information (PHI) are due to human error. US-CERT research suggests that there are four main causes of unintended threats. Those include the following:

Inadvertent hazards like these are best eradicated with a combination of risk assessment and management, security controls such as encryption and multi-factor authentication, logging and monitoring of devices, and, most importantly, comprehensive staff education from the top down.

Tip: Make sure you train employees to keep their eyes open and report suspicious behavior of other employees that may pose a security threat, Hodge and Metnick say.
“Start privacy training upon hiring (coordinate it with other training such as records management, code of conduct, etc.).”

Tackle Dangers Head On

There are usually signs that an insider threat is on the horizon, suggests US-CERT guidance. US-CERT indicates these actions may be the start of malicious activity by an employee or BA:

The HHS Office for Civil Rights (OCR) Cybersecurity Newsletter offers useful advice on insider threats and on what to do after an employee is terminated. Pocket these OCR tips to set up your procedures:

Expert advice: Employees are often hesitant to confirm a breach or to tell practice management about their hunches. “Train in incident management, top to bottom,” advises Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vermont. “Staff need to feel like they are empowered to report their suspicions of information security incidents, the handling of incidents needs to be clearly defined, and top management needs to understand the impacts of incidents and the necessity to prevent them as reasonably practicable.”

Resources: Find more US-CERT guidance at https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_484758.pdf. Review the OCR Cybersecurity Newsletter on insider threats at www.hhs.gov/sites/default/files/november-cybersecurity-newsletter-11292017.pdf.
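The controls paragraph above lists logging and monitoring among the safeguards, and the “Tackle Dangers Head On” section says that malicious insider activity usually shows warning signs before it happens, including around employee termination. The following is an added example, not code from the article, US-CERT or OCR: a small Python review of a constructed EHR audit log that flags four indicators a practice could watch for. The log format, user names, patient record IDs, the HR roster, the clinic hours and the bulk-access threshold are all assumptions made for this example and are not taken from either guidance document.

```python
"""Review an EHR audit log for common insider-threat indicators (added example)."""
from collections import defaultdict
from datetime import date, datetime, time

# Constructed sample audit log: ISO timestamp, user, action, patient record ID.
SAMPLE_LOG = """\
2024-03-04T09:12:41 jsmith VIEW P10023
2024-03-04T09:14:02 jsmith VIEW P10024
2024-03-04T22:47:10 rlee VIEW P10401
2024-03-05T10:01:15 mkhan EXPORT P10110
2024-03-05T10:01:16 mkhan EXPORT P10111
2024-03-05T10:01:17 mkhan EXPORT P10112
2024-03-05T10:01:18 mkhan EXPORT P10113
2024-03-05T10:01:19 mkhan EXPORT P10114
2024-03-05T10:01:20 mkhan EXPORT P10115
2024-03-06T11:30:00 tdoe VIEW P10550
2024-03-06T12:00:00 svc_old VIEW P10560
"""

# Constructed HR roster: user -> last working day (None = still employed).
# Any EHR access after the last working day means the account was not disabled.
ROSTER = {
    "jsmith": None,
    "rlee": None,
    "mkhan": None,
    "tdoe": date(2024, 3, 5),
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption: normal clinic hours
BULK_THRESHOLD = 5  # assumption: more than this many distinct patients per user per hour is unusual


def parse_log(text):
    """Turn the whitespace-separated log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def find_bulk_access(events, threshold=BULK_THRESHOLD):
    """Return (user, hour, count) for users touching more than `threshold` distinct patients in an hour."""
    buckets = defaultdict(set)
    for e in events:
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(e["user"], hour)].add(e["patient"])
    return [(user, hour, len(patients))
            for (user, hour), patients in sorted(buckets.items())
            if len(patients) > threshold]


def review_log(text, roster=ROSTER, hours=BUSINESS_HOURS):
    """Return a list of (indicator, user, detail) findings for the given log text."""
    events = parse_log(text)
    findings = []
    start, end = hours
    for e in events:
        when = e["ts"].isoformat()
        if e["user"] not in roster:
            # An account with no matching HR record: orphaned, shared or vendor account.
            findings.append(("unknown_user", e["user"], when))
        elif roster[e["user"]] is not None and e["ts"].date() > roster[e["user"]]:
            # Access after the last working day: termination procedure did not disable access.
            findings.append(("post_termination", e["user"], when))
        if not (start <= e["ts"].time() < end):
            # Access outside clinic hours is not proof of wrongdoing, but it is worth a look.
            findings.append(("after_hours", e["user"], when))
    for user, hour, count in find_bulk_access(events):
        findings.append(("bulk_access", user,
                         f"{count} distinct patients in the hour starting {hour.isoformat()}"))
    return findings


if __name__ == "__main__":
    for indicator, user, detail in review_log(SAMPLE_LOG):
        print(f"{indicator:17} {user:8} {detail}")
```

Each finding is a lead for a human to follow up, not a verdict: an after-hours view may be an on-call clinician, and a bulk export may be an authorized report run. The point of keeping the review as code is that it can run over the real audit trail on a schedule, so that the HR roster and the EHR access records are actually compared rather than assumed to match.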