Foil insider breach threats.

You may be ready for ransomware takedowns and other outside dangers to your lab's protected health information (PHI), but are you ready for breaches caused by insider threats?

Reality: According to the United States Computer Emergency Readiness Team (US-CERT), there are two types of insider threats: malicious and unintentional. Employees, business associates (BAs), and vendors who deliberately work to corrode, corrupt, or hack your system are malicious threats. On the other hand, vendors, BAs, and staff with access to your IT resources can hurt your practice accidentally; they pose an unintentional threat to your lab.

"Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities [CEs] need to also consider and proactively address threats from within their organization," remind attorneys Elizabeth Hodge and Carolyn Metnick with national law firm Akerman LLP.

1. Watch for These Unintended Risks

Many HIPAA breaches are due to human error, and US-CERT research suggests that the following four elements can lead to unintended threats:

Inadvertent hazards like these are best eradicated with a combination of these tools:

2. Look for Suspicious Behaviors

US-CERT guidance suggests that an intentional insider threat usually shows warning signs before it materializes, if you know what to look for. For instance, the following actions may be the start of malicious activity by an employee or BA:

Tip: Make sure you train employees to keep their eyes open and report suspicious behavior by other employees that may pose a security threat, Hodge and Metnick say. Start privacy training upon hiring, and coordinate it with other training such as records management, code of conduct, etc.

3. Tackle Dangers Head On

The HHS Office for Civil Rights (OCR) Cybersecurity Newsletter offers sound advice on insider threats and on what to do after an employee is terminated.
Pocket these OCR tips to set up your procedures:

Expert advice: Employees are often nervous about confirming breaches or telling practice management about their hunches. "Train [employees] in incident management, top to bottom," advises Jim Sheldon-Dean, principal and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Vermont. "Staff need to feel like they are empowered to report their suspicions of information security incidents. The handling of incidents needs to be clearly defined, and top management needs to understand the impacts of incidents and the necessity to prevent them as reasonably practicable."

Resources: Find more US-CERT guidance at https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_484758.pdf. Review the OCR Cybersecurity Newsletter on insider threats at www.hhs.gov/sites/default/files/november-cybersecurity-newsletter-11292017.pdf.