Eli's Rehab Report

HIPAA:

Threats to Your Organization Could Come from Within

Prevent and mitigate internal risks with these 6 expert pointers.

If you’ve been directing all your security efforts at keeping your data safe from nameless, lurking outsiders, you could be overlooking a significant danger: your own employees and business associates can pose just as serious a risk to your organization.

What Is an Insider Threat?

“Although there has been a lot of recent publicity about external threats to the information systems of healthcare providers, covered entities need to also consider and proactively address threats from within their organization,” such as their employees and contractors, healthcare counsel Elizabeth Hodge and partner attorney Carolyn Metnick with Akerman LLP tell Eli.

According to the United States Computer Emergency Readiness Team (US-CERT), a malicious insider threat is a current or former employee, contractor, or business partner who meets the following criteria:

Has or had authorized access to an organization’s network, system, or data; and

Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Case in point: “As a recent example of an insider threat, the U.S. Department of Justice just announced that a former employee of a Florida hospital was recently sentenced to three years in federal prison after accessing protected health information [PHI] from more than 600 patients and using that information to file false tax returns,” Hodge and Metnick illustrate. “The court records evidence that the employee had received regular training on HIPAA compliance.”

Although insider threats aren’t always malicious or intentional, they can be just as detrimental to your organization as an outside cyberattack or theft. US-CERT offers the following steps to protect your electronic PHI (ePHI) from insider threats:

1. Look for Threats in Enterprise-Wide Risk Assessments

You should consider threats from insiders (employees) and business associates (BAs) in your enterprise-wide risk assessments. You may identify security threats by conducting a security risk assessment or a more thorough test of system-wide vulnerabilities, Hodge and Metnick say.

Also consider your workforce’s privacy knowledge, note Hodge and Metnick. “Many employees do not know how to identify socially engineered emails or other security threats. Employees should be trained on identifying socially engineered emails.”

Additionally, you should avoid directly connecting with your BAs’ information systems, and have employees, contractors, and BAs sign non-disclosure agreements or confidentiality agreements as necessary.

2. Clearly Document & Consistently Enforce Policies & Controls

Review and revise your security and privacy policies at least on an annual basis and whenever there is a relevant change in the law, Hodge and Metnick advise. Ensure that your employees know the location of your privacy policies and procedures (ideally, you should give them a copy) upon starting employment.

You can also raise privacy and security awareness within your organization by providing regular updates on privacy matters, including email blasts, posters, and/or in-service lunch training sessions, Hodge and Metnick suggest. Centralize information about policies and procedures and helpful links, and consider sending emails about opportunities for additional training and learning.

Key: Ultimately, management needs to cultivate and support a privacy culture and the privacy message should filter down into the workforce ranks.

“Many insider threats can be prevented when an organization makes information privacy and security part of the corporate culture,” Hodge and Metnick note. “This includes demonstrating to employees that management buys into protecting the privacy and security of the organization’s data. The culture of privacy and security is then reinforced through policies and procedures that are clearly and consistently communicated to the organization through ongoing training and awareness programs.”

3. Raise Awareness of Insider Threats During Employee Training

Make sure you train employees to keep their eyes open and report suspicious behavior of other employees that may pose a security threat, Hodge and Metnick say. “Start privacy training upon hiring (coordinate it with other training such as records management, code of conduct, etc.).”

Next step: Measure and assess employees after training to make the training more effective and to confirm that they understood it.

4. Monitor & Respond to Suspicious or Disruptive Behavior

Beginning with the hiring process, you should monitor and respond to suspicious or disruptive behavior. Start by determining a baseline of employee user behavior, and then regularly audit employee usage of systems to determine if employees are trying to access information that is outside the scope of their job, Hodge and Metnick recommend.

If you have employees who deviate from the baseline, depending on their position, you should monitor them more closely.
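The baseline-and-audit approach in step 4, as an added example that is not part of this article or of Akerman LLP's guidance: it runs over a constructed EHR access log (every user, department, patient ID and date is made up), computes each user's typical daily record count, and flags accesses to patients outside the user's assigned departments as well as days that far exceed that user's own baseline.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed job scopes (assumption): which patient departments each user may access.
# A user missing from this table has no scope, so every access is flagged.
JOB_SCOPE = {
    "rn_alice": {"ortho"},
    "clerk_bob": {"ortho", "cardio"},
}

def make_sample_log():
    """Constructed audit records: (date, user, patient_id, patient_dept)."""
    log = []
    for day in range(1, 6):                      # five ordinary working days
        date = f"2024-03-0{day}"
        log += [(date, "rn_alice", f"O{day}{i}", "ortho") for i in range(4)]
        log += [(date, "clerk_bob", f"C{day}{i}", "cardio") for i in range(3)]
    # Day 6: the nurse opens 30 records, one of them a cardiology patient.
    log += [("2024-03-06", "rn_alice", f"O6{i:02d}", "ortho") for i in range(29)]
    log.append(("2024-03-06", "rn_alice", "C600", "cardio"))
    return log

def audit(log, scope=JOB_SCOPE, spike_factor=3.0):
    """Return out-of-scope accesses, daily spikes above baseline, and the baselines."""
    # (a) scope check: patient department not in the user's assigned departments
    out_of_scope = [r for r in log if r[3] not in scope.get(r[1], set())]
    # (b) baseline: median daily record count per user (median resists one bad day)
    daily = Counter((r[0], r[1]) for r in log)
    per_user = defaultdict(list)
    for (_date, user), n in daily.items():
        per_user[user].append(n)
    baseline = {u: median(counts) for u, counts in per_user.items()}
    spikes = [(d, u, n, baseline[u]) for (d, u), n in sorted(daily.items())
              if n > spike_factor * baseline[u]]
    return {"out_of_scope": out_of_scope, "spikes": spikes, "baseline": baseline}

if __name__ == "__main__":
    result = audit(make_sample_log())
    for rec in result["out_of_scope"]:
        print("OUT OF SCOPE:", rec)
    for date, user, n, base in result["spikes"]:
        print(f"SPIKE: {user} accessed {n} records on {date} (baseline {base:.0f}/day)")
```

Flagged users are candidates for the closer review the article describes; the thresholds and scope table are placeholders to be tuned against your own roles and access patterns.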

5. Inventory All Your Assets

Maintain a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, Hodge and Metnick advise. Incorporate these assets into your risk analysis that examines potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Also, prioritize your assets by value to determine which assets are likely to be significant targets, Hodge and Metnick offer.

6. Implement Strict Password & Account Management Policies

You should put in place strict password and account management policies and practices. Make sure employees change their passwords regularly (every three months), Hodge and Metnick recommend. And ensure that their passwords are complex, with at least eight characters and a combination of at least one number, one symbol, and both capital and lowercase letters.

Resource: For more guidance on protecting against insider threats, go to http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34017.