Despite the fact that ransomware and hacking attacks draw the biggest headlines, it is actually improper insider access that causes the highest number of data breaches. Such are the results from the most recent Protenus “Breach Barometer,” which analyzes reported and sometimes not so publicly reported breaches in healthcare each month. For those who follow privacy and security in healthcare, the Protenus findings are not that surprising. Reports of inappropriate access by insiders are frequent and show a disturbing trend.
Many of the reports allege that information was not used in any detrimental manner. Only that snooping occurred. However, there are two problems with that view. First, even small insider breaches can have far lasting impacts. In case people do not remember, ProPublica did an expose on the impact of small breaches in December 2015. The individuals who had information accessed frequently faced social impact or other issues not readily visible from a high level. Additionally, inappropriate access of information can form the basis for criminal investigations or outcomes. For example, an insider who accessed information out of curiosity for over two years in Oregon is being investigated by the local District Attorney.
Why are insider threats so high? Likely a number of factors come into play, which may include an increasing amount of data that is accessible, easier means of access (i.e. electronic medical records and other digital health records), potential belief that access cannot or will not be detected, and a myriad number of other reasons. The converging of these factors seems to be creating a perfect storm in terms of inappropriate or unjustified access.
What can organizations do to combat insider threats? First, education and training are essential. This mantra has been repeated often in previous articles, but it is always helpful to provide the reminder. If insiders are not aware of obligations, such as HIPAA, or understand how an organization is implementing protections, then those insiders cannot be expected to do the right thing. Regular education and training make a difference. Arming individuals with knowledge is key.
While education and training are good, the number of insider incidents suggests that it may not be beneficial to extend trust too far. Regardless of the view on trust, HIPAA requires monitoring access to systems and information. From this perspective, organizations must monitor their systems and detect inappropriate access to files. The ability to find people opening files when no needed or even data leakage will mitigate the potential harm or fallout from the inappropriate access.
It will be worth monitoring future breach reports to see if insider continue the unfortunate rise as the primary cause of data breaches. It should be remembered that individuals on the whole try to do the right thing. Do not allow a small percentage to color all perceptions.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.