HHS Issues Guidance on Managing Malicious Insider Threats

The Department of Health and Human Services’ Office for Civil Rights has issued guidance for HIPAA-covered entities on managing malicious insider threats in its summer 2019 cybersecurity newsletter.

Hackers are attacking healthcare organizations with increased vigor, but not all threats are external. Healthcare employees are in an ideal position to access and steal patient data and each year dozens of insider data breaches are reported to the HHS. These include accessing the data or celebrities, colleagues, and acquaintances without authorization and stealing data for financial gain. Data is sold to cybercriminals and used for a range of different fraudulent activities such as identity theft, medical identify theft, and tax fraud.

According to Verizon’s 2019 Data Breach Investigations Report, 59% of all data security incidents are the result of the actions of insiders.  These attacks tend to impact fewer patients that cyberattacks by external hackers, but the consequences for employees can be severe. Breach victims can suffer major financial losses as a result of insider breaches.

Healthcare organizations also suffer losses as a result of the attacks. Malicious insider breaches can damage a healthcare provider’s reputation, are expensive to mitigate, and regulatory fines can be issued if appropriate safeguards have not been implemented to reduce risk to a reasonable and acceptable level.

OCR points out one such fine was issued to Memorial Healthcare System after several of its employees accessed the records of patients without authorization in 2012. The health system was fined $5.5 million for the failure to safeguard against such attacks.

Safeguards to Protect Against Malicious Insider Attacks

In order to protect PHI, healthcare organizations must know where PHI is located at all times and all systems and applications that touch PHI. That knowledge is essential in order to perform a comprehensive risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI. Physical, technical and administrative safeguards must then be implemented to reduce all identified risks to a reasonable and acceptable level.

Physical controls should be implemented to restrict access to locations and devices where PHI is stored. Access controls are required to prevent employees from accessing data unless there is a legitimate need for PHI to be accessed for work reasons.

Controls should limit the actions that employees can perform on PHI. Healthcare organizations should consider whether employees need to download or alter records, or if read-only access is all that is required. Access controls should then be set accordingly.

If employees do not need to use smartphones, portable storage devices, and laptops for accessing PHI, safeguards should be implemented to block the use of those devices.  If those devices need to be used, appropriate security controls must be implemented to safeguard data when using those devices – e.g. encryption.

These controls can prevent data leakage but when an unauthorized access incident occurs, data breaches need to be detected promptly. Healthcare organizations therefore need full visibility into what is happening on their network. Users must have unique logins that allow their PHI interactions to be monitored and logged. Those logs must then be regularly reviewed for unauthorized access and suspicious activity.

Polices and procedures should be regularly assessed to ensure they continue to be effective. Access rights must also be regularly reviewed and updated if a user changes role, department, or leaves the organization. The latter is especially important as the risk of data theft is greatest in cases of involuntary separation. OCR reminds covered entities that in such cases, access rights to PHI, computers, and applications must be terminated before an individual leaves the organization.

“The healthcare sector is a tempting target for malicious insiders who seek to disclose or steal an organization’s sensitive information,” explained OCR in the newsletter. “By recognizing the risks and implementing appropriate safeguards, organizations can manage this risk and comply with the law.”