November 1, 2016

More Than Credit Card Fraud: Why Criminal Insiders Commit Health Data Breaches

Kira Caban, Director of Communications, Protenus

In our last "Patients at Risk" post, we discussed how insiders can pose a threat to electronic protected health information (ePHI) through health data breaches and explored why hospital leaders identify this group as the top threat to patient privacy. Within this category of insider threats, motivations for snooping can be divided into two main categories: malicious motivation involving criminal activity, and innocent motivation involving curious employees with insufficient training on what constitutes inappropriate access to the EHR.

In this post, we will focus on criminal insiders, the risk they pose to health data, the damaging effects that this type of breach can have on patients, and ways to manage and reduce this threat.  

Medical Records Provide Everything Necessary for an Array of Criminal Activity

Incidents in which employees access patient records non-maliciously but still inappropriately have often resulted from severely fractured interpersonal relationships between the affected patient and the hospital employee who snooped. Perhaps an employee accessed a relative's records and revealed sensitive health information, meant to remain private, to other family members. With malicious insider activity, the damages extend far beyond interpersonal relationships.

Here's how an incident of criminal insider activity typically goes: a local crime ring convinces a hospital employee to share the rich details contained in a patient's medical record (Social Security number, birthdate, address, medical history, and prescription and billing information) and pays the employee for this information. Once the exchange occurs, the criminals possess the information they need to effectively steal the patient's identity. They can purchase prescriptions and sell the medication on the dark web, and they can claim Medicare reimbursements to which they are not entitled. Perhaps scariest is their ability to alter a patient's medical history and prescription list so that they reflect incorrect information about the patient. Changing this information can be deadly.

The Ponemon Institute estimates the cost of medical identity theft at $30 billion a year. Yet it’s clear that the costs associated with medical identity theft have the potential to go far beyond its measurable economic impact.

Protecting Patient Data Security from Insider Criminals is Hard Work

The threat of internal actors improperly accessing patient data plagues hospital systems. Internal actors are responsible for 43% of data loss, half from intentional malicious activity and the other half accidental, which shows the staggering amount of risk lingering inside organizations. This comes amid a continuous expansion in the number of people with access to health information, meaning that the threat is only growing. On average, 150 individuals access a patient's information during a routine hospital stay, and 15-40 users access a single patient's records per day.

Reviewing EHR Access Logs Alone is Not Enough

Having the ability to recognize subtle patterns in how employees interact with patient data is key to detecting insider threats because this insight allows organizations to stop insider criminal activity before it spirals out of control. The data that can expose these patterns already exists: EHR access logs that show who has accessed a computer and EHR system, when it was accessed, and which operations were performed. It’s extremely rich data that healthcare providers are required to collect. However, with millions of accesses recorded in a single weekly access log, compliance teams report that it’s extremely challenging to extract any meaningful insight from the data.

Moreover, manually sorting through each access is a highly reactive method of identifying threats to patient privacy. Compliance officers typically look at information months after the suspicious access occurs, allowing ample time for criminals to steal patients’ identities. On top of this, a very small percentage of accesses are actually monitored or audited, meaning that many cases of possible criminal insider activity go completely undetected until a patient realizes that their data has been tampered with or stolen. Cases that receive attention are frequently deemed to be false alerts.

Even knowing the necessary data exists, how can it be leveraged to support the needs of compliance teams?

Transforming Access Logs Into a Powerful Tool to Detect Criminal Activity

Proactive patient privacy monitoring systems answer this question: they analyze the data stored in access logs to detect inappropriate access accurately and quickly, while also helping compliance teams manage alerts.

Here are three essential components of any monitoring system that will make compliance and privacy teams more effective at detecting threats from criminal insiders:

  1. Products built specifically for the healthcare industry account for the unique challenges in complying with HIPAA while transforming audit logs into powerful detection tools through advanced machine learning analytics. They reduce case time from months to a matter of minutes, reduce the number of false positives, and elevate true alerts.
  2. Understanding data is essential if it's going to be protected: who has access, and in what particular contexts is the data used? The answers to these questions change second by second as a patient's diagnosis evolves, personnel changes occur, and new technologies are incorporated throughout the organization. Hospitals must have the ability to develop a 360-degree view of all their data and how it is being used to understand where to focus their energies.
  3. Security plans that balance security, usability, convenience and efficiency are hard to come by. Once an inappropriate access has been detected, compliance and privacy officers need to understand the story behind the incident. Was it an employee who didn't know better and looked at her husband's and children's records, or was it an employee working with criminals with malicious intent? Platforms that balance these elements can make compliance officers' jobs easier and help them prioritize their caseloads.

Insider Threats Will Never Completely Disappear

According to privacy lawyer Adam Greene, "Sometimes, staff betray the trust that the provider and patients put in them. The risk of staff violations can be reduced through background checks, training, regular auditing of system activity and consistent use of discipline. But problems like these can never be eliminated entirely." While this is a harsh reality to accept, once providers understand this and implement technologies that can effectively reduce these threats, patient data will be far less likely to fall into dangerous hands.  
