Six Things You Need to Know about Insider Threats to Electronic Protected Health Information (ePHI)

Why will criminals shopping on the black market pay at least 20 times more for patient records - and the ePHI they contain - than they will for credit card records? In addition to payment information, patient records contain an enormous number of personal details, ranging from medical history, to medications, to family history, all of which can be used for blackmail, identity theft, insurance fraud, and financial account hijacking.

Despite TV show depictions of threats to ePHI and patient data security, external hackers are not the healthcare industry's top threat. In study after study, it is insiders (e.g., employees, contractors, and business associates) that are named as the biggest threat to health data security. In this post, we present six need-to-know facts about ePHI for executives, and their implications for your security and privacy efforts.

1. Insider Threats Are Not New, But They Are Becoming More Dangerous

Everyone in the security and privacy field knows that insider threats are not new. They have, however, become more frequent and damaging in recent years, due to the widespread adoption of electronic health records (EHRs). Incorporating clinical context into your privacy and cybersecurity solutions is critical; you need a healthcare-tailored approach.

Solutions must also be proactive and intelligent, using advances in big data technology to help overburdened privacy officers sift through the multitude of insider threats and HIPAA violations hospitals are faced with daily, many of which might be false alarms.

2. Different Types of Threats Necessitate Different Approaches

According to data security experts, there are four categories of insider threat that health systems need to plan for:

• Compromised actors are individuals whose access credentials have been stolen by an outside threat (e.g., a phishing attack).
• Negligent actors expose data accidentally, through ignorance or negligence.
• Malicious employee snoopers who steal data from the EHR with nothing more than their day-to-day access.
• Tech-savvy actors use their knowledge of hospital systems to do significant damage, and may have elevated privileges or complex patterns of access.

Ensuring that you have a solution in place that is able to catch these four distinct, but interrelated, types of threats is critical.

3. Compliance Is Not Enough (Even for Compliance)

A solid majority of healthcare organizations state that compliance requirements drive their data protection efforts. Unfortunately, threats to patient data rarely move at the speed of compliance. Typically, years lapse between compliance requirement revisions. Conversely, threats evolve on a day-by-day basis, meaning that fulfilling compliance requirements alone does not protect sensitive health data.

In addition, privacy and security guidance is often not detailed enough in healthcare, leaving organizations guessing what they should do. Staying ahead of the curve on compliance and security technologies is the best way to protect hospital medical records and avoid an after-action finding through data breach forensics that you could have done more to prevent a breach.

4. Basic Blocking and Tackling Improves Health Cybersecurity

It’s well-known but not always discussed that healthcare still has a lot of basic work to do on the cybersecurity front. While levels of cybersecurity readiness vary widely in the industry, many institutions still have a long way to go before they catch up with industries like finance and consumer goods. The good news is that security hygiene and the day-to-day “blocking and tackling” of cybersecurity protects against both internal threats and external hackers. Some important initiatives include:

• Educating employees on the importance of security, creating a culture of respect for privacy and security
• Deploying or contracting for network security services, utilizing a SIEM, and deploying appropriate team resources or managed services to monitor your infrastructure
• Deploying a proactive privacy monitoring solution to ensure individuals are only accessing the data that they need for their job and not inappropriately accessing the EHR
• Ensuring encryption both in-transit and at-rest for any ePHI-containing system

5. Understanding Your Data Is Key

In order to protect your data, you have to understand it - who has access and in what particular contexts is the data used? However, the answers to these questions change second-by-second as a patient’s diagnosis evolves, personnel changes occur, and new technologies are incorporated into your enterprise. Hospitals must have the ability to develop a 360-degree view of all their data and how it is being used to understand the risks they might be facing and where to focus their energies.

However, doing this manually is extraordinarily costly and time-consuming, if not impossible. When integrating additional security and privacy technologies into your institution, ensure that they are capable of automatically processing and interpreting the huge amounts of data that characterize modern hospital systems.

6. Patient Privacy Monitoring of User Activity Mitigates Risk

Employees authorized to access your EHR violate HIPAA and breach your system whenever they view or copy the records of a patient who is not under their care, putting the organization at risk. They are often also able to run reports exporting vast amounts of patients' personal data which only increases the potential cost of an EHR data breach.

With the majority of breaches happening through the use of legitimate user accounts, the importance of monitoring user access to the EHR and associated ePHI-containing systems cannot be overstated. These include regular business users, IT users with various levels of administrative privileges, and external contractors/business associates.

Check out our Johns Hopkins case study, where we detail the transformation we were able to effect in their patient privacy monitoring program.