3 min read

How do we protect patient data against insider threats?

How do we protect patient data against insider threats?

Insider threats put the healthcare industry's security and confidentiality of patient data at risk. Healthcare organizations often overlook potential dangers within their walls. To better protect patient information, organizations should understand the types of insiders and recent breaches, and adopt effective strategies. A zero-trust security approach and enhanced awareness programs can mitigate risks posed by insiders.

 

What is an insider threat?

An insider threat refers to individuals within a healthcare organization with legitimate access to company resources containing personal health information (PHI). These individuals may be employees, contractors, third-party vendors, or volunteers with authorized access to electronic medical records (EMRs), cloud applications, or documents containing sensitive patient information. The consequences of an insider breach can be severe, including compliance fines, reputational damage, lawsuits, and loss of patient trust.

According to research, healthcare organizations in the US experienced a staggering 60% increase in insider attacks in 2022, with an average of 1,426 attacks per week. Insider breaches often go undetected for longer periods, resulting in greater damage and financial losses compared to external attacks.

Related: Insider threats in healthcare 

 

The $16.2 million insider security threat and urgent need for change

A 2023 DTEX systems Cost of Insider Risk Report shows that insider security threats come in two main types: malicious or non-malicious. The malicious threats involve people stealing information, committing fraud, or even doing violent things at work.

Non-malicious incidents happen when people make mistakes, or someone tricks them, like falling for phishing emails. What's necessary is how much money these incidents can cost. Even though intentional harm is not as common, it is the most expensive, costing about $701,500 each time.

See also: The $16.2 million insider security threat and urgent need for change

 

Types of insider threats

Insider threats can be categorized into two main types: malicious insiders and accidental insiders.

 

Malicious insiders

Malicious insiders are individuals who deliberately seek to harm their organization. Motivations for such threats can include financial gain or personal grudges against the company. A study by Accenture found that almost 20% of healthcare employees would be tempted to steal confidential information for a substantial sum of money. 

 

Accidental insiders

Accidental insiders, on the other hand, pose a risk to data security and compliance due to human error and negligence. These breaches often occur when employees unintentionally share sensitive information with the wrong recipients, improperly handle patient records out of curiosity, or fail to follow good cybersecurity practices.

 

Examples of insider threat incidents

Several high-profile incidents highlight the significant impact of insider threats on healthcare organizations and patient data security. Understanding these examples can provide valuable insights into the nature and consequences of insider breaches.

 

Florida hospital fraudulent claims

In one case, a Florida hospital discovered that two employees had been printing sensitive files containing PHI for approximately two years. These files contained valuable information such as social security numbers, names, and addresses, which the employees used to make fraudulent benefit claims with patients' health insurers. 

 

Bupa data breach

In 2017, an employee at Bupa, a leading healthcare provider, with legitimate access to the company's customer relationship management system, copied the sensitive data of over half a million customers. The employee then attempted to sell this information on the Dark Web, exposing the data to potential misuse. Bupa faced severe repercussions, including a £175,000 fine from the UK's Information Commissioner's Office for failing to safeguard personal data. 

Related: The $16.2 million insider security threat and urgent need for change 

 

Defending against insider threats in healthcare

Protecting patient data from insider threats requires a multi-faceted approach that combines a zero-trust security model and an effective security awareness program.

 

Zero trust for insider threats

Implementing a zero-trust security approach can enhance an organization's ability to defend against insider threats. Zero trust revolves around the principle of "never trust, always verify," requiring continuous authentication of users as they access company resources. Zero trust eliminates the possibility of malicious insiders stealing patient data. It prevents accidental insiders from inadvertently sharing sensitive information, ensuring compliance and data security.

 

Enhancing security awareness

Traditional security awareness training often falls short in combating insider threats. Instead of relying on one-off training sessions that yield low knowledge retention rates, healthcare organizations should adopt more effective approaches. Workflow nudges and prompts can influence employees' security decisions positively. These real-time reminders serve as educational tools, providing guidance and explanations when employees attempt actions that violate security policies. 

 

FAQs

What are insider threats?

Insider threats are security risks that come from within an organization, involving employees or contractors who misuse access to harm the organization, either intentionally or accidentally.

 

What is a data breach?

A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorization. 

 

What are the signs of a potential insider threat in healthcare?

Signs of a potential insider threat include employees accessing patient records they don't typically handle, unusual activity during non-working hours, or excessive data downloads without clear justification.

 

What are HIPAA’s breach notification requirements?

HIPAA's breach notification requirements mandate that healthcare providers, insurers, and their business associates must notify affected individuals, the Department of Health and Human Services, and sometimes the media, within 60 days of discovering a data breach involving protected health information.

 

How can healthcare organizations ensure compliance with breach notification regulations?

Healthcare organizations can ensure compliance by developing clear, predefined data breach notification procedures that outline specific timelines and communication methods for notifying patients and regulatory bodies, ensuring timely and effective responses.

See also: HIPAA Compliant Email: The Definitive Guide