Insider threats put the healthcare industry's security and confidentiality of patient data at risk. Healthcare organizations often overlook potential dangers within their walls. To better protect patient information, organizations should understand the types of insiders and recent breaches, and adopt effective strategies. A zero-trust security approach and enhanced awareness programs can mitigate risks posed by insiders.
An insider threat refers to individuals within a healthcare organization with legitimate access to company resources containing personal health information (PHI). These individuals may be employees, contractors, third-party vendors, or volunteers with authorized access to electronic medical records (EMRs), cloud applications, or documents containing sensitive patient information. The consequences of an insider breach can be severe, including compliance fines, reputational damage, lawsuits, and loss of patient trust.
According to research, healthcare organizations in the US experienced a staggering 60% increase in insider attacks in 2022, with an average of 1,426 attacks per week. Insider breaches often go undetected for longer periods, resulting in greater damage and financial losses compared to external attacks.
A 2023 DTEX Systems Cost of Insider Risk Report shows that insider security threats come in two main types: malicious and non-malicious. Malicious threats involve people stealing information, committing fraud, or even committing violence at work.
Non-malicious incidents happen when people make mistakes or are tricked, for example by falling for phishing emails. What matters is how much these incidents can cost: even though intentional harm is less common, it is the most expensive, at about $701,500 per incident.
Insider threats can be categorized into two main types: malicious insiders and accidental insiders.
Malicious insiders are individuals who deliberately seek to harm their organization. Motivations for such threats can include financial gain or personal grudges against the company. A study by Accenture found that almost 20% of healthcare employees would be tempted to steal confidential information for a substantial sum of money.
Accidental insiders, on the other hand, pose a risk to data security and compliance due to human error and negligence. These breaches often occur when employees unintentionally share sensitive information with the wrong recipients, improperly handle patient records out of curiosity, or fail to follow good cybersecurity practices.
Several high-profile incidents highlight the significant impact of insider threats on healthcare organizations and patient data security. Understanding these examples can provide valuable insights into the nature and consequences of insider breaches.
In one case, a Florida hospital discovered that two employees had been printing sensitive files containing PHI for approximately two years. These files contained valuable information such as social security numbers, names, and addresses, which the employees used to make fraudulent benefit claims with patients' health insurers.
In 2017, an employee at Bupa, a leading healthcare provider, with legitimate access to the company's customer relationship management system, copied the sensitive data of over half a million customers. The employee then attempted to sell this information on the Dark Web, exposing the data to potential misuse. Bupa faced severe repercussions, including a £175,000 fine from the UK's Information Commissioner's Office for failing to safeguard personal data.
Protecting patient data from insider threats requires a multi-faceted approach that combines a zero-trust security model and an effective security awareness program.
Implementing a zero-trust security approach can enhance an organization's ability to defend against insider threats. Zero trust revolves around the principle of "never trust, always verify," requiring continuous authentication of users as they access company resources. Zero trust eliminates the possibility of malicious insiders stealing patient data. It prevents accidental insiders from inadvertently sharing sensitive information, ensuring compliance and data security.
Traditional security awareness training often falls short in combating insider threats. Instead of relying on one-off training sessions that yield low knowledge retention rates, healthcare organizations should adopt more effective approaches. Workflow nudges and prompts can influence employees' security decisions positively. These real-time reminders serve as educational tools, providing guidance and explanations when employees attempt actions that violate security policies.
Insider threats are security risks that come from within an organization, involving employees or contractors who misuse access to harm the organization, either intentionally or accidentally.
A data breach occurs when sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorization.
Signs of a potential insider threat include employees accessing patient records they don't typically handle, unusual activity during non-working hours, or excessive data downloads without clear justification.
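The three warning signs listed above can be checked mechanically against EMR audit logs. The following is an added example, not code from the original article: the log format, the staff roster, the shift hours, and the thresholds are all assumptions chosen for illustration.

```python
"""Flag the insider-threat indicators named above in EMR audit-log lines:
after-hours access, bulk exports, and repeated access to patients outside
the user's assigned department. Log format, roster and thresholds are assumed."""
from collections import Counter
from datetime import datetime

# Constructed audit-log lines: timestamp, user, action, patient department, record count
AUDIT_LOG = """\
2024-03-04T09:12:00 nurse_amy view cardiology 1
2024-03-04T09:40:00 nurse_amy view cardiology 1
2024-03-04T02:15:00 clerk_bob view oncology 1
2024-03-04T14:05:00 clerk_bob export billing 850
2024-03-04T11:30:00 nurse_amy view oncology 1
2024-03-04T11:31:00 nurse_amy view oncology 1
2024-03-04T11:32:00 nurse_amy view oncology 1
"""

# Assumed staff roster: the departments each user normally handles
ROSTER = {"nurse_amy": {"cardiology"}, "clerk_bob": {"billing"}}

WORK_HOURS = range(7, 19)     # 07:00-18:59 counts as a normal shift (assumed)
EXPORT_THRESHOLD = 500        # records in one export event before alerting (assumed)
OFF_DEPT_THRESHOLD = 3        # accesses outside assigned departments before alerting

def parse_line(line):
    """Split one audit line into typed fields."""
    ts, user, action, dept, count = line.split()
    return datetime.fromisoformat(ts), user, action, dept, int(count)

def detect(log_text, roster):
    """Return a sorted list of (user, indicator) alerts found in the log."""
    alerts = set()
    off_dept_access = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dept, count = parse_line(line)
        if ts.hour not in WORK_HOURS:
            alerts.add((user, "after_hours_access"))
        if action == "export" and count >= EXPORT_THRESHOLD:
            alerts.add((user, "bulk_export"))
        if dept not in roster.get(user, set()):
            off_dept_access[user] += 1
    for user, n in off_dept_access.items():
        if n >= OFF_DEPT_THRESHOLD:
            alerts.add((user, "outside_assigned_department"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, indicator in detect(AUDIT_LOG, ROSTER):
        print(f"ALERT {user}: {indicator}")
```

In production the roster would come from the HR or identity system and the thresholds would be tuned per role, since a release-of-information clerk legitimately exports far more records than a floor nurse.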
HIPAA's breach notification requirements mandate that healthcare providers, insurers, and their business associates must notify affected individuals, the Department of Health and Human Services, and sometimes the media, within 60 days of discovering a data breach involving protected health information.
Healthcare organizations can ensure compliance by developing clear, predefined data breach notification procedures that outline specific timelines and communication methods for notifying patients and regulatory bodies, ensuring timely and effective responses.