Ransomware takedowns populate news headlines, but many health IT breaches result from staff activities. Whether an employee accidentally discloses protected health information (PHI) or deliberately sets out to harm your health IT, the onus of providing and maintaining the security of your systems falls on your organization.
Considering the devastating toll of unauthorized PHI disclosure, it’s imperative to cover all your bases and protect yourself and your patients against an inside attack.
External security threats, namely cybercrime, are an everyday reality. In fact, given the current level of criminal cyber activity, the chances are high that your system is attempting to fend off a penetration of your network as you read this. But external threats aren’t your only concern. You must also safeguard against internal, or insider, threats.
Insider threats, as defined by the United States Computer Emergency Readiness Team (US-CERT), include:
Tip: Beware of falling prey to a false sense of security — the belief that your staff is both ethical and well-versed in current HIPAA compliance protocols. To counter that presumption, take a proactive approach to insider threats with an informed appreciation of how likely they are.
Industry experts advise medical practices to implement background checks on all new employees, given that they will routinely handle sensitive information such as private medical data, payment information, and insurance identification numbers.
In addition to performing background checks, your office should educate staff about how to recognize insider threats.
Human error causes far too many HIPAA issues and lost PHI. US-CERT research breaks down these unintentional errors into four main categories:
Eradicate inadvertent hazards like these with a combination of risk assessment and risk management that includes security controls such as encryption and multi-factor authentication, logging and monitoring of devices, and comprehensive staff education from the top down. Workforce training should focus on how information is shared, how authorized devices are secured, and how third-party apps are used.
Do you know the signs that suggest an insider threat could be imminent? You can prevent malicious threats by recognizing key indicators. US-CERT guidance suggests that you watch for the following behaviors in employees or business associates (BAs):
The HHS Office for Civil Rights (OCR) Cybersecurity Newsletter offers great advice on insider threats and what to do after an employee is terminated. Pocket these tips to set up your procedures:
Tip: Direct all employees to keep their eyes open for suspicious behavior that may pose a security threat. Understand that your staff may feel nervous about reporting breaches or telling management about their hunches. Make sure that you encourage your staff to communicate their concerns.
Contributing Editor: Kristin Webb-Hollering