How Healthcare Providers Can Safeguard Against Insider Misuse

Understanding why employees expose protected health information is the first step for healthcare orgs to cut down on insider breaches.

Cyberthreats are, in many ways, the great equalizer for industries and organizations everywhere — most face the same threat vectors and problems. Healthcare, however, has one sore spot that makes it particularly vulnerable: its people.

In healthcare alone, insiders represent the largest threat to an organization, with 58 percent of cybersecurity incidents involving insiders, according to Verizon’s Protected Health Information Data Breach report.

“Access to a great deal of sensitive information is necessary for healthcare professionals to successfully carry out their duties. But along with that access comes the relatively easy ability to abuse it,” the report notes.

This ease, paired with the modernization of data, migration to electronic health records and a move toward more connected healthcare environment, can leave data more vulnerable to misuse than ever.

DOWNLOAD: Don’t be the next cybersecurity headline! Check out how to keep your organization safe!

3 Reasons Employees Expose PHI 

Why do employees misuse data and expose PHI at such an alarming rate? The report points to three main objectives for employees:

1. Financial gain: A staggering 48 percent of breaches from insiders are attributed to the pursuit of financial gain. According to the report: “The access that healthcare workers have to personal information of patients affords a convenient means to commit fraud of various types (for example tax return fraud or opening lines of credit).”

2. Fun/curiosity: Employees are people, and people are prone to curiosity. In the health profession, this curiosity can lead employees to access patient data outside of the parameters of their jobs, with fun being the motive behind 31 percent of these instances. “The admission of a family member, acquaintance or well-known personality into a hospital can present a temptation for employees who have technical access to that patient’s health record but no direct role in providing care or services to that patient. Any unwarranted access into that patient’s record simply to appease their curiosity would be (and is) considered a breach,” the report notes.

3. Convenience: Everyone wants to make their jobs easier, and that desire can overtake security policy. This happens in particular in the healthcare sector, with convenience motivating 32 percent of breaches from inside actors.

While this may be enough to put anyone off IT modernization altogether, the report authors warn readers not to be fooled into thinking less IT is safer: “The amount of breaches associated with old-fashioned paper documents is eye-opening,” it says.

MORE FROM HEALTHTECH: See how layered security can keep PHI protected!

What it Takes to Prevent Healthcare Data Misuse

So, how can provider organization IT teams protect against breaches caused by misuse?

“Work towards a reduction of paper-based PHI in your environment. Establish a holistic risk management program that protects not only ePHI, but also other sensitive data that’s stored and processed by your organization,” the report notes. 

Moreover,  Michelle O’Neill, director of corporate compliance and privacy officer for Summit Health Management, a physician-led management services model for medical practices, offered HealthTech six strategies to prevent against misuse and breaches:

  • Know and manage anyone with access to the organization’s systems.

  • Pay attention to unusual employee or user behaviors.

  • Focus on high-risk individuals.

  • Perform proactive audits to identify red flags.

  • Implement effective privacy and security training.

  • Have strong termination procedures in place.

Perhaps the most important element is training and education so that employees understand not how to keep data safe, but how to feel confident in maneuvering with data, Randall Frietzsche, CISO and privacy officer for Denver Health, told HealthTech.

“Users are really scared to use email today,” he said. “They get email that they’re afraid to click on and they hear all the horror stories. I want to not only reduce the risk of phishing email and ransomware, but I also want to increase users’ confidence in using email because they’ve seen phishing email before, they’re trained on the indicators and what to do with phishing email.”

6okean/Getty Images
Oct 04 2018