Mitigating Internal Security Threats in Healthcare

Over the past several years healthcare organizations have received warnings from the Department of Health and Human Services (HHS), the FBI, and others outlining the risks of external cyberattacks compromising electronic protected health information (ePHI). However, healthcare organizations cannot forget about the importance of mitigating internal security threats to ePHI.

Enforcement Actions

The HHS Health Sector Cybersecurity Coordination Center (HC3) issued a warning about insider risks in 2022. Now that warning has been reinforced by a recent enforcement action. On February 7, 2024, the HHS Office of Civil Rights (OCR) announced its first penalty of 2024 related to HIPAA violations. Montefiore Medical Center was hit with a $4.75 million penalty, the largest since 2021, after a reported PHI breach impacting 12,517 patients.  

Montefiore Medical Center, a non-profit hospital based in New York City was informed of a potential breach of PHI by the New York Police Department in May 2015. A Montefiore Medical Center staff member unlawfully accessed the PHI of 12,517 patients between January 1, 2013, and June 30, 2013, and sold the data to identity thieves. Montefiore reported the breach to the OCR and the subsequent investigation demonstrated that the medical center had not done accurate and thorough risk assessments of the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Additionally, Montefiore Medical Center did not have policies and procedures to record and examine activity in information systems containing or using ePHI. In addition to the $4.75M settlement, the organization must perform a comprehensive risk assessment and remediate identified risks. Montefiore is also subject to monitoring by the OCR for the next two years. This penalty demonstrates that the OCR does not only consider the number of records breached but also the overall risk control environment within the organization when determining the appropriate enforcement actions.

Unfortunately for Montefiore Medical Center, this was not the only evidence of insider activity resulting in potential ePHI breaches. In 2020, Montefiore reported that a former employee accessed the information of 4,000 patients between January 2018 and July 2020 and used that information to perpetuate a billing scam.

But Montefiore Medical Center is not alone.  In June of 2023, Yakima Valley Memorial Hospital entered into a settlement for $240,000 resulting from inappropriate access to ePHI for 419 individuals by several security guards. The 2023 Verizon Business Data Breach Investigations Report noted that 35% of healthcare breaches were caused by internal threat actors. 

How Healthcare Organizations Can Mitigate Internal Security Threats

Risk Assessments

Conduct a comprehensive risk assessment of the potential security risks and vulnerabilities to confidentiality, integrity, and availability of ePHI. Make sure your risk assessment considers the internal risks to ePHI. Have you restricted access to the minimum necessary? Are you monitoring PHI access?  Are you looking for patterns that might indicate inappropriate use of ePHI?    

Unfortunately, the evidence continues to show that healthcare organizations and their business associates are not performing comprehensive security risk assessments. This is in spite of the HIPAA Security Rule requiring them dating back to 2003.  A review of the 2023 OCR Enforcement actions related to breaches of PHI noted that in 70% of the resolution agreements the OCR cited the organization’s failure to conduct a risk analysis as a contributing factor. 

Train, Train, Train

Annual security training needs to cover insider threats. Ideally, periodic security reminders will reinforce the lessons. A 2021 survey by the training vendor Knowbe4 indicated 24% of the healthcare respondents had never received security training.  Do not assume your workforce knows what an insider threat is or what to do if they have concerns about their peers’ use of PHI. Train them!  

Monitor

Implement monitoring to make sure you can spot inappropriate access to ePHI by your workforce. You may have tools to monitor for external threats such as an intrusion detection system. Unfortunately, that will not catch the employee going through multiple records and obtaining demographic and financial information to commit fraud.  

CompliancePoint offers cybersecurity services tailored for healthcare professionals. We can help your organization design and implement an effective cybersecurity program, achieve HIPAA compliance, and obtain a HITRUST certification. Contact us at connect@compliancepoint.com to learn more.