Hospital staff and other healthcare insiders may pose a greater threat to patients’ protected health information than external hackers. That is the view of Michael DuBose, managing director and cyber investigations practice leader for global investigations firm Kroll Advisory Solutions.
“Most US healthcare organizations are not taking the necessary steps to protect patients’ personal health information,” he said. “HIPAA and HITECH have played an important role in raising the visibility and importance of network security and cyber security. Unfortunately, compliance with regulations alone will never be a sufficient security strategy, because there are too many other things that really need to be done to maintain network security.”
DuBose penned a white paper titled The Insider Threat: Why Chinese Hacking May Be the Least of Corporate Worries. It states that two-thirds of cyber thefts of trade secrets and other proprietary data involved insiders rather than external hackers. He believes that healthcare organizations can take valuable lessons from its findings.
“There’s a data broker in the underground internet for almost any type of personal information and because healthcare records provide, in many respects, the broadest spectrum of personal information on any given individual, its value is higher in the underground brokerage system,” he said.
In order to protect against malicious insiders, DuBose recommends that patient data be encrypted and made available only to employees who really need to access it.
“Too often patient data is open to a much broader spectrum of employees than necessary and, as a result, it’s more susceptible to theft or negligent loss,” he said. “It’s also advisable to get better at profiling at-risk employees: employees who have had network security mishaps or network security violations, or employees who have been written up for bad conduct – those types of behavioural characteristics put them in more of an at-risk category for stealing patient information.”
He also recommends having a credible deterrent in the form of a thorough investigation of any breach and serious consequences for staff caught stealing patient information. In order to identify culprits, it is important to ensure that there is sufficient logging of activity on the network to be able to trace who might have been responsible for a data breach.
“Without that, without the kind of digital footprint created by sufficient network logging, it’s very difficult for investigators to investigate a patient healthcare breach after the fact,” he said.
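As an added example (not from the article, DuBose or Kroll), the short Python script below shows the two things his advice implies a defender needs from record-access logs: a per-patient trail of who touched a record, for after-the-fact investigation, and a need-to-know check that flags access by staff outside a patient's care team. The log format, the user and patient identifiers and the care-team table are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit log (not real data): one line per patient-record access.
# Assumed format: timestamp user_id action patient_id
SAMPLE_LOG = """\
2013-04-02T08:01:12 nurse_ana VIEW P1001
2013-04-02T08:03:40 dr_kim VIEW P1001
2013-04-02T08:05:02 clerk_bob VIEW P1001
2013-04-02T08:05:30 clerk_bob EXPORT P1001
2013-04-02T09:10:00 nurse_ana VIEW P2002
2013-04-02T09:12:45 clerk_bob VIEW P2002
2013-04-02T09:13:01 clerk_bob VIEW P3003
"""

# Hypothetical care-team assignments: who has a need to know for each patient.
CARE_TEAM = {
    "P1001": {"nurse_ana", "dr_kim"},
    "P2002": {"nurse_ana"},
    "P3003": {"dr_kim"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (VIEW|EXPORT|UPDATE) (\S+)$")

def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, action, patient = m.groups()
        events.append({"ts": ts, "user": user, "action": action, "patient": patient})
    return events

def who_accessed(events, patient_id):
    """Investigation view: every access to one patient's record, in log order."""
    return [(e["ts"], e["user"], e["action"]) for e in events if e["patient"] == patient_id]

def need_to_know_violations(events, care_team):
    """Detection view: accesses by users who are not on the patient's care team."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]

def distinct_patients_by_user(events):
    """How many different records each user touched; a broad spread is a review trigger."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient"])
    return {user: len(patients) for user, patients in seen.items()}
```

Run over the sample, the violation list attributes every out-of-team access, including the EXPORT, to clerk_bob, which is exactly the trail an investigator needs after a breach.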