HIPAA Breaches – Don’t Forget About Insiders
While cyberattacks, whether on large hospital systems or small clinics, make for splashy headlines, healthcare providers should not forget to look within when it comes to vulnerabilities.
A recent examination by Verizon of healthcare security incidents across 27 countries found that the majority (58%) of breaches of protected health information ("PHI") involved insiders rather than outside attackers.
The report highlighted several areas that healthcare providers encounter on a frequent basis where risk can arise internally, chief among them privilege abuse. Personnel need access to specific PHI to perform their duties, but that same access puts them in a position to use or disclose the PHI for other, improper purposes, whether by snooping on records they have no treatment or business reason to view or by taking data with them on the way out. This is especially problematic with disgruntled or recently terminated employees whose accounts remain active. The three steps a healthcare provider should take to protect itself are: (1) Identify; (2) Address; and (3) Audit.
Identification requires healthcare providers to identify all vulnerabilities to PHI: not only the risks from outside, but, just as important, the risks from within the organization, including which workforce members and systems can reach which PHI. Once a healthcare provider identifies its vulnerabilities, it should address each by implementing the safeguards necessary to protect the PHI, both technical (role-based access, prompt deactivation of accounts on termination, audit logging) and administrative (policies, procedures, workforce training and sanctions). Many will recognize these first two steps as the Risk Analysis and Risk Management required under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A) and (B)). Finally, healthcare providers must remain vigilant against the ever-present threat to this extremely valuable data through regular audits of the systems and policies in place, to find new vulnerabilities or existing ones that are being exploited; the Security Rule's information system activity review and audit control requirements exist precisely so that misuse by an authorized insider leaves a trail that someone actually reads.
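As an added illustration of the Audit step (this is example code, not part of the original article or any particular vendor's product), the script below joins a small electronic health record audit log against an HR roster and flags the insider patterns discussed above: access by a terminated employee whose account was never disabled, access by an account unknown to HR, access to another unit's records, and one user touching an unusually large number of patients in a day. The log format, field names, roster and thresholds are all constructed for the example; a real review would read the EHR system's own audit export and the HR system's termination feed.

```python
"""Added example, not from the original article: a small insider-access review
that joins an EHR audit log against an HR roster. It flags the patterns the
article warns about: access by terminated staff, access outside the user's
assigned unit, and unusually broad record access. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster: username -> (assigned unit, termination date or None).
ROSTER = {
    "jdoe": ("cardiology", None),
    "mkhan": ("cardiology", None),
    "asmith": ("pharmacy", None),
    "rlee": ("oncology", date(2024, 3, 1)),  # terminated, account never disabled
}

# Constructed audit-log lines: timestamp, user, unit owning the record, patient id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe cardiology P1001 view
2024-03-04T09:15:30 rlee oncology P2002 view
2024-03-04T10:02:11 asmith cardiology P1001 export
2024-03-04T10:05:45 jdoe cardiology P1003 view
2024-03-04T11:00:00 mkhan cardiology P1001 view
2024-03-04T11:01:00 mkhan cardiology P1002 view
2024-03-04T11:02:00 mkhan cardiology P1003 view
2024-03-04T11:03:00 mkhan cardiology P1004 view
2024-03-04T23:40:00 ghost oncology P2009 view
"""


@dataclass(frozen=True)
class Finding:
    kind: str  # "terminated", "unknown_user", "cross_unit" or "volume"
    user: str
    detail: str


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, unit, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "unit": unit, "patient": patient, "action": action})
    return events


def review_access(events, roster, volume_threshold=3):
    """Return the accesses a privilege-abuse review should examine by hand."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for ev in events:
        entry = roster.get(ev["user"])
        if entry is None:
            # Account with no HR record: orphaned, shared or attacker-created.
            findings.append(Finding("unknown_user", ev["user"],
                f"{ev['action']} of {ev['patient']} by a user not in the HR roster"))
            continue
        unit, term_date = entry
        if term_date is not None and ev["ts"].date() >= term_date:
            # Any activity on or after the termination date is a finding.
            findings.append(Finding("terminated", ev["user"],
                f"{ev['action']} of {ev['patient']} on {ev['ts'].date()}, terminated {term_date}"))
            continue
        if ev["unit"] != unit:
            # Record belongs to a unit the user is not assigned to.
            findings.append(Finding("cross_unit", ev["user"],
                f"{ev['action']} of {ev['unit']} record {ev['patient']} by {unit} staff"))
        patients_per_user_day[(ev["user"], ev["ts"].date())].add(ev["patient"])
    # Volume rule: many distinct patients in one day is the classic snooping signature.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > volume_threshold:
            findings.append(Finding("volume", user,
                f"{len(patients)} distinct patients on {day} (threshold {volume_threshold})"))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG), ROSTER):
        print(f"[{f.kind}] {f.user}: {f.detail}")
```

On the constructed data this produces four findings: the terminated user rlee, the unknown account ghost, the pharmacy user asmith exporting a cardiology record, and mkhan viewing four patients in a morning. None of these is proof of misconduct (a float nurse or a billing clerk may legitimately cross units), which is why the output is a review queue rather than an automatic sanction; the volume threshold in particular should be tuned per role from the organization's own baseline.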
Healthcare providers would be wise to conduct an updated (or first) risk analysis that treats insiders as seriously as outside attackers, and to understand where they stand in the fight against threats to PHI.
For questions or information on HIPAA compliance, please contact Jay D. Reyero (firstname.lastname@example.org).