Who’s Accessing Your Data?: The Insider Threat

privacy-policy-538714_640Despite the fact that ransomware and hacking attacks draw the biggest headlines, it is actually improper insider access that causes the highest number of data breaches. Such are the results from the most recent Protenus “Breach Barometer,” which analyzes reported and sometimes not so publicly reported breaches in healthcare each month. For those who follow privacy and security in healthcare, the Protenus findings are not that surprising. Reports of inappropriate access by insiders are frequent and show a disturbing trend.

Many of the reports allege that information was not used in any detrimental manner. Only that snooping occurred. However, there are two problems with that view.  First, even small insider breaches can have far lasting impacts.  In case people do not remember, ProPublica did an expose on the impact of small breaches in December 2015. The individuals who had information accessed frequently faced social impact or other issues not readily visible from a high level. Additionally, inappropriate access of information can form the basis for criminal investigations or outcomes. For example, an insider who accessed information out of curiosity for over two years in Oregon is being investigated by the local District Attorney.

Why are insider threats so high? Likely a number of factors come into play, which may include an increasing amount of data that is accessible, easier means of access (i.e. electronic medical records and other digital health records), potential belief that access cannot or will not be detected, and a myriad number of other reasons. The converging of these factors seems to be creating a perfect storm in terms of inappropriate or unjustified access.

What can organizations do to combat insider threats? First, education and training are essential. This mantra has been repeated often in previous articles, but it is always helpful to provide the reminder. If insiders are not aware of obligations, such as HIPAA, or understand how an organization is implementing protections, then those insiders cannot be expected to do the right thing. Regular education and training make a difference. Arming individuals with knowledge is key.

While education and training are good, the number of insider incidents suggests that it may not be beneficial to extend trust too far. Regardless of the view on trust, HIPAA requires monitoring access to systems and information. From this perspective, organizations must monitor their systems and detect inappropriate access to files. The ability to find people opening files when no needed or even data leakage will mitigate the potential harm or fallout from the inappropriate access.

It will be worth monitoring future breach reports to see if insider continue the unfortunate rise as the primary cause of data breaches. It should be remembered that individuals on the whole try to do the right thing. Do not allow a small percentage to color all perceptions.

Posted in Compliance, Health IT, HIPAA | Tagged , , , , | Leave a comment

HIPAA Certified: Not So Fast

seal-1674127_640A healthcare organization is looking for a new electronic medical record, secure messaging application or any other solution. It compares a number of vendors, product features and gets close to choosing one. Just before making the ultimate decision, someone asks, what about HIPAA? As this question enters the discussion, another person says that the chosen product is HIPAA “certified.” Hearing that the product is certified, everyone is satisfied and thinks that HIPAA obligations are all set. Unfortunately, HIPAA “certification” does not settle any issue.

The question of certification is one that has been around almost as long as HIPAA itself. From the legal perspective, certification is not even worth the paper it is printed on. The government, specifically the HHS Office for Civil Rights, does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an “official” certification. This fact is revealed in a longstanding “Frequently Asked Question” from OCR. As such, any company or product advertising HIPAA certification is providing an unverifiable statement. Since OCR does not endorse or recognize certification, questions should be asked about any product claiming certification. A buyer cannot feel comfortable just be seeing the “certification.”

The lack of any recognized certification raises the question of whether it is time to have an official certification program. Would such a program help distinguish those products or solutions that truly meet HIPAA standards from those that do not? Who would administer and/or oversee a certification program? These are important aspects to consider if a certification program were to be pursued. At first blush, certification seems desirable because it may establish baseline standards and expectations. However, there could be a concern that certification would be an end in and of itself, without thinking farther. As such, certification is an open question and one worth fully vetting.

At first blush, certification seems desirable because it may establish baseline standards and expectations. HIPAA is quite clear in terms of privacy policies and protections that need to be in place. The differences can arise when it comes to security policies and procedures. The Security Rule is designed to be flexible. Not every organization will have the same policies and procedures. Such differences are not necessarily a barrier but need to factor into the certification standards.

From the opposite perspective, there could be a concern that certification would be an end in and of itself, without thinking farther. Would organizations target the bare minimum to ensure that certification is issued, or think holistically about what is needed above and beyond HIPAA requirements. At this point, it is important to remember that HIPAA only establishes a baseline for good security protections. Truly effective security needs to go well beyond what HIPAA may require.

With all of these considerations in mind, certification is an open question. Even though it is an open question, the topic is one worth fully vetting. For the time being, an organization can certainly have an independent party audit its policies and procedures to have an unbiased scoring of compliance status. However, any audits results are more for internal education and assessment, not for holding out as a stamp of approval.

Posted in Health IT, HIPAA, Regulations | Tagged , , , | 1 Comment

HIMSS17 In a Day

Not wanting to miss the opportunity to join the big HIMSS party, I made the decision to attend HIMSS17 only for a day. What did that mean? A lot of walking, a lot of meetings,  a lot of bouncing around, but, most importantly, a lot of fun. I got to see many friends, make new ones and learn a lot.

Preparation for the day began right at the beginning. That means dressing to show my part in timg_3034he growing community of pinksocks. This helps set and remind that the tone should be community and coming together.

What does HIMSS look like at the beginning of the day? When working on toddler/baby time (which means earlier than you want), it is possible to get to HIMSS and see it in the calm before the storm.

img_3037

It is not often that a picture can be taken with barely any people in it at HIMSS. However, that is what happens when you arrive before anything really opens or starts.

When faced with a fair amount of time before any meetings, I also had to check an item off of the HIMSS bucket list:

img_3040

Of course, it was not possible to get the picture by myself. That was aided by a kind offer of mutual help through Twitter. Ashlie Johnson (@heyashlie) was nice to suggest that we both get our pictures.

img_3043

Before fully venturing out into the wild day, I had to admit to being unaware of some social media use. Candidly, Snapchat is not in my ordinary repertoire. However, HIMSS had a fun geolocating frame to help more easily capture and tag the famous HIMSSelfie. Thankfully, Amanda Burkey (@a_burkey) was on hand to provide a crash course.

img_3044

Now fully prepared, I began the day of meeting after meeting. While that does not necessarily sound like fun, each meeting was the chance to talk with someone new, learn something new and make a new connection, strengthen an old one or finally get the always sought after “in real life” meeting with a social media friend. As most readers of this blog would expect, the bulk of my meetings focused on HIPAA, privacy and security issues. There is a lot to discuss in that realm though, so there were no shortage of topics to consider.

 

img_3045

Bill Esslinger of Fogo Data Center

 

 

img_3046

Robert Lord of Protenus

 

 

img_3047

Chuck Webster, MD – The famous @wareflo and supplier of awesome laser cut Social Media Ambassadors buttons

 

 

img_3051

Colin Hung (@colin_hung) – Amazing co-leader of #hcldr

 

 

img_3056

Dr. Geeta Nayyar – @gnayyar and an amazing woman to learn from

 

img_3048

Justin Smith from Galen Healthcare

 

img_3057

Wilson To – @wilson_to, a long-time co-participant in #KareoChat, who as it turns out also likes good craft beer

 

img_3054

Orlee Berlove from OnPage

While I do not have a good picture, I cannot leave out (and want to highlight) the group of fellow HIMSS17 Social Media Ambassadors. It is a diverse group (not all caught in this picture) who provide thoughts and insights into so many different areas of healthcare. It is a great group to learn from, get challenged by and to hang around with.

 

img_3050

The Social Media Ambassador Meet Up

The pictures cannot do full justice to the busy day, but it was fantastic. The energy at HIMSS is palpable and inspiring.

In closing, here are  few statistics to help shape the day:

  • Ground time in Orlando – 24 hours and 30 minutes
  • Miles walked – 9.2
  • Meetings – 11
  • Facebook Live or other video recordings – 5
  • Friends seen or met – too many to count
  • Tweets sent – not sure, but certainly quite a few

Even in a short time, it is possible to obtain a significant amount of value. I hope others feel the same and if you have not been before, maybe next year.

 

 

 

 

 

Posted in Business, Healthcare, HIPAA | Tagged , , | Leave a comment