Who’s Accessing Your Data?: The Insider Threat

Although ransomware and hacking attacks draw the biggest headlines, it is improper insider access that causes the highest number of data breaches. Such are the results of the most recent Protenus "Breach Barometer," which analyzes reported (and sometimes not so publicly reported) breaches in healthcare each month. For those who follow privacy and security in healthcare, the Protenus findings are not surprising. Reports of inappropriate access by insiders are frequent and show a disturbing trend.

Many of the reports allege that the information was not used in any detrimental manner, only that snooping occurred. However, there are two problems with that view. First, even small insider breaches can have long-lasting impacts. In case people do not remember, ProPublica published an exposé on the impact of small breaches in December 2015. The individuals whose information was accessed frequently faced social consequences or other issues not readily visible from a high level. Second, inappropriate access to information can form the basis for criminal investigations or outcomes. For example, an insider in Oregon who accessed information out of curiosity for over two years is being investigated by the local District Attorney.

Why are insider threats so high? A number of factors likely come into play, including an increasing amount of accessible data, easier means of access (e.g. electronic medical records and other digital health records), a belief that access cannot or will not be detected, and myriad other reasons. The convergence of these factors seems to be creating a perfect storm of inappropriate or unjustified access.

What can organizations do to combat insider threats? First, education and training are essential. This mantra has been repeated often in previous articles, but it is always helpful to provide the reminder. If insiders are not aware of their obligations, such as those under HIPAA, or do not understand how an organization is implementing protections, then those insiders cannot be expected to do the right thing. Regular education and training make a difference. Arming individuals with knowledge is key.

While education and training are good, the number of insider incidents suggests that it may not be wise to extend trust too far. Regardless of the view on trust, HIPAA requires monitoring access to systems and information. From this perspective, organizations must monitor their systems and detect inappropriate access to files. The ability to find people opening files when not needed, or even data leakage, will mitigate the potential harm or fallout from the inappropriate access.
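As an added illustration of the monitoring described above (example code, not part of the original post), the following script reviews constructed EHR audit-log lines and flags record accesses where the user has no documented care-team relationship with the patient. The log format, user and patient identifiers, and the care-team table are all assumptions; in practice the relationship data would come from the EHR's encounter or scheduling records.

```python
"""Audit-log review for EHR snooping: flag record accesses with no documented
treatment relationship between the user and the patient."""
from collections import defaultdict

# Constructed sample audit lines (timestamp,user,patient,action); not real data.
AUDIT_LOG = """\
2017-03-01T08:02:11,nurse_a,P1001,view
2017-03-01T08:05:40,nurse_a,P1002,view
2017-03-01T08:09:03,nurse_a,P2077,view
2017-03-01T12:15:22,clerk_b,P1001,view
2017-03-01T12:16:01,clerk_b,P1003,print
2017-03-02T09:00:00,dr_c,P2077,view
"""

# Constructed care-team assignments: which users have a treatment or
# operations reason to open which patient records (hypothetical data).
CARE_TEAM = {
    "P1001": {"nurse_a", "dr_c"},
    "P1002": {"nurse_a"},
    "P1003": {"clerk_b"},
    "P2077": {"dr_c"},
}

def parse_audit(text):
    """Parse comma-separated audit lines into dictionaries; skip blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        rows.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return rows

def find_unjustified_access(rows, care_team):
    """Return accesses where the user is not on the patient's care team."""
    return [r for r in rows if r["user"] not in care_team.get(r["patient"], set())]

def summarize_by_user(findings):
    """Count flagged accesses per user so reviewers can prioritize follow-up."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["user"]] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_unjustified_access(parse_audit(AUDIT_LOG), CARE_TEAM)
    for h in hits:
        print(f"{h['ts']} {h['user']} opened {h['patient']} ({h['action']}) "
              "without a care-team relationship")
    print(summarize_by_user(hits))
```

Flagged rows are leads for a compliance review, not proof of misconduct; a legitimate reason (a consult, a transfer) may simply be missing from the relationship data.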

It will be worth monitoring future breach reports to see if insiders continue their unfortunate rise as the primary cause of data breaches. It should be remembered that individuals on the whole try to do the right thing. Do not allow a small percentage to color all perceptions.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.