The 2018 Protected Health Information Data Breach Report found that 58 percent of security incidents resulted from insiders rather than outsiders, such as hackers.
Discussing the report, Health IT Security noted the following insider threats:
- Employees misusing or abusing their access privileges. Two-thirds of all incidents involving unapproved or malicious use of organizational resources came from privilege abuse.
- Data mishandling (21.6 percent).
- Possession abuse (16.9 percent).
- Knowledge abuse (4.2 percent).
See https://healthitsecurity.com/news/58-of-healthcare-phi-data-breaches-caused-by-insiders.
The updated 2019 report saw a slight increase to 59 percent. It noted that, although some breaches resulted from mistakes by insiders, a significant percentage were malicious, such as the misuse of data for financial gain. This finding is consistent with an analysis of the convictions for violation of HIPAA’s criminal statute, the majority of which have involved identity theft.
The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) is hardly unaware of the risks posed by insiders—that is, workforce members, which includes not only employees but also other insiders that may have access to protected health information (“PHI”), such as students, volunteers, and independent contractors. Consequently, in its 2019 Summer Cybersecurity Newsletter, OCR has issued the following guidance to covered entities and business associates on how both to reduce the threat of insider breaches and to detect them if they occur:
- Know all locations where patient information is stored and how that information flows throughout the organization. Unless you do, you cannot conduct a thorough and accurate risk analysis to determine all risks to the confidentiality, integrity, and availability of patient data and reduce those risks to a reasonable and appropriate level.
- Implement physical, technical, and administrative access controls to protect against unauthorized access from within. Use role-based access controls to limit access to the minimum necessary information required to perform one’s duties.
- Control what individuals are able to do with patient data. If view-only access is required, users should not be able to modify, delete, or download data. Implement controls to prevent access from such devices as smartphones and the copying of data to portable storage devices, such as zip drives.
- Security personnel must regularly check system, event, application, and audit logs to quickly detect suspicious activity and unusual patterns of data access. Insider breaches must be identified and corrected promptly.
- Remember that security is a dynamic process. Safeguards, policies, and procedures need to be regularly evaluated (consistent with the Security Rule’s Evaluation Standard) to ensure that they continue to be effective. The entity must monitor access rights and change them as appropriate when workforce members change roles or transfer to a different department. Entities must also terminate access to data when workforce members leave the organization.
Read the Newsletter at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2019/index.html.
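As an added illustration (not from the OCR newsletter and not Veterans Press code), here is a small Python review of audit log lines for the patterns the guidance above describes: actions a role is not permitted to take, activity by workforce members whose access should have been terminated, and unusually broad access to patient records. The log format, role model, user names and threshold are constructed assumptions for the example.

```python
# Constructed example: review PHI audit log lines for insider-threat patterns.
# The log format, roles, users and threshold below are assumptions, not OCR's.
from collections import defaultdict

# Permitted actions per role (assumed role model; view-only roles may only VIEW).
ROLE_PERMISSIONS = {
    "nurse": {"VIEW", "MODIFY"},
    "billing": {"VIEW"},
    "volunteer": {"VIEW"},
}
# Workforce members whose access should already have been terminated (constructed).
TERMINATED = {"jdoe"}
# More distinct patient records than this in one log window is flagged as unusual.
MAX_DISTINCT_PATIENTS = 3

# Constructed audit log lines: timestamp|user|role|action|patient_id
SAMPLE_LOG = """\
2019-08-01T08:02:11|asmith|nurse|VIEW|P1001
2019-08-01T08:05:40|asmith|nurse|MODIFY|P1001
2019-08-01T08:07:02|bjones|billing|VIEW|P1002
2019-08-01T08:09:15|bjones|billing|DOWNLOAD|P1002
2019-08-01T08:11:30|jdoe|nurse|VIEW|P1003
2019-08-01T08:12:01|cwhite|volunteer|VIEW|P1004
2019-08-01T08:12:05|cwhite|volunteer|VIEW|P1005
2019-08-01T08:12:09|cwhite|volunteer|VIEW|P1006
2019-08-01T08:12:14|cwhite|volunteer|VIEW|P1007
"""

def parse_log(text):
    """Split each non-empty line into (timestamp, user, role, action, patient)."""
    return [tuple(line.split("|")) for line in text.splitlines() if line.strip()]

def review_audit_log(text):
    """Return a list of (user, reason) findings for security staff to follow up."""
    findings = []
    patients_seen = defaultdict(set)
    for ts, user, role, action, patient in parse_log(text):
        if user in TERMINATED:
            findings.append((user, f"activity after termination at {ts}"))
        if action not in ROLE_PERMISSIONS.get(role, set()):
            findings.append((user, f"{action} not permitted for role {role}"))
        patients_seen[user].add(patient)
    # Volume check: a user touching many distinct records is an unusual pattern.
    for user, patients in patients_seen.items():
        if len(patients) > MAX_DISTINCT_PATIENTS:
            findings.append((user, f"accessed {len(patients)} distinct patient records"))
    return findings
```

Run against the constructed log, the review flags the billing user's download, the terminated user's activity, and the volunteer's unusually broad access; real deployments would set the threshold per role from the organization's own baseline.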
As always, keep good written documentation of the risk analysis and updates thereof, your policies and procedures based on the results of your risk analysis and updates thereof, and who attended training that you provided on HIPAA in general and on these policies and procedures in particular.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. (I promise. I am almost done editing and formatting it for you.) Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy. Also, Jon Tomes is presenting a webinar through complianceiq.com on Thursday, September 12, 2019, at noon CDT on the topic “How to Write and Adopt HIPAA Policies and Procedures.”
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what in order to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.
If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts, especially in dealing with those malicious workforce threats from within your organization.