News Feature | April 22, 2014

Study: Greatest PHI Threat Comes From Within

By Katie Wike, contributing writer

Internal PHI Threats

Another study cites internal threats as the greatest danger to the security of protected health information

In March, Health IT Outcomes reported 3 out of 4 providers considered their employees a security concern. The 2013 HIMSS Security Survey found the motivation behind most cyber attacks was not financial or medical identity theft, but rather snooping employees. Now, The Insider Threat Security Manifesto released by IS Decisions is echoing that concern.

According to the Manifesto, “More often than not, the greatest risk to any organization comes from within. That unhappy employee or rogue insider who will go to any length to gain access to the organization’s crown jewels, share the sensitive data they get their hands on and even put it to some other unscrupulous use such as insider trading.”

Thirty percent of respondents to the study indicated insider threats were in their top three security priorities. Twelve percent of healthcare budgets are dedicated to security, while in other industries, the budget averages 15 percent.

According to Health IT Security, 30 percent of healthcare employees share their passwords, which leads 42 percent of IT departments to consider ignorant users the top threat. “IT managers’ concerns here are not misdirected; ignorant users are a great security risk. Those that are not aware of the dangers of sharing passwords or other sensitive information are most likely to pass it on to malicious users,” explains the report. Why are these ignorant users sharing passwords? According to the report, 25 percent of the time these employees hand over their password simply because a coworker asked for it.

To neutralize insider threats, the report suggests the following:

  • Limit or prevent concurrent logins
  • Limit working hours or maximum session time
  • Limit users to their own workstation or department
  • Monitor user behavior in real time
  • Recognize and respond to suspicious behavior
  • Deactivate computer access following termination
  • Implement a security policy
  • Clearly document policies
  • Consistently remind users of policies
  • Work closely with HR and other departments
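Several of the technical controls in that list (concurrent logins, working hours and session length, department restrictions, and deactivation after termination) reduce to checks that can be run over ordinary workstation logon/logoff events. The Python below is an added example written for this article, not code from IS Decisions or from the report; the log format, the user/workstation department tables, the working-hours window and the terminated-user set are all constructed assumptions, and the findings it produces are meant to feed a review or alert, not to replace the policy and HR coordination the report also calls for.

```python
"""Flag insider-threat indicators in workstation logon/logoff events.

Added example; the log lines, department tables and thresholds below are
constructed for illustration and do not come from any real product.
"""
from datetime import datetime, time, timedelta

# Constructed sample log: "<ISO timestamp> <LOGON|LOGOFF> <user> <workstation>"
RAW_LOG = """\
2014-04-01T08:02:00 LOGON alice WS-RAD-01
2014-04-01T08:10:00 LOGON bob WS-BIL-03
2014-04-01T08:15:00 LOGON alice WS-BIL-07
2014-04-01T12:00:00 LOGOFF alice WS-RAD-01
2014-04-01T12:05:00 LOGOFF alice WS-BIL-07
2014-04-01T17:00:00 LOGOFF bob WS-BIL-03
2014-04-01T22:30:00 LOGON bob WS-BIL-03
2014-04-02T09:45:00 LOGOFF bob WS-BIL-03
2014-04-02T10:00:00 LOGON carol WS-RAD-02
"""

# Assumed directory data: which department each user and workstation belongs to,
# plus the set of accounts HR has reported as terminated.
USER_DEPT = {"alice": "radiology", "bob": "billing", "carol": "radiology"}
WORKSTATION_DEPT = {
    "WS-RAD-01": "radiology", "WS-RAD-02": "radiology",
    "WS-BIL-03": "billing", "WS-BIL-07": "billing",
}
TERMINATED = {"carol"}

# Assumed policy thresholds: permitted logon window and maximum session length.
WORK_START, WORK_END = time(7, 0), time(19, 0)
MAX_SESSION = timedelta(hours=10)


def parse_log(text):
    """Parse the constructed log format into (timestamp, action, user, ws) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, ws = line.split()
        events.append((datetime.fromisoformat(ts), action, user, ws))
    events.sort(key=lambda e: e[0])  # process in time order
    return events


def detect(events):
    """Return (user, rule, detail) findings for the controls named in the report."""
    findings = []
    open_sessions = {}  # (user, workstation) -> logon time

    for ts, action, user, ws in events:
        if action == "LOGON":
            # Deactivate computer access following termination
            if user in TERMINATED:
                findings.append((user, "terminated_account", ws))
            # Limit or prevent concurrent logins
            active = [w for (u, w) in open_sessions if u == user]
            if active:
                findings.append((user, "concurrent_login",
                                 f"{ws} while still on {','.join(active)}"))
            # Limit working hours
            if not (WORK_START <= ts.time() <= WORK_END):
                findings.append((user, "out_of_hours", ts.isoformat()))
            # Limit users to their own workstation or department
            if WORKSTATION_DEPT.get(ws) != USER_DEPT.get(user):
                findings.append((user, "foreign_department", ws))
            open_sessions[(user, ws)] = ts
        elif action == "LOGOFF":
            # Limit maximum session time
            start = open_sessions.pop((user, ws), None)
            if start is not None and ts - start > MAX_SESSION:
                findings.append((user, "session_too_long", str(ts - start)))
    return findings


def run():
    return detect(parse_log(RAW_LOG))


if __name__ == "__main__":
    for user, rule, detail in run():
        print(f"{user:6} {rule:18} {detail}")
```

On the constructed log this yields five findings: alice's second logon is both a concurrent login and a logon in another department's area, bob's evening logon is out of hours and his overnight session exceeds the maximum, and carol's account is still logging on after termination. A real deployment would source the directory tables from HR and the identity system rather than literals, and the concurrent-login rule would more likely deny the second logon than merely record it.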

“Nearly nine out of 10 (86 percent) of IT professionals told us they did not realize that technology could help solve insider threats, so they seem to understand it as more of a cultural and organizational issue. Which it is, but technology can certainly help mitigate the risks; an optimum strategy should approach the issue from both angles,” concluded the report.