By Lisa J. Berry-Tayman, senior privacy and information governance advisor, IDT911 Consulting
Medical data is under attack. Both patients and healthcare providers are becoming increasingly aware of the threats to information stored within the industry. And trust in organizations’ ability to protect this highly sensitive data isn’t keeping pace. In a 2014 Ponemon Institute study, among respondents who said their healthcare providers had outlined the measures used to protect patients’ medical records, 68 percent were not confident those measures would actually keep their medical data secure.
Medical records, with information such as names, Social Security numbers, birth dates, addresses, and sometimes even payment data, are becoming a primary target for identity thieves. In addition, sensitive medical information can be valuable for blackmailing individuals or for selling on the underground market. Given the incredibly high value of medical information, some of this cybercrime is perpetrated by employees and others with inside access. With the exceptionally high stakes in healthcare, organizations can use these five flags to help spot malicious insiders.
- Actions out of the ordinary. Every function at a healthcare provider has a baseline of normal operations. When employees begin to act outside those norms, that’s when you should start to pay attention. Is this someone who needs access to the Electronic Health Record system or not? Do they have a legitimate business need to be in specific places within the hospital or clinic setting, or don’t they? It could be chalked up to simply getting lost the first time someone ends up in the wrong area. But if you have an administrative person who’s constantly appearing in the nursing area of a particular medical floor, it should raise suspicion. The same holds true for digital areas of the organization’s network. If a physician is requesting payment information for a patient, he is outside his job function. Once you know what normal looks like for each position, it’s easier to spot inconsistent activities.
- Inappropriate inquisitiveness. Like Oscar Wilde’s musings on the “insatiable curiosity to know everything,” malicious insiders may demonstrate curiosity that extends beyond mere nosiness. They might ask questions outside their job duties, such as someone in payroll querying nurses about where clinical information is stored. Or it could be a doctor who treats adults asking a little too much about someone in pediatrics. And malicious insiders aren’t interested in generalities; they want specifics. Where do you store this data? Do you have a login? How many places can you go to access this application? If it seems like too much, that’s a red flag.
- The invisible person. While an individual may be excessively curious and they may ask a lot of questions about you—what you do, who you are, your work duties, etc.—you will likely know little or nothing about them. They don’t share details about their life, their families or their friends. They may not have personal items on their desk (a particularly important indicator in work environments where that’s outside the norm), or their work space could have a distinctive lack of personal photos or even plants. Malicious insiders might even be hesitant to discuss their own jobs or they might be vague about their work history. These traits should prompt greater scrutiny.
- Open dissatisfaction. Most workers grumble now and then, but truly unhappy workers call for increased attention. Their level of displeasure may vary from somewhere slightly above the garden variety to outright stating they plan to take action against the organization. They may even allude to stealing and selling protected information. And with medical information fetching more money on the black market than credit card data—a recent article gave a figure of $251 per medical record versus only $0.33 for a credit card number—it may take less than ever before to push someone to that level.
In an Infosecurity Europe study, 37 percent of respondents said they would consider turning over corporate data. Ten percent of those indicated it would require that their mortgage be paid off, while 5 percent said that a better job would be enough to make it worthwhile. If you have a dissatisfied employee who’s on the fence, remember that it may not take much to tempt them.
- Strange time off or on. Requests for vacation and sick leave usually make sense. But if an employee begins to develop unusual travel patterns, or requests PTO at odd times, that could be an important indicator. Likewise, when you don’t have any major projects going on, is there an employee who’s still the first person in every day? Are they always the last one to leave? This gives them a lot of time alone. If your team is swamped, then overtime makes sense. But if nothing is going on, this behavior may be downright odd, warranting a closer look.
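The first and fifth flags both come down to comparing activity against a baseline: what records each role normally touches, and when people are normally at work. The script below is an added example, not part of the original article, showing how that check can be run over EHR access audit records. The log format, the role-to-category baseline, the business-hours window and the sample events are all constructed assumptions; a real deployment would derive the baseline from the organization's own role definitions and access history.

```python
"""Role and time-of-day baseline check over constructed EHR audit log lines."""
from collections import Counter
from datetime import datetime

# Assumed baseline: record categories each role has a business need to access.
ROLE_BASELINE = {
    "physician": {"clinical"},
    "nurse": {"clinical"},
    "billing": {"payment", "demographics"},
    "admin": {"demographics"},
}
BUSINESS_HOURS = (7, 19)  # assumed normal window: 07:00 up to 19:00

# Constructed sample audit log: timestamp, user, role, record category, patient id.
# dr_ahmed pulls payment data once (outside a physician's function);
# j_smith, an admin, repeatedly reads clinical records, twice outside hours.
SAMPLE_LOG = """\
2015-03-02T09:12:00 dr_ahmed physician clinical P1001
2015-03-02T09:40:00 dr_ahmed physician payment P1001
2015-03-02T10:05:00 j_smith admin demographics P1002
2015-03-02T10:06:00 j_smith admin clinical P1003
2015-03-02T22:30:00 j_smith admin clinical P1004
2015-03-03T05:45:00 j_smith admin clinical P1005
2015-03-03T11:00:00 m_lee billing payment P1006
"""

def parse_line(line):
    """Split one whitespace-separated audit record into a dict."""
    ts, user, role, category, patient = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "role": role, "category": category, "patient": patient}

def flag_events(log_text):
    """Return (user, reason) pairs for accesses outside the role baseline or business hours."""
    flags = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["category"] not in ROLE_BASELINE.get(ev["role"], set()):
            flags.append((ev["user"], f"{ev['role']} accessed {ev['category']} record {ev['patient']}"))
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            flags.append((ev["user"], f"access at {ev['ts'].isoformat()} outside business hours"))
    return flags

def repeat_offenders(flags, threshold=2):
    """Users with at least `threshold` flags: one slip may be a mistake, a pattern is not."""
    counts = Counter(user for user, _ in flags)
    return sorted(user for user, n in counts.items() if n >= threshold)
```

The threshold mirrors the article's point that a single wrong turn is easily explained, while the same person repeatedly outside their lane is what should draw a closer look.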
About The Author
Lisa Berry-Tayman is senior privacy and information governance advisor for IDT911 Consulting.