The Rx For Healthcare Security: 5 Ways To Mitigate Insider Threats
By Isaac Kohen, founder and CEO, Teramind
When it comes to data breaches, the threat very often comes from within your organization:
- A Wall Street Journal article reported that out of 450 data breaches at hospitals, health insurers, and other healthcare-related service providers who house sensitive patient information, 192 were blamed on insiders.
- In the first nine months of 2017, unintended disclosure accounted for 41 percent of data breach incidents reported by healthcare-organization clients. Examples of unintended disclosure included an email containing protected health information (PHI) sent to the wrong recipient, discharge instructions given to the wrong patient, or a server containing PHI accidentally left open to the public.
These insiders may be negligent employees who prioritize speed over security, succumb to curiosity, or fall for email phishing scams. Insiders can also be malicious, selling PHI for money or to ‘get back’ at an institution. Regardless of the motive, the insider is often the weakest point within even the most robust security plan.
However, there are several things you can do to make employees security conscious and to reduce both the likelihood and the impact of an insider attack.
Develop An HR-IT Partnership
The human resources team should work closely with IT to watch for instances of suspicious behavior. Some descriptors of insiders at risk of becoming a threat are greed or financial need, unexplained financial gain, compulsive and destructive behavior, ethical "flexibility", and reduced loyalty. HR is likely to get the first indication of suspicious behavior and can alert IT to the need for increased online monitoring. Any monitoring escalated this way should follow a written policy, be scoped to the concern that triggered it, and involve legal or compliance before it starts.
Put Special Emphasis On Onboarding And Offboarding
Onboarding, beginning at the hiring phase, provides opportunities to properly screen and vet candidates and to ingrain safe data practices from day one. Offboarding procedures should include steps to ensure that HR notifies IT so that access to applications, remote access, and facilities is revoked no later than the employee's last day, and that IT confirms the revocation actually happened rather than assuming it did.
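The confirmation step above is easy to state and easy to skip. The following added example (not code from the article or from Teramind) shows one way to verify it: reconcile an HR termination feed against an identity-provider account export and report accounts that are still enabled after the termination date, accounts that logged in after that date, and accounts HR has no record of at all. Both CSV layouts, the usernames, and the dates are constructed assumptions for the example.

```python
"""Reconcile an HR termination list against an identity-provider (IdP)
account export to find accounts that should already have been disabled.

Added example. The two CSV formats below are assumptions for illustration,
not the export format of any particular HR or IdP product.
"""
import csv
import io
from datetime import date, datetime

# Constructed HR feed: who has left and when (empty date = still employed).
HR_CSV = """\
username,termination_date
jdoe,2024-02-28
asmith,2024-03-15
clee,
"""

# Constructed IdP export: account state and last successful login.
IDP_CSV = """\
username,enabled,last_login
jdoe,true,2024-03-02T08:15:00Z
asmith,false,2024-03-14T17:02:00Z
clee,true,2024-03-04T09:00:00Z
svc-backup,true,2024-03-04T01:00:00Z
"""


def load_rows(text):
    """Parse a CSV document with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, idp_text, today):
    """Return (username, finding) tuples for every offboarding gap found.

    stale_enabled:          termination date has passed, account still enabled
    post_termination_login: a login succeeded after the termination date
    no_hr_record:           account exists in the IdP but HR does not know it
    """
    terminated = {}
    hr_users = set()
    for row in load_rows(hr_text):
        hr_users.add(row["username"])
        if row["termination_date"]:
            terminated[row["username"]] = date.fromisoformat(row["termination_date"])

    findings = []
    for acct in load_rows(idp_text):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        if user not in hr_users:
            # Service or orphaned accounts need an owner; flag them regardless.
            findings.append((user, "no_hr_record"))
            continue
        left = terminated.get(user)
        if left is None or left > today:
            continue  # still employed, or termination is in the future
        if enabled:
            findings.append((user, "stale_enabled"))
        if acct["last_login"]:
            last = datetime.strptime(acct["last_login"], "%Y-%m-%dT%H:%M:%SZ").date()
            if last > left:
                findings.append((user, "post_termination_login"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_CSV, IDP_CSV, date(2024, 3, 4)):
        print(f"{finding:24} {user}")
```

Run on a schedule, this turns "HR notifies IT" from a hope into a checked control: a `stale_enabled` finding means the notification or the revocation failed, and a `post_termination_login` finding is an incident to investigate, not a ticket to close.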
Deliver Initial And Ongoing Security Awareness Training
This training must be mandatory for everyone in a hospital or physician practice who has access to data, and it must go beyond dry PowerPoint presentations in order to be effective. Phishing simulations, gamification, bite-sized learning, and rich e-learning courses do a better job of gaining attention and ensuring retention. Education sessions can also be used to share the characteristics of malicious insiders so fellow employees know what concerns to raise to management. Here are some innovative and impactful approaches to security education:
- UC Irvine Health runs social engineering mock tests where the help desk calls someone in the organization and asks for his or her user ID and password. These tests resulted in departments warning others about the caller and heightened the overall engagement of users in the security process.
- Marin General delivers training that includes games and rewards, coupled with education about the real cost of a breach. The Marin IT team also partnered with marketing to create ads for a bug bounty program called Security Sleuths. The program rewards staff members who report phishing emails or concerns to the IT team. Marin now has a click rate of less than 0.5 percent on malicious emails, down from 63 percent just one year earlier.
- Beaumont Health Systems delivers security training in bite-sized chunks: 10-minute interactive sessions in a gamified style.
Conduct A Threat-Response Simulation With Senior Leaders
Today, it is a matter of when, not if, you will encounter a breach. Develop and conduct a threat-response simulation with your leadership team. Such a simulation helps to ensure that leadership is prepared to respond to a data leak with prompt actions to close the leak, inform those impacted, report to the appropriate agencies, and document lessons learned. For a HIPAA covered entity the Breach Notification Rule sets the clock: affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, so the simulation should rehearse the decisions that have to be made inside that window.
Use Online Monitoring Software To Listen For And Alert On Breaches
Such monitoring technology logs access to PHI and alerts IT staff to suspicious behavior such as data leaving the organization via email, USB devices, or cloud services, or a single user viewing far more patient records than their role requires. Prompt attention to such activity limits the damage and allows for rapid notification of affected parties. Tune the rules to your environment: sanctioned cloud services and internal email domains should not fire alerts, or staff will learn to ignore them.
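To make the alerting concrete, here is an added example (not the article's or Teramind's code) that runs a small rule set over constructed activity-log lines: an attachment emailed to an external domain, any write to a USB device, an upload to a cloud service that is not on the sanctioned list, and one user viewing more patient records than a threshold. The log format, the domain and service lists, the threshold, and every username and filename are assumptions made up for the example.

```python
"""Flag possible PHI exfiltration in activity-log lines.

Added example. The log format and the rules below are assumptions for
illustration, not the format or rule set of any specific monitoring product.

Rules:
  * email_send to an address outside INTERNAL_DOMAINS that carries an attachment
  * any usb_write
  * cloud_upload to a service not in SANCTIONED_CLOUD
  * more than BULK_VIEW_THRESHOLD record_view events by one user in the log
"""
import re
from collections import Counter

INTERNAL_DOMAINS = {"hospital.example"}   # assumption: the organization's own mail domain
SANCTIONED_CLOUD = {"onedrive"}           # assumption: the approved cloud service
BULK_VIEW_THRESHOLD = 3                   # assumption, set low so the sample trips it

# Constructed sample log; not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=jdoe action=email_send to=friend@gmail.com attachment=patients_q1.csv size=2400000
2024-03-04T09:13:30Z user=asmith action=email_send to=colleague@hospital.example attachment=schedule.pdf size=120000
2024-03-04T09:15:44Z user=jdoe action=usb_write device=SanDisk file=patients_q1.csv size=2400000
2024-03-04T09:40:00Z user=bwong action=cloud_upload service=onedrive file=report.docx size=300000
2024-03-04T10:01:00Z user=jdoe action=cloud_upload service=dropbox file=exports.zip size=51000000
2024-03-04T10:10:00Z user=clee action=record_view patient_id=P001
2024-03-04T10:10:05Z user=clee action=record_view patient_id=P002
2024-03-04T10:10:09Z user=clee action=record_view patient_id=P003
2024-03-04T10:10:12Z user=clee action=record_view patient_id=P004
2024-03-04T10:30:00Z user=asmith action=email_send to=ops@hospital.example
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(KV_RE.findall(rest))
    return event


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def detect(log_text):
    """Return a list of (rule, user, detail) alerts for the whole log."""
    alerts = []
    views = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, action = ev.get("user", "?"), ev.get("action", "")
        if (action == "email_send" and "attachment" in ev
                and domain_of(ev.get("to", "")) not in INTERNAL_DOMAINS):
            alerts.append(("external_email_attachment", user, ev["to"]))
        elif action == "usb_write":
            alerts.append(("usb_write", user, ev.get("file", "")))
        elif action == "cloud_upload" and ev.get("service") not in SANCTIONED_CLOUD:
            alerts.append(("unsanctioned_cloud_upload", user, ev.get("service", "")))
        elif action == "record_view":
            views[user] += 1
    # Bulk-access check runs after the pass so it sees the whole log.
    for user, n in views.items():
        if n > BULK_VIEW_THRESHOLD:
            alerts.append(("bulk_record_access", user, f"{n} records"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule:26} user={user:8} {detail}")
```

Note what does not fire: the attachment sent to a colleague at the internal domain, the upload to the sanctioned service, and the external email with no attachment. Those allow-list decisions are where most of the tuning effort goes in practice, and the bulk-view threshold should be set per role from observed baselines rather than a single number for the whole organization.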
Finally, remember you’re not alone in the effort around data security. Harness the wisdom of your peers. Resources such as the National Health Information Sharing and Analysis Center, the CDC/Department of Health and Human Services cyber discussion guide, and the Healthcare Information and Management Systems Society (HIMSS) Healthcare Cybersecurity Community can help you stay informed and prepared.
About the Author
Isaac Kohen is the founder and CEO of Teramind, an employee monitoring and insider threat prevention platform that detects, records, and prevents malicious user behavior in addition to helping teams drive productivity and efficiency. Isaac can be reached at ikohen@teramind.co.