The thought of a data breach often brings images of Hollywood-style hackers or lost laptops. Most would never think of a trusted coworker as a malicious perpetrator of a data breach. To the contrary, data breaches often can be and are “inside jobs” committed by employees with authorized access to protected health information (PHI).
Such was the case with a group of Texas pediatric clinics where one clinic employee was recently found to have taken business documents home from the office and not returned them. The employee also logged in to patient records, then provided screenshots of those records to a disgruntled ex-employee. As you can surmise, the records contained protected health information such as patient names, birth dates, diagnoses, and treatments.
This insider breach potentially affected 16,000 patients and triggered costly incident response and mitigation actions, the need for legal counsel, and mandatory notification to Health and Human Services (HHS) as required by HIPAA breach notification rules.
Insider threats like these are very difficult to detect and often go unnoticed for long periods of time. They can be even harder for smaller practices and providers to uncover because staffing is stretched thin and employees must take on a number of roles, requiring access that often violates separation-of-responsibility requirements. To make things even more challenging, our natural human tendency is to trust one another, especially our coworkers.
Such was the case in the Texas clinics. The employee who perpetrated the breach was trusted and authorized to access patient information and had undergone HIPAA training. However, by forwarding sensitive information to a third party (the disgruntled ex-employee), such access became unauthorized, leading to a breach of PHI.
The lesson here is that relying solely on compliance activities to detect insider threats is an inadequate solution. (Obviously, compliance activities did not catch this Texas clinic employee). So what’s the solution?
Before offering preventive measures, it’s important to reemphasize what an insider threat is. An insider threat is a malicious threat to an organization that comes from people within the organization. This can include employees, former employees, and contractors or business associates who have inside information concerning the organization's security practices, data, and computer systems, along with authorized access (and sometimes elevated access) to PHI and other privileged information.
Here are eight preventive measures in addition to compliance that will help deter and reduce insider threats.
1. Implement separation of responsibilities.
This is an absolute, fundamental component of internal control. When an employee or a group of employees (an opportunity for collusion) is placed in a position to both perpetrate and conceal fraud in the normal course of their duties, it’s like putting the fox in charge of the henhouse.
2. Implement “role-based access.”
Basically, the more an employee has access to, the higher the risk of inappropriate access, and the harder it is to manage minimum necessary access. Create roles based on position responsibilities with no more access than what is needed to perform assigned duties. Some adaptations may be needed, but such adaptations should never be the norm, nor should they be granted without some type of risk analysis to understand and validate the need as well as assess risk.
3. Execute a quick removal of access when warranted.
Any time employees leave or simply change positions in your organization, make sure their access privileges cease or change also. Strive to avoid inappropriate or excessive access.
4. Periodically monitor behaviors, conduct random audits, and promote these practices.
Some employees who engage in dishonest and illegal activity can do it all within the parameters of their access. That’s why it’s important to monitor behaviors or randomly audit the patterns of their access to uncover irregularities that might signal inappropriate activity. And simply promoting the random-audit policy can be a further deterrent. When employees know that their access can be reviewed at any time, it adds another layer of dissuasion.
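The three controls above (role-based “minimum necessary” access, prompt removal of access when someone leaves, and random or pattern-based auditing of access) can be checked mechanically against an access log. The script below is an added example written for this article, not code from the clinics or any product; the users, roles, patient ids and log lines are constructed for illustration, and the thresholds are assumptions a practice would tune to its own baseline.

```python
"""Audit constructed PHI access-log records against role, assignment,
termination date and access-volume baselines. Added example; all data
below is constructed and does not describe any real organization."""
import random
import statistics
from collections import Counter
from datetime import date, datetime

# Role-based access: which actions each role may perform on patient records
# (assumed roles and actions, not a real product's permission model).
ROLE_PERMISSIONS = {
    "nurse": {"view"},
    "billing": {"view_billing"},
    "physician": {"view", "update"},
}

# Workforce directory (constructed): role, assigned patients (None = all
# patients, e.g. a treating physician) and termination date (None = active).
WORKFORCE = {
    "jdoe": {"role": "nurse", "patients": {"P100", "P101", "P102"}, "terminated": None},
    "asmith": {"role": "physician", "patients": None, "terminated": None},
    "bjones": {"role": "billing", "patients": {"P100"}, "terminated": "2024-03-01"},
}

# Constructed access-log lines in the form timestamp|user|action|patient_id.
ACCESS_LOG = """\
2024-03-04T09:01:00|jdoe|view|P100
2024-03-04T09:05:00|jdoe|view|P101
2024-03-04T09:07:00|jdoe|view|P205
2024-03-04T09:08:00|jdoe|view|P206
2024-03-04T09:09:00|jdoe|view|P207
2024-03-04T09:10:00|jdoe|view|P208
2024-03-04T09:11:00|jdoe|view|P209
2024-03-04T09:12:00|jdoe|update|P102
2024-03-04T10:00:00|asmith|update|P300
2024-03-04T10:05:00|asmith|view|P301
2024-03-04T11:30:00|bjones|view_billing|P100
"""


def parse_log(text):
    """Turn the pipe-delimited log text into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, action, patient = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return records


def audit(records, workforce=WORKFORCE, perms=ROLE_PERMISSIONS, volume_factor=3):
    """Return (user, finding_type, detail) tuples for every irregularity.

    Per-record checks: access after the termination date, an action the
    user's role does not permit, and a patient outside the user's
    assignment. Per-user check: total accesses more than volume_factor
    times the median across users in the window (assumed threshold)."""
    findings = []
    for r in records:
        person = workforce.get(r["user"])
        if person is None:
            findings.append((r["user"], "unknown_user", r["patient"]))
            continue
        if person["terminated"] and r["ts"].date() >= date.fromisoformat(person["terminated"]):
            findings.append((r["user"], "access_after_termination", r["patient"]))
        if r["action"] not in perms[person["role"]]:
            findings.append((r["user"], "action_outside_role", r["patient"]))
        if person["patients"] is not None and r["patient"] not in person["patients"]:
            findings.append((r["user"], "patient_not_assigned", r["patient"]))
    counts = Counter(r["user"] for r in records)
    median = statistics.median(counts.values())
    for user, n in counts.items():
        if n > volume_factor * median:
            findings.append((user, "access_volume_anomaly",
                             f"{n} accesses vs median {median:g}"))
    return findings


def summarize(findings):
    """Count findings per (user, finding_type) so a reviewer sees the pattern."""
    return Counter((user, kind) for user, kind, _ in findings)


def sample_users_for_audit(workforce=WORKFORCE, k=2, seed=None):
    """Pick k users at random for a spot check of their access history."""
    return sorted(random.Random(seed).sample(sorted(workforce), k))


if __name__ == "__main__":
    for user, kind, detail in audit(parse_log(ACCESS_LOG)):
        print(f"{user:8} {kind:26} {detail}")
    print("random audit this week:", sample_users_for_audit(seed=7))
```

Run against the constructed log, the nurse who viewed five unassigned patients and attempted an update is surfaced both by the per-record rules and by the volume check, and the former billing employee's access after the termination date shows that a deprovisioning step was missed. The seeded random sample only illustrates the selection; a real random audit would draw from the live workforce list each cycle.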
5. Consider technology tools.
Data loss prevention (DLP) software can not only monitor activity, but restrict it as well. DLP can control what data employees can copy, transmit to outside entities/accounts, download to portable media and other computing devices, or upload to websites. Keep in mind that technology is only a tool and needs to be used in conjunction with employee education, training, and awareness; formal policy; and other manual security-related activities.
6. Be observant of behaviors and listen to language.
Managers in particular can learn to recognize warning signs such as life changes that might motivate someone to do something he or she wouldn’t ordinarily do. When a friend and coworker has been fired, for instance, those left behind may feel sympathetic toward the former employee and want to help out, or they may feel angry and spiteful toward the organization. Either emotional response can trigger a “rationalization” to commit fraud or breach data. Managers should strive to know their employees and tune in to any employee who begins acting out of character.
7. Set the tone from the top and ensure a strong policy framework.
Your organization should have well-documented policies in place, reinforced by leadership. They should include acceptable use, personal device use, and social media use policies.
8. Offer education, training, and awareness—ongoing and frequently!
Having policies won’t help if employees aren’t familiar with or don’t remember what’s contained in them. Therefore, training is a crucial line of defense against insider threat. Education, training, and awareness set expectations and reinforce the right behaviors. Likewise, expecting employees to properly identify misdeeds, fraud, and potential breaches can’t occur if they don’t know what to look for. Insider threat vigilance includes repeatedly reminding employees of what’s acceptable and what’s not.
The simple act of continued training and ongoing awareness, beyond orientation or annual training sessions, can be your best defense.