Is Your Own Staff Your Biggest Cybersecurity Threat?
September 3, 2019
A recent posting by the Office of Civil Rights 2019 OCR Cyber Security Newsletter suggests that the individuals in your organization should not be overlooked when trying to prevent the exposure of your patient’s protected health information. Too often, health care providers and organizations consider their staff to be “trustworthy,” leading organizations to be lax about their security. Anyone who has access to health information has the ability to expose an organization to security threats.“Malicious insiders” do exist and can harm your organization by intentionally leaking information. We have all heard of examples in the news: the employee who accessed the medical records of celebrities for financial gain, using patient information to commit fraud and identity theft; accessing information for their own legal issues. Malicious insiders may copy information to a storage device (hard drive, USB), send it to their personal email, steal/remove equipment, and transmit information in encrypted messages. Have you ever heard of steganography? Look it up if you haven’t.The harm a malicious insider can bring to your organization varies and it usually it not just the loss or disclosure of the data, but other harms such as reputational harm, civil liability, not to mention the federal and state regulatory enforcement responses.OCR cited data from the 2019 edition of Verizon’s Data Breach Investigations Report that reveals 59% of all security incidents and breaches (malicious and those without malice) were from “trusted insiders.” Financial gain was the primary motivator.So how can you identify malicious activity quickly and in time to prevent or mitigate the effects of these actions? The following tips and suggestions are taken directly—word for word—from the OCR’s Newsletter[1]:The where, who, what, and how of safeguarding critical data.An organization should understand where its data is located, the format in which it resides, and where its data flows throughout its enterprise. This knowledge is crucial to conducting an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of an organization’s critical data. Once these risks are understood, policies and procedures can be developed or updated and security measures implemented to reduce these risks to a reasonable and appropriate level. See 45 CFR §§164.308(a)(1)(ii)(A)-(B) (risk analysis and risk management), 164.316 (policies and procedures and documentation requirements).An organization should establish who is permitted to interact with its data and what data those users are permitted to access in determining appropriate access controls. Access controls can take many forms. For example, physical access controls as simple as doors that need keys for opening can limit an unauthorized person’s ability to enter sensitive facilities or locations; network access controls can limit access to networks or specific devices on a network; role based access controls can limit access to certain devices, applications, administrator accounts, or data stores to only a defined group of users. Organizations should leverage their risk analysis when establishing and implementing access controls. See 45 CFR §§164.308(a)(3) (workforce security) and (4) (information access management); 164.310(a) (facility access controls), (a)(2)(iii) (access control and validation), and (c) (workstation security); and 164.312(a) (access control), (d) (person or entity authentication), and (e) (transmission security); 164.316 (policies and procedures and documentation requirements).Another important consideration is how an organization’s users will interact with data. Do the duties of the user’s job require the capability to write, download or modify data or is read-only access sufficient? Do users need to access data from laptops, smart phones, or mobile storage devices (such as thumb drives)? Such devices are more difficult to safeguard and control, especially if they are “personal” devices owned by the user. An organization should consider limiting unnecessary mobile device use and implementing security controls to prevent copying sensitive data to unauthorized external devices. If users are given access to mobile or storage devices, the organization must implement appropriate security controls to safeguard the data when using such devices. See 45 CFR §§164.308(a)(4) (information access management); 164.310(a) (facility access controls), (b) (workstation use), and (d) (device and media controls); 164.312(a) (access control) and (e) (transmission security); and 164.316 (policies and procedures and documentation requirements).Real-time visibility and situational awareness. The migration to cloud computing, increased use of mobile devices, and the adoption of Internet of Things (IoT) technology can greatly reduce an organization’s ability to detect anomalous user behavior or indicators of misuse by either a trusted employee or third party vendor who has access to critical systems and data. To minimize this risk, an organization may employ safeguards that detect suspicious user activities, such as traffic to an unauthorized website or downloading data to an external device (e.g., thumb drive). Maintaining audit controls (e.g., system event logs, application audit logs) and regularly reviewing audit logs, access reports, and security incident tracking reports are important security measures, required by the Security Rule, that can assist in detecting and identifying suspicious activity or unusual patterns of data access. See 45 CFR §§164.308(a)(1)(ii)(D) (information system activity review), and 164.312(b) (audit controls).Security is a Dynamic Process. Good security practices entail continuous awareness, assessment, and action in the face of changing circumstances. The information users can and should be allowed to access may change over time; organizations should recognize this in their policies and procedures and in their implementation of those policies and procedures. For example, if a user is promoted, demoted, or transfers to a different department, a user’s need to access data may change. In such situations, the user’s data access privileges should be re-evaluated and modified to match the new role, if needed. See CFR §164.308(a)(4)(ii)(C) (access establishment and modification). Organizations should be particularly sensitive to the risk of insider threats in cases of involuntary separation. Organizations should have policies and procedures in place to terminate physical and electronic access to data, before any user leaves the organization’s employ. Such actions should include disabling all of the user’s computer and application accounts (including access to remote and administrative accounts if applicable), changing or disabling facility access codes known to the user, and retrieving organization property including keys, mobile devices, electronic media, and other records, etc. See 45 CFR §§164.308(a)(3) (workforce security), (ii)(B) (workforce clearance procedure), (ii)(C) (termination procedures); 164.310(a) (facility access controls); and 164.316 (policies and procedures and documentation requirements).See, U.S. Department of Health & Human Services, Summer 2019 OCR Cybersecurity Newsletter.If you need help implementing appropriate safeguards and strategies that comply with the law, contact Shuttleworth & Ingersoll’s Health Law Group.[1] With the following caveat: “This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in this document will not, in itself, result in any enforcement action.”