According to Verizon's Protected Health Information Data Breach Report, 58% of healthcare data breaches are caused by insiders. The core problem is detection: an estimated 75% of insider threats go unnoticed. For instance, an employee at a Massachusetts hospital accessed patient records without authorization for 14 years; by the time he was discovered, he had already viewed the records of more than 1,000 patients.
Insider threats come from within an organization. They are individuals who are authorized to access healthcare resources such as EMRs, email accounts, the healthcare network and files containing PHI. Sometimes these resources are accessed with malicious intent, and sometimes the misuse is accidental; both can harm the organization, its patients and its employees. Insider threats are not limited to employees. Business associates, subcontractors of business associates, former employees, volunteers and researchers who are given access to healthcare resources to complete a specific task can all become insider threats, and their access should be scoped and revoked on the same footing as an employee's.
Insider breaches found to have violated the HIPAA rules and patient privacy can draw heavy fines. They can also damage the organization's reputation, erode patient confidence and lead to lawsuits. By the figures the report cites, an insider breach costs roughly twice as much as a breach caused by an external threat.
There are two categories of insider threats: malicious and non-malicious.
Malicious insider threats involve deliberate attempts to harm the healthcare organization, its patients, its employees or other individuals. Theft of PHI, theft of intellectual property, theft of data to sell to a new employer, and sabotage are examples. Verizon's research shows that 48% of insider breaches are motivated by financial gain. A 2018 Accenture survey reports that one in five healthcare employees would be willing to steal and sell confidential data at the right price; 18% of the 912 surveyed employees said they would do it for $500 to $1,000. More alarming still, 24% of respondents knew someone who had sold stolen data or login credentials to unauthorized outsiders. Terminated or disgruntled employees may also sabotage IT systems or steal data, which is why access must be revoked at the moment of termination rather than afterwards.
Non-malicious insider threats include snooping on medical records, accidental loss or disclosure of sensitive information, sharing of login credentials and responding to phishing messages. Snooping on medical records is very common: employees may be tempted to look at the records of a celebrity, a friend or a family member who has been admitted to the hospital, even though they have no treatment relationship with that patient.
The largest healthcare data breach in history, the theft of the records of 78 million people from Anthem Inc., was possible because of stolen login credentials. Many breaches each year are caused by non-malicious insiders: emailing PHI to the wrong recipient, misdirecting a fax, or leaving an unattended portable device holding ePHI where it can be stolen. The Department of Health and Human Services' Office for Civil Rights breach portal lists many breaches that trace back to stolen laptops, smartphones and portable hard drives.
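The snooping described above, and the bulk record pulls that a stolen credential enables, are usually caught by reviewing EMR access-audit logs rather than by any network control. The following is an added example of that review logic, not code from the original article or from any EMR vendor. The audit-log format, the field names, the care-team assignment table, the VIP flag and the per-day access limit are all assumptions constructed for the example; a real deployment would read them from the EMR's audit export, the ADT/scheduling system and the privacy office's policy.

```python
"""Flag suspicious EMR record accesses in an audit log (added example).

Three rules a privacy team typically runs over EMR audit exports:
  1. access to a VIP-flagged patient record,
  2. access by a user with no treatment relationship to the patient,
  3. an unusual number of distinct patients viewed by one user in a day,
     which is what a stolen credential used for bulk theft looks like.
Log format, field names and thresholds here are hypothetical.
"""
import csv
import io
from collections import defaultdict
from typing import Iterable, NamedTuple


class Access(NamedTuple):
    ts: str        # ISO-8601 timestamp, e.g. 2024-03-01T08:02:11
    user: str
    role: str
    patient: str
    action: str


class Finding(NamedTuple):
    user: str
    patient: str   # "*" for findings about the user as a whole
    reason: str


# Constructed sample audit log (hypothetical CSV export):
# timestamp,user_id,role,patient_id,action
AUDIT_LOG = """\
2024-03-01T08:02:11,nurse17,nurse,P1001,view
2024-03-01T08:05:43,nurse17,nurse,P1002,view
2024-03-01T08:40:02,nurse17,nurse,P1003,view
2024-03-01T09:12:55,clerk04,billing,P2001,view
2024-03-01T09:13:10,clerk04,billing,P2002,view
2024-03-01T12:31:07,clerk04,billing,P9001,view
2024-03-01T12:31:40,clerk04,billing,P1001,view
2024-03-01T12:32:02,clerk04,billing,P1002,view
2024-03-01T12:32:30,clerk04,billing,P1003,view
2024-03-01T12:33:11,clerk04,billing,P1004,view
"""

# Constructed treatment-relationship table: which patients each user is
# assigned to (in practice derived from the ADT, scheduling or billing queue).
CARE_TEAM = {
    "nurse17": {"P1001", "P1002", "P1003"},
    "clerk04": {"P2001", "P2002"},
}

# Constructed VIP list: records the privacy office wants every access reviewed on.
VIP_PATIENTS = {"P9001"}


def parse_log(text: str) -> list[Access]:
    """Parse the CSV audit export into Access records, skipping blank lines."""
    return [Access(*row) for row in csv.reader(io.StringIO(text)) if row]


def find_suspicious(
    accesses: Iterable[Access],
    care_team: dict[str, set[str]],
    vip_patients: set[str],
    daily_limit: int = 20,
) -> list[Finding]:
    """Apply the three rules and return de-duplicated, sorted findings."""
    findings: set[Finding] = set()
    patients_per_user_day: dict[tuple[str, str], set[str]] = defaultdict(set)

    for a in accesses:
        if a.patient in vip_patients:
            findings.add(Finding(a.user, a.patient, "vip_record_access"))
        if a.patient not in care_team.get(a.user, set()):
            findings.add(Finding(a.user, a.patient, "no_treatment_relationship"))
        # Group by calendar day (first 10 chars of the ISO timestamp).
        patients_per_user_day[(a.user, a.ts[:10])].add(a.patient)

    for (user, _day), patients in patients_per_user_day.items():
        if len(patients) > daily_limit:
            findings.add(Finding(user, "*", "volume_anomaly"))

    return sorted(findings)


if __name__ == "__main__":
    for f in find_suspicious(parse_log(AUDIT_LOG), CARE_TEAM, VIP_PATIENTS, daily_limit=5):
        print(f"{f.user:8} {f.patient:6} {f.reason}")
```

With the constructed log, nurse17 produces no findings because every record viewed is on the assigned list, while clerk04 trips all three rules: a view of the VIP record P9001, views of four patients outside the billing queue, and more distinct patients in one day than the (deliberately low) limit allows. The treatment-relationship rule is the one that matters most in practice; the volume rule is a coarse backstop, and its threshold should be set per role from historical baselines rather than the fixed number used here.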