One of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) pillars is protection against external threats. Many of its considerations concern cybercriminals seeking to attack your company from a position outside your perimeter. But too often these attacks happen from within healthcare companies. Healthcare data security must prioritize internal threats too.
Top Internal Healthcare Data Security Challenges
One challenge plaguing healthcare businesses in 2021 and beyond is the extent to which threats assumed to be exterior are interior. We’ll break down everything you need to know about solving internal patient data privacy issues, including:
- A breakdown of the most significant internal healthcare data management challenges and risks
- A detailed guide to how compliance can simplify patient data security risk management
Biggest Internal Threats to Patient Data Privacy
Internal threats have traditionally plagued healthcare more than external ones. As recently as 2018, a whopping 58 percent of attacks in healthcare were internal. However, this has changed slightly in recent years. Per Verizon’s Data Breach Investigations Report (DBIR), in 2021, internal threats are not the most common in healthcare.
Despite not being the most prevalent of attacks, they’re still incredibly dangerous because of the nature of data they target. Covered entities who need to be HIPAA compliant harbor a vast amount of protected health information (PHI). Attackers who seize PHI can victimize both patients and providers, and it can be significantly easier for an attacker who’s already inside the organization to take control of PHI.
Illusory Insiders, or Threat Actors Posing as Staff
The first internal healthcare data security challenge stops external attackers who infiltrate systems by disguising themselves as insiders.
The methods attackers use to gain unauthorized internal access include but are not limited to:
- Guessing logins using generic passcodes or through data on users (birthdays, etc.).
- Cracking passwords or employing software to exhaust endless possible combinations.
- Stealing credentials directly through hacking or interception of physical mail or email.
Using a rigorous identity and access management program to shore up your defenses against these would-be attackers can help strengthen login security and provide extra layers of protection beyond user credentials.
Disgruntled Employees or Third-Party Contractors
The subsequent significant threat to patient data in security risk management comes from bona fide internal attackers: individuals who are genuinely part of a company’s interior and yet turn against the company due to a dispute. In most cases, these are current or former employees who may feel the company has wronged them. They may have been fired or demoted or not given something they thought they deserved. These individuals may work with other outside attackers or launch an attack themselves.
Monitoring the behaviors and attitudes of all staff and recently dismissed employees is one step toward preventing these issues. But insider threats may also extend out across your network of third parties, such as vendors and contractors. Third-party risk management (TPRM) is critical to identifying these threats before they actualize into events.
Risky Behavior From Personnel and Risks of Work From Home
The third internal challenge facing healthcare organizations—and likely the most critical one moving forward—involves employees’ lack of procedural knowledge or follow-through and the vulnerabilities of their home or remote networks. On one level, good-faith mistakes and misunderstandings made by staff can be dangerous regardless of their intent. On the other, some staff may decide to neglect some individual rules or protocols they find unnecessary. In either case, all stakeholders may suffer the consequences.
On another level, even well-meaning staff may work from a remote environment that is uniquely dangerous. For example, an employee who follows all rules and avoids risky behavior may still live with another individual who uses their devices in unsafe ways, with or without their knowledge.
HIPAA Compliance and Internal Risk Mitigation
The direct losses from internal attacks aren’t the only costs they incur. Companies that fail to catch internal threats early enough may also fall into non-compliance. This failure can result in civil monetary penalties of up to $1.7 million annually, per the Enforcement Rule. The Department of Health and Human Services (HHS) works with the Department of Justice (DoJ) to enforce criminal penalties in the worst cases.
Avoiding these penalties, along with all other potential risks of cybercrime, requires following HIPAA’s Privacy Rule and Security Rule. If an internal or external attack does occur, companies need to report it per the specifications in the Breach Notification Rule. Let’s take a look at each.
The HIPAA Privacy Rule: Defining a Safe Interior
The Privacy Rule defines the basic conditions under which PHI can be used or disclosed by all internal or external parties. Its primary distinctions, per HHS’s Privacy Rule Summary, include:
- Permitted uses and disclosures – Covered entities must limit all access to and use or disclosure of PHI unless it: is requested by the subject; is to the subject; is for healthcare operations; occurs after an opportunity for the subject’s rejection; is incidental to other uses; is undertaken in the public interest or benefit, or is of a limited set for approved research.
- Minimum necessary principle – Covered entities must ensure that all disclosures, except required ones (to the subject or government), meet minimum necessary criteria.
Optimizing these controls for internal threats requires visibility and scanning for all personnel and third parties with access. The Security Rule adds safeguards to extend the Privacy Rule’s reach.
The HIPAA Security Rule: Safeguarding the Interior
The Security Rule ensures confidentiality, integrity, and availability of electronic PHI (ePHI) with risk analysis and safeguards to be implemented. Per HHS’s Security Rule Summary, these are:
- Administrative safeguards, such as establishing top-level security management processes and personnel, along with procedures for monitoring access to ePHI, training the workforce on required behaviors, and assessing the efficacy of all security measures.
- Physical safeguards to restrict physical and proximal access to the specific endpoints on which ePHI is stored or processed and to the general vicinity in which they’re located.
- Technical safeguards, software and programmatic controls for access to ePHI, audits and audit logging, monitoring for changes or deletions to ePHI, and transmission safety.
These rules apply across all internal and external parties and are potentially optimized for internal challenges by tailoring the administrative safeguards to your company’s particular needs.
HIPAA Breach Notification: Reporting Internal Events
Finally, the HIPAA framework requires swift reporting on any breach of the above two rules by internal or external parties. Specifically, three notices may be required:
- Notice to the parties impacted by the data breach within 60 days of breach discovery.
- Notice to the HHS Secretary within 60 days if 500 or more people are impacted by it.
- Notice to local media outlets if 500 or more people within a defined area are impacted.
Internal threats can make these rules harder to follow, as determining the exact date of the breach and breach discovery can be more challenging for a threat that’s undetectable inside the company. The HIPAA advisory services RSI Security offers simplify this and all the challenges detailed above.
Prevent Internal Security Threats Professionally
To recap from above, the top challenges to healthcare data security involve external attackers masquerading as insiders, actual attackers from within, internal workers, and other parties whose negligence leads to security breaches. HIPAA compliance is just the first step in prevention. Contact RSI Security today to see how powerful your interior cyber defenses can be!
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.