The healthcare industry experiences many insider breaches every year, which obliges covered entities and business associates to take steps to reduce these incidents. Approaches to mitigating insider threats fall into four categories:
Educate: teaching the workforce about the allowable uses and disclosures of PHI, patient privacy and data security.
Deter: creating and enforcing policies that reduce insider risks.
Detect: deploying technological solutions that allow rapid detection of breaches and monitoring of access logs.
Investigate: promptly investigating potential privacy and security breaches and taking steps to prevent a recurrence.
The following are ten specific steps for defending against healthcare insider threats:
1. Conduct a background check on individuals before hiring them. Check by asking previous employers, searching online and reviewing social media profiles.
2. Train all healthcare employees as early as possible to understand their responsibilities under HIPAA and the possible consequences of a violation. This training should take place before network or PHI access is granted. Equip employees with the skills and knowledge to identify phishing attempts and other web-based threats. Security awareness training should be assessed and repeated at regular intervals.
3. Implement strong anti-phishing defenses to stop phishing emails from reaching employees’ inboxes. This helps prevent employees from inadvertently handing their login credentials to attackers.
4. Encourage employees to report suspicious behavior and HIPAA Rules violations.
5. Restrict access to data to the few employees who need it, and limit that access to the minimum necessary data. By applying the principle of least privilege, the organization reduces the opportunities for data to be viewed or stolen by employees, or by attackers who have obtained employees’ login credentials.
6. Encrypt PHI on portable electronic devices so that, if a device is stolen, the PHI is not exposed. The loss is then not regarded as a reportable incident and patients’ privacy remains protected.
7. Strictly require employees to use strong passwords, and configure password policies so that weak and commonly used passwords cannot be set.
8. Implement two-factor authentication, which requires both a password and a security token for account access. This is a better way to prevent unauthorized access by outsiders and by employees using another employee’s account.
9. Remove terminated employees’ data and network login access immediately. Delays in doing so have been the cause of many data breaches.
10. Monitor the activity of employees who are given access to sensitive data to do their jobs. HIPAA requires audits of PHI access logs so that inappropriate access to PHI is identified promptly. Activity monitoring software and other tools can help simplify the detection of anomalies in user activity.
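As an added illustration of steps 9 and 10 (example code written for this page, not taken from the article or any vendor tool), the following script reviews a constructed PHI access log and flags the kinds of anomalies an auditor would want surfaced: a user opening far more distinct patient records than is normal for their role, a role with no clinical or billing need touching patient records at all, access outside business hours for an office role, and activity from an account that should already have been disabled. The log format, role limits, business-hours window and sample records are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records (user,role,patient_id,timestamp); not real data.
SAMPLE_LOG = [
    "nurse01,nurse,P1001,2024-03-04T09:12:00",
    "nurse01,nurse,P1002,2024-03-04T09:40:00",
    "admin02,it_admin,P1001,2024-03-04T14:00:00",
    "exuser9,nurse,P3001,2024-03-04T08:00:00",
    "clerk07,billing,P2099,2024-03-04T23:15:00",
] + [f"clerk07,billing,P20{i:02d},2024-03-04T10:{i:02d}:00" for i in range(12)]

# Assumed per-role ceiling on distinct patient records opened per day;
# 0 means the role has no business reason to open patient records at all.
ROLE_DAILY_LIMIT = {"nurse": 15, "billing": 10, "it_admin": 0}
BUSINESS_HOURS_ROLES = {"billing"}   # assumed: flagged outside 06:00-22:00
TERMINATED = {"exuser9"}              # accounts that should already be disabled (step 9)


def parse(line):
    user, role, patient, ts = line.split(",")
    return user, role, patient, datetime.fromisoformat(ts)


def find_anomalies(lines):
    """Return sorted (user, reason) pairs that merit a reviewer's attention."""
    findings = set()
    per_user_day = defaultdict(set)   # (user, role, date) -> distinct patient ids
    for line in lines:
        user, role, patient, when = parse(line)
        if user in TERMINATED:
            findings.add((user, "terminated_account_active"))
        if role in BUSINESS_HOURS_ROLES and not 6 <= when.hour < 22:
            findings.add((user, "off_hours_access"))
        per_user_day[(user, role, when.date())].add(patient)
    for (user, role, _), patients in per_user_day.items():
        limit = ROLE_DAILY_LIMIT.get(role, 0)
        if limit == 0:
            findings.add((user, "role_should_not_access_phi"))
        elif len(patients) > limit:
            findings.add((user, "volume_above_role_baseline"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in find_anomalies(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

In practice the role limits would be derived from each role's observed baseline rather than fixed by hand, and the terminated-account list would come from the HR or identity system so that step 9 and step 10 check each other.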