HIPAA compliance to protect patient health information (PHI) on physical or electronic media is essential for healthcare organizations. Failing to comply with HIPAA threatens an organization's finances, through potentially heavy fines (ranging from $100,000 to $16,000,000 in total per entity, depending on the nature and gravity of the violation), and its reputation, through the broken trust of patients who feel that their information may be in danger.
Failures to comply with HIPAA can be classified as typical data breach incidents, since they involve confidential data being exposed accidentally or maliciously by internal or external actors. However, HIPAA violations show a distinct characteristic in their causes: insider breaches are a major problem in healthcare, yet many of them go undetected. According to the Protected Health Information Data Breach Report by Verizon, 58% of incidents involved insiders; healthcare is the only industry in which internal actors are the biggest threat to an organization.
Insiders in healthcare are individuals authorized to access healthcare resources, including electronic medical records, networks, email accounts, or documents containing PHI. Unfortunately, some healthcare insiders are known to be unaware of the HIPAA rules and of the repercussions for breaching them. A healthcare survey by Veriphyr, a HIPAA compliance solution developer, found that 35% of healthcare “insiders” had snooped into the medical records of fellow employees, and 27% had accessed the medical records of family and friends. Here are some eye-opening, insider-involved HIPAA violations that caused organizations considerable damage.
- A health organization was fined $3,000,000 for making files containing ePHI accessible over the internet without a username or password after it accidentally removed the protection on its servers. The ePHI of 62,500 patients was exposed.
- A private dermatology clinic group was fined $150,000 and required to implement a corrective action plan for losing an unencrypted USB drive that contained ePHI.
- A cardiology group paid a $100,000 settlement for disclosing patients' surgical and clinical appointments on a cloud-based, internet-accessible calendar.
- A surgeon at the UCLA School of Medicine was sentenced to 4 months in prison and fined $2,000 after he illegally accessed the medical records system over 300 times, viewing the ePHI of his colleagues and of high-profile celebrities.
These cases show that insider-caused HIPAA violations happen under organizations' noses, without anyone suspecting. In the Verizon report's review of 306 healthcare data breaches shown to be caused by insiders, 48% were financially motivated and 31% were motivated by fun or curiosity. Interestingly, another 10% were motivated by convenience: when insiders do something that makes it easier to get their work done, it also carries the possibility of putting confidential ePHI at risk.
To prevent these insider-caused violations, organizations follow the three safeguards of the HIPAA Security Rule: administrative, physical, and technological. Among the three, technological safeguards are considered the most difficult to implement, so organizations tend to focus on the administrative and physical safeguards instead, for the reasons below.
- For healthcare staff, protecting ePHI and other HIPAA-related concerns are not as important as their daily routine, so they may make unethical or careless choices that lead to HIPAA violations.
- IT security gaps in healthcare are difficult to close because of the complex mix of old and new: large volumes of accumulated data, legacy medical or information-processing systems, and newly adopted modern technologies.
- Following all three safeguards is expensive, and not all organizations can cover the costs, especially smaller local clinics and other healthcare businesses. Such organizations may therefore opt to prioritize educating and training staff about HIPAA and ePHI protection.
Common administrative and physical safeguards include conducting thorough background checks when hiring new staff or contractors, holding periodic training programs to educate employees about HIPAA and to instruct them to report suspicious activity, and limiting physical access to data access points (PCs, mobile devices, medical equipment, and more).
However, there are situations for which these two safeguards cannot fully prepare: employees forgetting the rules, human error, outside influence, and more. Organizations must therefore also look to technological safeguards and implement appropriate measures on top of the administrative and physical ones. Identifying the right measures is not easy for every organization, especially smaller ones. So what measures will help healthcare organizations of all sizes prevent insider-caused HIPAA violations?
- Access control to sensitive ePHI – Granting employees the minimum privileges they need is the best way to ensure that ePHI never reaches individuals with no reason to see it. This well-known data security principle, the principle of least privilege (PoLP for short), should be the key focus. One way to enforce PoLP is to encrypt folders and files that contain ePHI, so that only people holding the correct encryption keys can open those confidential files.
- Limiting the usage of sensitive ePHI – Beyond careful control of access to ePHI, organizations must add a second layer of defense that will ‘stop’ insiders from illegally deleting, copying, or stealing ePHI while they are using it. The core data security solution here is digital rights management (DRM), a solution commonly used across organizations and industries. DRM answers the potentially critical scenario in which trusted employees with access to ePHI turn rogue, whether driven by financial or personal motives.
- Password and authentication management – Organizations must have a solid password policy that sets specific requirements for password strength and update frequency. Strong passwords protect ePHI not only from external attackers but also from employees who might be snooping around. Adding two-factor authentication strengthens this policy further.
- Monitoring and auditing of employee activities – When employees access and use ePHI, it is hard to tell whether they are doing so for legitimate reasons or with malicious intent. HIPAA requires organizations to collect system and event logs of the actions taken on computer systems such as operating systems, office computers, electronic health record (EHR) systems, printers, routers, and more. With these logs in place, organizations can detect anomalies early and stop insiders before they cause HIPAA violations. Audits of the same logs maintain the HIPAA-compliant security level and identify wrongdoers if a violation has occurred.
- Data minimization through destruction – Put simply, less data means less chance of a HIPAA violation. Organizations achieve data minimization by enforcing a responsible data destruction policy: if certain ePHI is no longer required, or a patient requests its deletion, it must be completely destroyed. For PHI on electronic media, HIPAA requires more than simple delete commands or disk formatting; the three major accepted methods are certified data overwriting, disk degaussing, and physical destruction.
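As an added illustration of the monitoring and auditing measure above (example code written for this page, not from any EHR vendor or the article's author), the script below runs three simple snooping checks over a constructed EHR access log: views of patients outside the user's care team, views of records belonging to coworkers, and an unusually high number of views in one day. The log format, care-team table, employee-record mapping and daily threshold are all assumptions chosen for the example.

```python
"""Flag EHR record views that an auditor should review (constructed sample data)."""
from collections import Counter
import csv
import io

# Constructed access log: who viewed which patient record and when (not real data).
ACCESS_LOG = """\
timestamp,user_id,patient_id,action
2024-03-01T09:02:11,dr_lee,P1001,view
2024-03-01T09:05:40,dr_lee,P1002,view
2024-03-01T09:10:03,nurse_kim,P1003,view
2024-03-01T09:11:50,nurse_kim,P1004,view
2024-03-01T12:30:00,dr_lee,P1004,view
2024-03-01T12:31:15,dr_lee,P2001,view
2024-03-01T12:32:00,dr_lee,P2002,view
2024-03-01T12:33:10,dr_lee,P2003,view
"""

# Constructed treatment relationships: patients each clinician is assigned to.
CARE_TEAM = {
    "dr_lee": {"P1001", "P1002"},
    "nurse_kim": {"P1003", "P1004"},
}

# Constructed mapping of patient records that belong to staff members (coworkers).
EMPLOYEE_PATIENT_IDS = {"P2001": "nurse_kim", "P2002": "admin_park"}

# Assumed policy value: more views than this per user per day is worth a look.
VOLUME_THRESHOLD = 5


def find_suspicious_views(log_text, care_team, employee_patients, threshold):
    """Return (user, patient_or_day, reason) tuples for an auditor to review."""
    findings = []
    per_user_day = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user_id"], row["patient_id"]
        day = row["timestamp"][:10]          # date part of the ISO timestamp
        per_user_day[(user, day)] += 1
        # Check 1: no treatment relationship between the viewer and the patient.
        if patient not in care_team.get(user, set()):
            findings.append((user, patient, "no treatment relationship"))
        # Check 2: the record belongs to a coworker other than the viewer.
        if patient in employee_patients and employee_patients[patient] != user:
            findings.append((user, patient, "coworker record"))
    # Check 3: daily view volume above the policy threshold.
    for (user, day), n in per_user_day.items():
        if n > threshold:
            findings.append((user, day, f"{n} views in one day"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_views(ACCESS_LOG, CARE_TEAM, EMPLOYEE_PATIENT_IDS, VOLUME_THRESHOLD):
        print(*f, sep="\t")
```

Real EHR audit trails carry more context (role, department, break-the-glass flags), and a production check would join those in before raising an alert.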
Insider-caused HIPAA violations are a clear and present danger for healthcare organizations, and the common approach to this danger has been limited to educating employees or enforcing policies through legal documents. However, when insiders access or use ePHI, their actions are unpredictable and, worse, their wrongdoing may go undetected, under the organization's nose. It is therefore highly recommended that technological measures that will actually ‘stop’ insiders from causing HIPAA violations be enforced.
With so many data security solutions on the market, organizations can find it hard to implement technological measures that fit their needs and requirements. With the five measures listed above, organizations can build a HIPAA-compliant data security architecture that responds to insider threats that would otherwise be undetectable and unpredictable.