Dealing with Insider Threats to HIPAA Security

by Leonardo M. Tamburello and Robert C. Scrivo

While most Covered Entities rightly orient cyber security efforts against external threats, there has been a recent uptick in the intentional theft of protected health information (PHI) by employees and others from inside organizations. Although so-called “insider threats” are not the most common security problem, they are among the most costly and damaging. Because they originate from individuals who are trusted and therefore have a legitimate level of access to confidential data, they are also especially difficult to detect.

Illustrating this problem, in February 2015 a former hospital employee in Texas was sentenced to 18 months in federal prison after improperly obtaining PHI with the intent to use it for personal gain. More recently, a Blue Cross Blue Shield of Michigan (BCBSM) employee (and ten others in multiple states) was indicted on multiple counts of identity theft related crimes based on her alleged theft of BCBSM subscriber information.

According to the indictment, the BCBSM employee shared subscribers’ personal identifying information and distributed it to others who used it to apply for credit in subscribers’ names and make purchases across the country. Co-conspirators were arrested in Texas, Ohio and Michigan in possession of BCBSM subscriber information, counterfeit identification cards, and credit cards that were fraudulently obtained in the names of BCBSM subscribers. At other suspects’ homes, agents recovered BCBSM subscribers’ names, dates of birth and Social Security numbers in addition to counterfeit and re-encoded credit cards and gift cards. The indictment alleges that three of the co-conspirators used counterfeit credit cards at different stores and fraudulently obtained more than $742,000 worth of merchandise from Sam’s Club alone.

While indictments and prison sentences send a strong message from law enforcement about HIPAA protections, employers can also take important preventative steps to deter, thwart and detect potential insider threats. At a minimum, outbound data flows including email systems, printers, USB drives or other forms of removable media should be monitored for suspicious activity. This would not have necessarily stopped a group like those recently indicted in Michigan who used the low-tech method of taking screen shots of subscriber information, but it could detect other types of unauthorized data movements, such as those where data is removed directly from servers or corporate networks.

Most technological defenses, like passwords and other forms of user authentication, are designed to keep unauthorized users out, and consequently are of no use against insiders who, by definition, are authorized to access the systems that they target. As a result, combating insider threats requires a multidisciplinary approach. In addition to technological measures, employers should focus on deterrence by educating their workforce about security measures to detect unauthorized data exfiltration and possible consequences including jail time. Businesses should also think about who from the outside might target their data, which of their employees has access to that information, and how those individuals might pose a risk of data theft.   Employers should also get to know their employees’ regular workflows and routines. If someone who never accesses certain information or databases is suddenly doing so, that should be automatically flagged and investigated; so too if an employee is suddenly sending twice or three times the amounts of emails or data which could suggest that data theft is underway. From a HIPAA compliance standpoint, Covered Entities should consider the insider threat possibility as part of their regular risk assessment process and develop appropriate protocols in response.

While the insider threat, like many others, can never be completely eliminated, an active deterrence and monitoring strategy coupled with intelligent technical solutions can reduce it significantly.