Month: January 2021

How to Counter the Insider Threat to Stay HIPAA Compliant

The insider threat is a prevalent security risk for the healthcare industry, not just in the US but globally. A 2018 Verizon study suggested that more than half of healthcare breaches involved insiders, and in 2019 the reported figure was 34%. Although that is an improvement, these figures are still worryingly high compared with other industries.

US healthcare organizations have become a prime target for hacking groups, not because their security is unusually weak, but because the data they hold is valuable. HIPAA's mandatory safeguards exist to reduce this risk. Some of the biggest risks to healthcare IT are ransomware and other malware, poor security management (e.g. weak passwords), and the insider threat.

The Ponemon Institute defines an insider threat as “a careless or negligent employee or contractor, a criminal or malicious insider, or a credential thief”. A staggering 4,700 insider security incidents were reported in 2020. The real figure is likely much higher, because industries outside healthcare are not bound by regulation to disclose this information.

What causes insider data breaches?

Not all insider actors intend to harm the healthcare institution they work for, and there are many reasons why confidential information may leak. The breach may simply be the result of human error. Everyone makes mistakes, and employees rushing to meet a deadline may inadvertently share protected health information (PHI), for example by emailing it to the wrong recipient.

Other personnel may simply not be aware that sharing PHI in this way is a breach of the HIPAA rules. Accidental disclosure is often the product of inadequate training or of non-compliant tools, such as an email client with no encryption for messages that contain PHI.

That said, employees may also leak information deliberately to harm their employer, for example by passing confidential data to a rival practice. Some steal it for personal financial gain; others do it to expose known internal security weaknesses, acting as a self-appointed vigilante for the greater good.

Other risks include employees taking confidential information with them to a new employer when they change jobs, whether deliberately or not. Some employees have been found leaking data to cybercriminals or selling it to a competitor. There is also a risk when employees move data onto personal devices, for example by emailing it to themselves or copying files to a phone. Something that seems innocent can be a major HIPAA violation.

Why is healthcare a target?

Healthcare is a heavily regulated industry. HIPAA was enacted in 1996, and its rules protect the confidentiality, integrity and availability of protected health information (PHI): individually identifiable health information, together with the personal identifiers attached to it. The rules have been amended as technology has evolved, notably by the Privacy and Security Rules that took effect from 2003 and by the Final Omnibus Rule of 2013.

These safeguards are enforced by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). The rules are designed to protect patient data, including personal identifiers such as home addresses, bank account details, payroll numbers, insurance information, and so on.

If any of this data fell into the wrong hands it would cause the victim real distress and could have serious consequences for the organization at fault: substantial reputational damage, a loss of patients, heavy remediation costs, regulatory penalties, and perhaps a loss of intellectual property.

What can be done to counter this threat?

The Ponemon Institute identifies three pillars of insider threat management: a “program that combines people, processes, and technology to identify and prevent incidents within the organization”.

Healthcare organizations (covered entities) and their business associates share responsibility for protecting PHI, and HIPAA requires a business associate agreement between them. Outsourcing key technology to a HIPAA compliant hosting partner is one practical way to secure PHI: a hosting service built to meet and exceed HIPAA's administrative, physical, and technical safeguards creates a secure ecosystem that reduces the scope for human error. The covered entity nonetheless remains accountable for the PHI it entrusts to the provider.

Safeguards should be able to track, trace, and report on unexpected user activity, supported by user behaviour analytics. Organizations must build access controls on the principle of least privilege, introduce strict access control management, and operate privileged access management (PAM) for the servers and databases that hold restricted information. PAM typically enforces multi-factor authentication (MFA), similar to what you might use for online banking, and records privileged sessions so that administrator activity can be reviewed afterwards.

Threat detection platforms such as an intrusion prevention system (IPS) can scan networks for suspicious activity, and network traffic can be monitored for data loss prevention (DLP). Detailed logging feeds security information and event management (SIEM) operations, and procedural incident response safeguards should be in place that explain how to react when a threat is identified.

Moderate monitoring of employee activity should be conducted. This is not a Big Brother scenario; it is about having checks and balances in place that can be called upon if needed. For example, detailed logging can track system administrator activity, which is common practice in the industry, and a customized interactive logon message can warn users that their activity on the business domain is monitored.

Provided each user has a unique login (a HIPAA Security Rule requirement) and servers keep detailed event logs, an investigation can attribute activity to an individual; shared or generic accounts undermine this. If suspicious activity is suspected, the organization should have clear escalation paths for reporting it.
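As an added illustration, not code from the original article, the following Python script shows the kind of tracking, reporting and attribution the preceding paragraphs describe. It parses a constructed EHR audit trail (the field layout, user names, IP addresses and thresholds are all assumptions) and flags three classic insider-threat indicators: access outside business hours, bulk export or print of records, and a user opening more distinct patient records in a day than a per-user baseline allows. Because every line carries a unique user ID, each alert is attributable to one person.

```python
"""Flag suspicious EHR access in an audit log (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of an EHR audit trail. The field layout is an assumption:
# timestamp,user,action,patient_id,src_ip
SAMPLE_LOG = """\
2021-01-12T09:02:11,rjones,VIEW,P10001,10.0.4.21
2021-01-12T09:05:40,rjones,VIEW,P10002,10.0.4.21
2021-01-12T09:06:02,rjones,VIEW,P10003,10.0.4.21
2021-01-12T09:07:15,rjones,VIEW,P10004,10.0.4.21
2021-01-12T09:08:33,rjones,VIEW,P10005,10.0.4.21
2021-01-12T09:09:50,rjones,VIEW,P10006,10.0.4.21
2021-01-12T10:15:00,mlee,VIEW,P10007,10.0.4.33
2021-01-12T23:41:09,mlee,VIEW,P10008,10.0.4.33
2021-01-13T02:10:44,tkhan,EXPORT,P10009,10.0.7.2
2021-01-13T11:00:00,tkhan,VIEW,P10010,10.0.7.2
"""

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 counts as in-hours (assumed policy)
MAX_PATIENTS_PER_DAY = 5        # per-user baseline (assumed; tune from real history)
BULK_ACTIONS = {"EXPORT", "PRINT"}


def parse_log(text):
    """Turn the CSV-style audit lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, user, action, patient, ip = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "patient": patient,
            "ip": ip,
        })
    return records


def detect(records, max_patients=MAX_PATIENTS_PER_DAY, hours=BUSINESS_HOURS):
    """Return one alert dict per indicator tripped; each names the responsible user."""
    alerts = []
    patients_per_user_day = defaultdict(set)
    for r in records:
        # Indicator 1: any access outside business hours.
        if r["ts"].hour not in hours:
            alerts.append({"rule": "after_hours", "user": r["user"],
                           "detail": r["ts"].isoformat()})
        # Indicator 2: bulk actions (export/print) on PHI.
        if r["action"] in BULK_ACTIONS:
            alerts.append({"rule": "bulk_action", "user": r["user"],
                           "detail": f'{r["action"]} {r["patient"]}'})
        patients_per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    # Indicator 3: more distinct patient records in one day than the baseline allows.
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) > max_patients:
            alerts.append({"rule": "volume", "user": user,
                           "detail": f"{len(patients)} patients on {day}"})
    return alerts


def rules_triggered(alerts):
    """Summarize alerts as {user: set of rule names}, the view an investigator wants."""
    summary = defaultdict(set)
    for a in alerts:
        summary[a["user"]].add(a["rule"])
    return dict(summary)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, rjones trips the volume rule (six patients in one day), mlee trips the after-hours rule, and tkhan trips both the after-hours and bulk-action rules. In production the thresholds would be derived from each role's historical behaviour rather than fixed constants, and alerts would be forwarded to the SIEM and escalation path described above rather than printed.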

If an insider has breached information, containment and remediation plans must already be in place. Containment may be as simple as disabling the user's account or resetting its credentials, or it may mean powering down part or all of a production system, or even invoking disaster recovery, which is exactly why HIPAA requires a contingency plan.

Employees of covered entities and business associates should receive regular training on data security and compliance; training is one of the best ways to protect healthcare organizations. Most breaches are not malicious but the result of an honest mistake, and regular training is what reduces those mistakes.

Each employee is the first line of defense and has a duty to uphold the HIPAA rules, so the employer must provide adequate training as well as refresher courses.

To summarize, the insider threat is one healthcare organizations must take seriously, but studies show that the insider does not always breach information on purpose. Most data breaches are accidental, the product of human error, which can be addressed by debriefing employees after an incident and providing training so that the mistake is not repeated.

Rogue insiders do exist, but on a smaller scale. The ways to reduce that risk are to firm up the selection process when hiring, offer ethics and security training, and ask managers to keep an eye on their teams. Closely monitoring all employee activity would be ethically wrong, as trust must always exist to create a productive working environment.

The best way to counter the insider threat is to outsource healthcare IT systems to a HIPAA compliant hosting partner. Both organizations then work together to secure the platform, and the business associate has a duty to hire diligent and trustworthy employees.

VPLS Now Authorized to Participate in Cisco NASPO Indirect Fulfillment Program

We are excited to announce that VPLS is now authorized to participate in Cisco’s National Association of State Procurement Officials (NASPO) Indirect Fulfillment Partner Program under Cisco’s NASPO NVP Data Communications Products and Service Master Agreement #AR233 for the state of Hawaii. The NASPO ValuePoint contract allows public entities to purchase Cisco’s industry-leading wireless and network solutions from VPLS via a pre-negotiated cooperative contract.

“Our team is thrilled to be approved by NASPO as one of the few select reseller partners for Cisco in the state of Hawaii,” states John Minnix, VP of Sales and Marketing at VPLS. “VPLS has been a proud partner of Cisco for over 8 years, and this designation further enables VPLS to effectively serve Hawaii's state, local, and educational agencies with the wireless and network solutions they need to achieve their IT goals.”

“We look forward to this exciting opportunity to extend our services to our local government agencies,” remarks Ricky Zheng, VP/GM of Hawaii and the Pacific Islands. “Now, we can ensure best-in-class network services to the organizations supporting and providing for the people of Hawaii.”

In addition to network and wireless solutions, VPLS also offers other cloud-to-edge technologies, such as storage infrastructure, hosting, cloud, and security. VPLS is also a NASPO-approved vendor for HPE, Aruba Wireless, RUCKUS, Extreme Networks, Cradlepoint, and other industry-leading technology partners.

VPLS Ranks #26 Among Elite Managed Service Providers on Inaugural NextGen 101 List

The NextGen 101 List Honors Partners Building MSP Practices

We are excited to announce that VPLS has been named as one of the world’s premier managed service providers on the prestigious new 2020 Channel Futures NextGen 101 rankings.

The NextGen 101, an MSP 501 list, features resellers, system integrators, consultants, and other partners with recurring revenues from business models that are diversified beyond managed or cloud services.

The NextGen 101 recognizes diversified partners with growing MSP practices. These partners offer managed services, but they’re also resellers, system integrators and shops that do project work. These diversified shops deserve to be recognized for what they are in their own list, not just grouped together with pure-play MSPs.

Channel Futures is pleased to name VPLS to the NextGen 101.

“We are honored to be recognized on the inaugural NextGen 101 list. VPLS’s diverse and comprehensive portfolio of offerings enables our team to serve clients across a broad range of industries and sizes, with many different technology needs. Staying nimble allowed VPLS to help our clients address many new business challenges last year. We look forward to continuing to offer our services where our valued customers and partners need them most.”

Channel Partners and Channel Futures always want to ensure that their partner communities are recognized for what they do best, and are therefore creating programs targeted toward their needs. The NextGen 101 represents that effort.

“The NextGen 101 is designed specifically to honor partners dedicating resources to building out their practices — all while maintaining the integrity of their core businesses,” said Allison Francis, editor and content producer at Channel Partners and Channel Futures. “Maybe these partners will become the MSP powerhouses of the future. Maybe they’ll continue to expand their managed services capabilities while also devoting resources to core competencies. Or maybe they’ll become a new kind of hybrid partner that isn’t yet even on our radar. We can’t wait to see what these companies will do next, and we’re excited to honor them in a list of their very own.”

The data collected by the annual MSP 501 program drives Channel Partners’ and Channel Futures’ market intelligence insights, creating robust data sets and data-based trend reports that support our editorial coverage, event programming, community and networking strategies, and educational offerings. It serves as a lynchpin to dozens of programs and initiatives.

The complete 2020 NextGen 101 list is available at Channel Futures.
