New data security guidance from HHS targets insider threats
The Department of Health and Human Services’ Office for Civil Rights has issued guidance for managing malicious insider threats to protected health information.
The guidance targets the security risks of Individuals within healthcare organizations—they are trusted to securely protect health information, but if employees become disenchanted, they could become a malicious insider who could harm the organization.
Malicious insiders, HHS advises, can be anyone and include IT staff, customer service representatives, managers and senior executives, and they can leak or destroy information. A malicious insider also can use available information to assess medical records of celebrities for financial gain, or use patient data to commit fraud or identity theft.
Exfiltration of data can be done by transmitting information in encrypted messages, copying information to a mobile or storage device such as a cell phone or USB device, physical removal of information or theft of equipment.
The harm also extends directly to the patients and families served by a provider that has been compromised with a data breach, and now the family may face identity theft, fraud or blackmail.
“An organization should understand where its data is located, the format in which it resides and where its data flows throughout the enterprise,” HHS explains.
The agency also has tips for access control of facilities and networks. “Network access controls can limit access to networks or specific devices on the network, and role-based access controls can limit access to certain devices, applications, administrator accounts or data stores to only a defined group of users.”
HHS urges providers that are establishing and implementing access controls to conduct a risk analysis. The agency has been pushing hard for healthcare companies to conduct rigorous risk analyses across their enterprises, and it has heavily sanctioned multiple provider organizations that have been breached as an example for the rest of the industry.
HHS additionally supports real-time visibility and situation awareness being built in at provider organizations.
“The migration to cloud computing, increased use of mobile devices, and the adoption of Internet of Things technology can greatly reduce an organization’s ability to detect anomalous user behavior or indicators of misuse by either a trusted employee or a third party who has access to critical systems and data.”
Consequently, providers and vendors are urged to consider employing safeguards that detect suspicious user activities such as traffic to an unauthorized website, or the downloading of data to an external device such as a thumb drive.
Finally, HHS advises that security is a dynamic process. “Good security practices entail continuous awareness, assessment and action in the face of changing circumstances. The information users can and should be allowed to access may change over time. Organizations should recognize this in their policies and procedures and in their implementations. “If a user is promoted, demoted or transfers to a different department, the user’s need to access data may change. Data access privileges should be re-evaluated and modified to match the new role.”