In a recent newsletter, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) discussed the "insider threat" as one of the largest threats to the security of patient information within organizations. The agency noted that even some incidents that present as cyberattacks may be insider-driven.
According to a recent survey conducted by Accenture and HfS Research, 69% of the organizations surveyed reported having experienced malicious activity by insiders, including current or former employees, contractors, and business associates.
According to a survey conducted by the federal government, CSO Magazine, and Deloitte, common e-crimes committed by insiders include:
- Unauthorized access to or use of organization information
- Exposure of private or sensitive data
- Installation of viruses, worms, or other malicious code
OCR says organizations should:
- Consider insider threats in enterprise-wide risk assessments.
- Document and enforce policies and controls.
- Create awareness of insider threats in security training for employees.
- Monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least-privilege (need-to-know) access to protected health information (PHI).
- Define security in all cloud-services agreements, especially relating to access restrictions and monitoring capabilities.
- Institute access controls and monitoring policies on privileged users.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Monitor and control remote access from all points, including mobile devices.
- Develop a comprehensive employee termination procedure.
- Implement secure backup and recovery processes.
- Formalize an insider threat program.
- Establish a baseline of normal network device behavior.
- Be especially vigilant regarding social media.
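The three list items about monitoring (log correlation/SIEM auditing of employee actions, a baseline of normal behavior, and a termination procedure) are the ones a security team actually has to turn into detection logic. The script below is an added example, not code from the OCR newsletter or any of the surveys cited above, showing the shape of that logic over a constructed PHI access audit log: it learns a per-user baseline of distinct patient records touched per day, then flags a volume spike against that baseline, access outside business hours, and any activity by an account that HR has marked terminated. The log line format, the user names, the business-hours window, the `TERMINATED` set, and the spike thresholds are all assumptions made for the example; a real EHR audit log and SIEM rule syntax will differ.

```python
"""Added example (not from the OCR newsletter or the cited surveys).

Learns a per-user baseline from an audit log, then correlates recent
events against that baseline, a business-hours window, and a list of
terminated accounts. All log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: "<ISO timestamp> <user> <action> <record id>".
# The format is an assumption for this example.
BASELINE_LOG = """
2024-03-04T09:02:11 nurse_a VIEW patient:1001
2024-03-04T09:40:03 nurse_a VIEW patient:1002
2024-03-04T14:12:55 nurse_a VIEW patient:1003
2024-03-04T10:05:19 clerk_b VIEW patient:1001
2024-03-04T11:30:42 clerk_b VIEW patient:1004
2024-03-05T08:55:07 nurse_a VIEW patient:1005
2024-03-05T09:21:33 nurse_a VIEW patient:1006
2024-03-05T15:47:10 nurse_a VIEW patient:1001
2024-03-05T10:12:01 clerk_b VIEW patient:1007
2024-03-05T13:44:28 clerk_b VIEW patient:1008
"""

RECENT_LOG = """
2024-03-06T09:01:10 nurse_a VIEW patient:2001
2024-03-06T09:03:42 nurse_a VIEW patient:2002
2024-03-06T09:06:15 nurse_a VIEW patient:2003
2024-03-06T09:08:57 nurse_a VIEW patient:2004
2024-03-06T09:11:30 nurse_a VIEW patient:2005
2024-03-06T09:14:02 nurse_a VIEW patient:2006
2024-03-06T09:16:48 nurse_a VIEW patient:2007
2024-03-06T09:19:21 nurse_a VIEW patient:2008
2024-03-06T09:22:05 nurse_a VIEW patient:2009
2024-03-06T09:24:39 nurse_a VIEW patient:2010
2024-03-06T10:30:00 clerk_b VIEW patient:2011
2024-03-06T11:45:12 clerk_b VIEW patient:2012
2024-03-06T12:00:33 ex_employee_c VIEW patient:2020
2024-03-06T23:15:44 nurse_a EXPORT patient:2030
"""

# Accounts closed by the termination procedure (assumed for this example).
# In practice this set should be fed automatically from HR/IAM, not typed in.
TERMINATED = {"ex_employee_c"}

# Assumed clinic schedule: 07:00 through 18:59 counts as business hours.
BUSINESS_HOURS = range(7, 19)


def parse_log(text):
    """Turn the constructed audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def distinct_records_per_day(events):
    """Map each user to {date: set of distinct record ids touched that day}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e["user"]][e["ts"].date()].add(e["record"])
    return per_day


def build_baseline(events):
    """Mean number of distinct patient records each user touches per day."""
    return {user: sum(len(s) for s in days.values()) / len(days)
            for user, days in distinct_records_per_day(events).items()}


def detect(events, baseline, terminated=TERMINATED, factor=3.0, floor=5):
    """Correlate recent events against baseline, hours and terminated list."""
    alerts = []
    for e in events:
        when = e["ts"].isoformat()
        if e["user"] in terminated:
            alerts.append({"rule": "terminated_account_active", "user": e["user"],
                           "detail": f"{e['action']} {e['record']} at {when}"})
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "after_hours_access", "user": e["user"],
                           "detail": f"{e['action']} {e['record']} at {when}"})
    for user, days in distinct_records_per_day(events).items():
        # Unknown users get a baseline of 0; the floor keeps tiny baselines
        # from alerting on every single record access.
        expected = baseline.get(user, 0.0)
        threshold = max(factor * expected, floor)
        for day, records in days.items():
            if len(records) > threshold:
                alerts.append({"rule": "volume_spike", "user": user,
                               "detail": f"{len(records)} distinct records on "
                                         f"{day} (baseline {expected:.1f}/day)"})
    return alerts


def run():
    """Build the baseline from the older log and scan the recent one."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(RECENT_LOG), baseline)


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

On the constructed data this raises exactly three alerts: a volume spike for `nurse_a` (11 distinct records against a baseline of 3 per day), an after-hours `EXPORT` by the same account, and a record view by the terminated `ex_employee_c`. The per-user baseline is the piece that matters most in practice: a flat "more than N records per day" rule either drowns the SIEM in noise from high-volume roles or misses a low-volume clerk who suddenly reads ten times their usual number of charts.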