Find out what an insider breach is and how it involves HIPAA compliance.
When people hear about a health care breach, they tend to think of an external hacker gaining access to a large amount of information. However, the insider threat is just as insidious, if not more so.
The insider threat comes from employees accessing protected health information (PHI) for reasons other than a business need. Because those employees already have legitimate access to PHI as part of their jobs, such a breach can be very difficult to detect. Often, it is brought to the attention of the health care organization by a patient who has experienced identity theft. Other times, the issue is discovered only after an audit of system use.
Remember: HIPAA compliance requires health care organizations to monitor logs.
One example of the insider threat occurred at St. Charles Health System in Oregon when an employee improperly accessed the health information of approximately 2,500 patients. The employee reviewed files out of curiosity between October 8, 2014 and January 16, 2017. The investigation was initiated on January 16, 2017 and the employee stated that she did not share any of the information she viewed with anyone else.
Another example is from Chadron Community Hospital and Health Services in Nevada. An employee there accessed patient information for more than five years before it was discovered, affecting more than 700 patients. The individual is no longer employed at the facility, and it is currently unclear if information was accessed out of curiosity or malicious use.
A third example comes from the Multnomah County Health Department, where an employee automatically forwarded work emails to a personal account. Some of the emails contained PHI, which could have constituted a HIPAA breach. An investigation was conducted and it appears that the information was not misused; however, about 1,700 patients were affected.
These examples show how the threat of a breach by an employee is just as high as the threat of an external hacker gaining access to PHI. Often, the issue comes down to lack of training, lack of employee sanctions, or lack of auditing users’ actions.
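The kind of audit that surfaces the "curiosity browsing" pattern described above is a review of EHR access logs against documented treatment relationships. The following is an added example, not code from the original post or from any EHR vendor; the pipe-delimited log format, the field names and the care-team mapping are constructed assumptions for illustration.

```python
"""Audit PHI access logs for accesses with no documented business need.

Constructed example: the log format, field names and the CARE_TEAM mapping
are assumptions for illustration, not a real EHR's schema.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: patients each workforce member is assigned to (an
# active encounter or care-team membership). Access outside this mapping
# has no documented business need and warrants review.
CARE_TEAM = {
    "nurse01": {"P100", "P101"},
    "clerk02": {"P100"},
}

# Constructed EHR access-log lines: timestamp|user|patient|action
SAMPLE_LOG = """\
2017-01-16T08:05:00|nurse01|P100|VIEW_CHART
2017-01-16T08:07:00|nurse01|P101|VIEW_CHART
2017-01-16T08:09:00|nurse01|P250|VIEW_CHART
2017-01-16T08:10:00|nurse01|P251|VIEW_CHART
2017-01-16T09:30:00|clerk02|P100|PRINT
2017-01-16T22:15:00|clerk02|P300|VIEW_CHART
"""

def parse_log(text):
    """Parse pipe-delimited access records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records

def find_unjustified_access(records, care_team):
    """Accesses where the user has no documented relationship with the patient.
    Float staff and covering clinicians also produce these, so each hit is a
    review lead for the privacy officer, not proof of a breach."""
    return [r for r in records
            if r["patient"] not in care_team.get(r["user"], set())]

def users_over_threshold(flagged, max_per_day=1):
    """Users with more than max_per_day unjustified accesses on one day;
    many unrelated charts in a short window is the browsing signature."""
    counts = Counter((r["user"], r["ts"].date()) for r in flagged)
    return sorted({user for (user, _), n in counts.items() if n > max_per_day})

if __name__ == "__main__":
    flagged = find_unjustified_access(parse_log(SAMPLE_LOG), CARE_TEAM)
    for r in flagged:
        print(f"REVIEW {r['ts']} {r['user']} -> {r['patient']} ({r['action']})")
    print("users over threshold:", users_over_threshold(flagged))
```

In practice the care-team mapping comes from encounter or scheduling data, and the daily threshold is tuned per role before the report is handed to the privacy officer.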
To learn what you can do to protect against these types of breaches, sign up with HIPAAgps and start using the online HIPAA compliance tool to train yourself and your team on how to better protect PHI!