Healthcare Breaches from Insider Risks: Accidents or Workarounds?

In my last blog, Healthcare Breaches from Loss or Theft of Mobile Devices or Media, I looked at breaches resulting from loss or theft of mobile devices containing sensitive patient data. In this blog I build on this with another very common type of breach that results from healthcare employee accidents or workarounds. In this case a workaround is defined as a well-intended action the employee takes to get their job done but that is out of compliance with the privacy and security policy of the healthcare organization and adds risk.

The Ponemon 2015 Cost of a Data Breach: United States study reveals that 19 percent of all breaches across industries, including healthcare, are caused by human error. A further 32 percent are caused by system glitches that include both IT and business process failures, in which human error can be a key contributing factor. The total average cost of a single data breach event is $6.53 million, or $398 per patient record (the highest across all industries).

In a previous blog Is Your Healthcare Security Friendly? I discussed how if usability in healthcare solutions is lacking, or security is cumbersome, it can drive the use of workarounds. The use of workarounds is further exacerbated with so many BYOD options and apps now available, giving well intentioned healthcare workers amazing new tools to improve the quality and lower the cost of care, but these tools often were not designed for healthcare and add significant additional risk and in a worst case lead to breaches.

An example of this type of breach is shown in the info graphic below where the first failure is ineffective security awareness training for healthcare workers on how to avoid accidents and workarounds. The second failure is usability is lacking in a solution used by healthcare workers, or security is too cumbersome for example too many logins, or the healthcare IT department is perceived by healthcare workers to be too slow or overly restrictive in enabling new technologies. A 2014 HIMSS Analytics Study Curbing Healthcare Workarounds: Driving Efficient Co-Worker Collaboration reveals that 32 percent of workers use workarounds every day, and 25 percent use workarounds sometimes.

Keeping in mind that any one of these could result in a breach this is a staggering finding and highlights how common workarounds are and how significant the associated privacy and security risks are. The third failure leading to breach in this example involves the healthcare worker using a BYOD device such as a smartphone with an app that has a cloud backend, in order to collaborate with a healthcare co-worker. An example of this could be a healthcare worker taking a photo of a patient and attempting to use a file transfer app to share it with a colleague. In step four any data the healthcare worker puts into the app, or data collected by the app itself such as location history, is sent to the app backend or “side cloud” where in step 5 it is accessed by unauthorized individuals leading to a breach.

David_Security sept.png

Security is complex, and there are many safeguards required to effectively mitigate this type of breach. Maturity models have achieved wide adoption and success in healthcare, for example the HIMSS EMRAM (EMR Adoption Model) has been used by 5300+ provider organizations worldwide. Maturity models are a great way to simplify complexity and enable rapid assessment of where you are and what you need to do to improve.

In the infographic above, beneath the sequence of events leading to this type of breach, is a breach focused maturity model that can be used to rapidly assess your security posture and determine next steps to further reduce residual risk. There are three levels in this maturity model, Baseline includes orange capabilities, Enhanced adds yellow capabilities, and Advanced adds green capabilities. Only safeguards relevant to mitigating this type of breach are colored in this maturity model. Other grayed out blocks, while important in mitigating risk of other types of breaches, do not play a significant role in mitigating risk of breaches from insider accidents or workarounds. There are many risks in healthcare privacy and security. This model is focused on breaches. A holistic approach is required for effective security, including administrative, physical and technical safeguards. This maturity model is focused mostly on technical safeguards. Below I briefly review each of the safeguards relevant to this type of breach.

A baseline level of technical safeguards for basic mitigation of healthcare breaches from insider risks requires:

  • User Awareness Training: educates healthcare workers on how to be privacy and security savvy in delivering healthcare, and the risk of accidents and workarounds, and viable safer alternatives
  • Device Control: prevents the unauthorized use of removable media, for example USB sticks that workers may attempt to use to move sensitive patient data unsecured
  • Mobile Device Management: keeps mobile devices secure, including BYOD devices used by healthcare workers, addressing risks including patient data loss or unauthorized access
  • Anti-Malware: detects and remediates malware infections of healthcare worker devices, including malware employees may accidentally encounter on infected websites or apps
  • DLP Discovery: discovers where sensitive patient data is at rest and how it moves over the network, a key first step in an ongoing inventory of sensitive data you need to protect. This can be used to detect unsecured sensitive data and uncover accidents or workarounds leading to it, enabling correction before a breach
  • Vulnerability Management and Patching: involves proactively identifying vulnerabilities and patching them to close security holes before they can lead to a breach. This is particularly important with healthcare worker devices used to access the Internet and at risk of being exposed to malware and attacks
  • Email Gateway:  enables you to catch unsecured patient data attached to emails and also defends against malware attached to emails, and phishing attacks
  • Web Gateway: can detect malware from healthcare workers web browsing the Internet, and defend against attempted drive-by-downloads that may otherwise lead to data loss and breach

An enhanced level of technical safeguards for further improved mitigation of risk of this type of healthcare breach requires addition of:

  • Secure Remote Administration: enables healthcare IT to efficiently, securely and remotely administer endpoint devices so they are up to date with the latest patches and safeguards to defend against breaches from accidents and workarounds
  • Endpoint DLP: Data Loss Prevention enforced on endpoint devices to monitor and address day-to-day end-user risky actions that can lead to accidents, or be used in workarounds
  • Policy Based File Encryption: can automatically encrypt files containing sensitive healthcare data based on policy and protect the confidentiality of those files even if put at risk in an accident or workaround
  • Network DLP Monitor / Capture: enables healthcare security to gather information about data usage patterns, enabling proactive risk identification, and better decisions on how to mitigate

An advanced level of security for further mitigation of risk of this type of breach adds:

  • Network DLP Prevention: ensures that sensitive healthcare data only leaves the healthcare network when appropriate, and helps defend against loss of sensitive healthcare information from accidents or workarounds
  • Digital Forensics: enables you to determine in the event of an accident or workaround whether a breach actually occurred, and if so the nature of the breach, and exact scope of data compromised

Healthcare security budgets are limited. Building security is an ongoing process. The maturity model approach discusses here can be used in a multi-year incremental approach to improve breach security while keeping within limited annual budgets and resource constraints.

What questions on healthcare security do you have?