In the 2019 summer cybersecurity newsletter, the Office for Civil Rights (OCR) highlighted malicious insider threats to protected health information (PHI). Within the newsletter, the OCR provided ways in which internal threats to PHI data can be mitigated. Additionally, a recent report conducted by Verizon found that 59% of breaches and other security incidents, were the result of insiders.  

Common Reasons for Insider Threats to PHI Data

Employees may access PHI data without authorization for several reasons. Stolen PHI data may be used for financial gain or as retaliation by a disgruntled employee. 

The following are some of the reasons an employee may access PHI data without authorization:

• Curiosity: employees may access PHI data of celebrity patients or patients that they know out of curiosity. They may also access the PHI data of spouse during divorce proceedings or a former spouse during a custody dispute, to use as leverage.  
• Criminal intent: the most common reason employees access PHI data without authorization is for financial gain. By accessing the information of a celebrity or well-known individual, employees can sell the information. Patient information may also be accessed to commit identity theft or fraud. 
• Employees leaving an organization: an employee that has found a job at another healthcare organization may copy PHI data to provide a patient list to their new employer. If the new employer utilizes the list to contact patients, the patients will likely be upset that another provider has their PHI data. The unauthorized disclosure of PHI data may result in a HIPAA fine for the original employer.
• Underperforming employees: employees that are not performing well, and suspect they may be fired, may access PHI as a means to prove their competence. They may download or copy PHI to support wrongful termination claims by providing proof that their level of care was adequate. 

How to Prevent Insider PHI Breaches

Preventing internal breaches can be difficult as the people accessing PHI data are permitted to do so. However, it is imperative that insider breaches are detected quickly to mitigate the effects. As such, the OCR has provided some guidance as to how covered entities (CEs) and business associates (BAs) can quickly detect insider threats.

• Access management: includes several controls that organizations can implement to limit the risk of a PHI breach. Each employee should have unique login credentials enabling organizations to track who accesses what information. Access management also includes physical controls such as locks in areas that contain PHI data.
• Asset management: all devices used for business should be logged and monitored. Organizations should have a list of devices that includes who uses the device and what protections are in place securing PHI data. In addition, healthcare organizations should have a mobile device policy limiting the use on premise.
• Know your data: to best protect data, it is important to know where it is stored and who has access to it. Sensitive information and mission-critical data should be protected with additional security measures such as encryption or multi-factor authentication. 
• Stay aware: it is vital that healthcare organizations continuously monitor their network and devices through: 
• • Logs: organizations should keep and review logs to monitor access reports, application audits, system events, and security incidents.
• Alerts: administrators should have system alerts in place to monitor when users excessively download data, download data to an external device, or access personal sites.
• Access privileges: when an employee leaves the company or changes job roles, access privileges should be immediately adjusted. 
• Terminated employees: employees who are expected to be terminated should have their data access revoked. 

Healthcare organizations vigilant in their efforts to secure PHI and prevent insider PHI data breaches. The OCR recommends that organizations implement access management and asset management to limit the risk of PHI exposure. Healthcare organizations must continually monitor access to PHI data to ensure that is only accessed to perform a job function.