Latest report highlights insider threat to health plans’ data

Last year was a significant one for health plans when it came to data breaches and breach settlements.

For example, the largest health data breach settlement in history was paid out in October, when Anthem surrendered $16 million in fines to the Office for Civil Rights (OCR) for the breach of 79 million patient records in 2014-2015.

And at the end of last year, OCR named three health plans among the top 10 breaches it was investigating, including one involving the alleged unauthorized access or disclosure of 1.2 million records by the Employees Retirement System of Texas Health Plan. Also under investigation was CNO Financial Group for allegedly exposing more than half a million records through unauthorized access and disclosure.

Those health plan breaches are increasing introspection about current vulnerabilities of protected health information. The latest Verizon Data Breach Investigations Report provides insight, warning that most healthcare breaches come from internal sources.

Internal actors pose a threat because they have already been granted access to a system to do their jobs. This explains why privilege abuse is among the top five breach types within the healthcare sector, Verizon’s report says. To defend against this attack, Verizon recommends that healthcare organizations know where major data stores are, limit access to what is necessary and track all access attempts. “Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups,” the study says.

“Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for healthcare organizations,” Verizon says.
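The monitoring Verizon describes, finding lookups that no business need explains and surfacing the users who make the most of them, can be reduced to a join between an application's record-access log and whatever table records each user's legitimate relationship to a patient or member (care team, claims caseload). The script below is an added illustration, not code from Verizon, Protenus or the article; the log lines, the assignment table, the user names and the review threshold are all constructed for the example.

```python
"""Flag possibly unnecessary record lookups in a constructed PHI access log.

Added example (not from the Verizon report or the article). It assumes two
inputs an organization would already have: an application access log that
records which user opened which patient record, and a "legitimate
relationship" table (care team, claims caseload, etc.) saying which records
each user has a business reason to touch. Both are constructed here.
"""
from collections import defaultdict

# Constructed access-log lines: timestamp, user, role, action, record id.
ACCESS_LOG = """\
2019-03-04T08:01:12 jdoe claims VIEW MRN-1001
2019-03-04T08:03:45 jdoe claims VIEW MRN-1002
2019-03-04T08:10:02 jdoe claims VIEW MRN-2045
2019-03-04T09:15:30 asmith nurse VIEW MRN-3001
2019-03-04T09:16:02 asmith nurse VIEW MRN-3002
2019-03-04T12:40:11 asmith nurse VIEW MRN-1001
2019-03-04T13:02:55 bwong it_admin VIEW MRN-1001
2019-03-04T13:03:10 bwong it_admin VIEW MRN-1002
2019-03-04T13:03:41 bwong it_admin VIEW MRN-3001
2019-03-04T13:04:05 bwong it_admin VIEW MRN-3002
2019-03-04T13:04:30 bwong it_admin VIEW MRN-2045
"""

# Constructed legitimate-relationship table: records each user is assigned to.
# The IT admin can technically open every record but is assigned to none.
ASSIGNMENTS = {
    "jdoe": {"MRN-1001", "MRN-1002"},
    "asmith": {"MRN-3001", "MRN-3002"},
    "bwong": set(),
}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, record = line.split()
        events.append({"ts": ts, "user": user, "role": role,
                       "action": action, "record": record})
    return events


def unnecessary_lookups(events, assignments):
    """Accesses to records the user has no recorded relationship with."""
    return [e for e in events
            if e["record"] not in assignments.get(e["user"], set())]


def over_privileged_users(events, assignments, max_unassigned=2):
    """Users whose unassigned lookups exceed a threshold (constructed value).

    These are the accounts Verizon's advice says to review first: broad
    access, little of it tied to an assigned patient or member.
    """
    counts = defaultdict(int)
    for e in unnecessary_lookups(events, assignments):
        counts[e["user"]] += 1
    return sorted(u for u, n in counts.items() if n > max_unassigned)


def report(text=ACCESS_LOG, assignments=ASSIGNMENTS):
    """Summarize unassigned access across the log."""
    events = parse_log(text)
    flagged = unnecessary_lookups(events, assignments)
    return {
        "unassigned_access_count": len(flagged),
        "users_with_unassigned_access": sorted({e["user"] for e in flagged}),
        "review_first": over_privileged_users(events, assignments),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A single unassigned lookup (the claims analyst opening one record outside the caseload, the nurse opening a record from another unit) is a candidate for a follow-up question, not proof of wrongdoing; the account that touches every record without an assignment is the one that the threshold pushes to the top of the review queue. In practice the assignment table is the hard part: it has to be fed from scheduling, claims or care-team systems, and coverage gaps there show up as false positives.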


"Unfortunately, when one looks at the entirety of 2018, you see a tripling of breached records versus 2017, suggesting a continuation of the trend we've seen year after year—the health data breach landscape continues to get worse," says Robert Lord, president and co-founder of Baltimore-based Protenus, a healthcare compliance analytics company that issued its own breach report earlier this year. "Payers and health plans, while discussed less often in the context of data breaches, remain prime targets due to the amount of [personal health information] that they consolidate and process,” Lord adds.

Protenus’s quarterly report, the Breach Barometer, published with DataBreaches.net, found that healthcare has continued to suffer from insider incidents, and 2018 was no different. Protenus characterized “insider incidents” as either insider-error or insider-wrongdoing, which included employee theft of information, snooping in patient files and other cases where employees appeared to have knowingly violated the law.

Lord warns that insiders remain a particular threat, one that is not easily detected. “The average time that it takes to detect such events averages 255 days, with some events going on for up to four years,” he says.

Another top breach vector within the healthcare industry is phishing emails sent to trick users into clicking a link and entering their email credentials on a phony site. This was the case with Anthem, according to OCR. Anthem issued a statement acknowledging no wrongdoing.

In a phishing breach scheme, once the login information is stolen, data thieves access the user’s cloud-based mail account and any patient data stored there. Verizon recommends that organizations work on improving how quickly they raise an alarm when a phishing attack is underway, helping to prevent users from clicking and revealing their credentials.

Verizon’s breach report can be accessed here. Protenus’s Breach Barometer can be found here.
