DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
The HHS 405(d) Program, established under Section 405(d) of the Cybersecurity Act of 2015, is a collaborative effort between the Health Sector Coordinating Council (an organization representing the primary healthcare subsectors: direct patient care; public health; health plans and payers; pharma, blood and labs; medical technology; health information technology; and funeral homes and mass fatality managers) and the federal government to align healthcare industry security practices.
The 405(d) Task Group developed Health Industry Cybersecurity Practices: Managing Threat and Protecting Patients, its first official Task Group product and publication. Health Industry Cybersecurity Practices are given the acronym HICP.
The Health Industry Cybersecurity Practices: Managing Threat and Protecting Patients document has identified the top five cybersecurity threats facing the healthcare sector.
Threat #4 is insider, accidental or malicious data loss. This article discusses this threat.
What is Insider, Accidental or Malicious Data Loss?
Insider threats exist in every organization whose employees, contractors, or other users have access to its technology infrastructure, network, or databases. There are two types of insider threat: accidental and malicious. An accidental insider threat involves no ill intent; it results from honest mistakes such as being tricked by social engineering, procedural errors, or some degree of negligence. For example, an employee who accidentally emails a large volume of PHI to the wrong recipient is an accidental insider threat. A malicious insider threat is the deliberate loss or theft of data by an employee, contractor, or other user of the organization’s technology infrastructure, network, or databases, with the objective of personal gain, extortion, or inflicting harm on the organization or another individual.
What Can Cause Insider, Accidental, or Malicious Data Loss?
- Lack of training on social engineering and phishing attacks
- Lack of physical access controls
- Lack of adequate monitoring, tracking, and auditing of access to patient information on EHR systems
- Lack of adequate logging and auditing of access to critical technology assets, such as email and file storage
- Lack of adequate logging and audit of third-party/business associate support
- Excessive access provided to employees or third-party affiliates
- Lack of technical controls to monitor the emailing and uploading of sensitive data outside the organization’s network
- Files containing sensitive data accidentally emailed to incorrect or unauthorized addressees
- Server or other storage device not encrypted or configured securely
What Measures Can Help to Prevent Insider, Accidental, or Malicious Data Loss?
- Update Business Associate Agreements (BAAs) to include legal safeguards, BAA security reviews, enhanced security processes, and BAA contingency plans
- Train staff and IT users on data access and financial control procedures to mitigate social engineering or procedural errors
- Promptly terminate access when an employee or affiliate no longer requires it
- Limit access to “need to know”
- Implement and use workforce access auditing of health record systems and sensitive data
- Implement and use privileged access management tools to report access to critical technology infrastructure and systems
- Implement and use data loss prevention tools to detect and block leakage of PHI and PII via email and web uploads
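The access auditing and DLP measures above are the two that can be reduced to concrete detection logic, so here is an added example of what that logic looks like when run over audit events. This is illustrative code written for this article, not a 405(d) or HICP artifact and not any vendor's product: the pipe-delimited log format, the field names, the internal domain, the PHI patterns, and the "more than five distinct patients in an hour" threshold are all assumptions, and the sample events are constructed.

```python
"""Detection logic for two insider-threat controls: workforce access auditing of an
EHR and a DLP check on outbound email. Log format, field names, internal domain,
PHI patterns and thresholds are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data). Two record types:
#   EHR|timestamp|user|role|patient_id|action
#   MAIL|timestamp|user|recipient|subject|body
# nurse.jones mis-addresses a message to a look-alike domain (accidental);
# clerk.smith pulls six unrelated charts at 22:00 and mails one home (malicious).
SAMPLE_LOG = """\
EHR|2024-03-04T09:01:00|nurse.jones|nurse|P1001|view
EHR|2024-03-04T09:05:00|nurse.jones|nurse|P1002|view
EHR|2024-03-04T09:08:00|nurse.jones|nurse|P1001|update
EHR|2024-03-04T22:10:00|clerk.smith|billing|P2001|view
EHR|2024-03-04T22:11:00|clerk.smith|billing|P2002|view
EHR|2024-03-04T22:12:00|clerk.smith|billing|P2003|view
EHR|2024-03-04T22:13:00|clerk.smith|billing|P2004|view
EHR|2024-03-04T22:14:00|clerk.smith|billing|P2005|view
EHR|2024-03-04T22:15:00|clerk.smith|billing|P2006|view
MAIL|2024-03-04T10:00:00|nurse.jones|dr.lee@clinic.example|Follow-up|Labs for P1002 attached
MAIL|2024-03-04T10:30:00|nurse.jones|dr.lee@clinic.exmaple|Follow-up|Labs for P1002 attached
MAIL|2024-03-04T22:20:00|clerk.smith|me@mail.example|backup|P2001 SSN 123-45-6789 DOB 1980-01-02
"""

INTERNAL_DOMAINS = {"clinic.example"}          # assumed: the covered entity's own mail domain
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN shape
PATIENT_RE = re.compile(r"\bP\d{4}\b")          # assumed MRN/patient-id shape for this EHR


def parse_log(text):
    """Turn the pipe-delimited lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ts, user, *rest = line.split("|")
        ev = {"kind": kind, "ts": datetime.fromisoformat(ts), "user": user}
        if kind == "EHR":
            ev.update(role=rest[0], patient=rest[1], action=rest[2])
        elif kind == "MAIL":
            ev.update(recipient=rest[0], subject=rest[1], body=rest[2])
        events.append(ev)
    return events


def excessive_access(events, max_patients=5):
    """Workforce access audit: users who opened more than max_patients distinct
    records within one clock hour. Returns {user: peak distinct patients}.
    This is a crude proxy for access beyond 'need to know'; a production audit
    would also compare against the user's care relationships and baseline."""
    per_hour = defaultdict(set)
    for ev in events:
        if ev["kind"] == "EHR":
            hour = ev["ts"].replace(minute=0, second=0)
            per_hour[(ev["user"], hour)].add(ev["patient"])
    flagged = {}
    for (user, _), patients in per_hour.items():
        if len(patients) > max_patients:
            flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


def outbound_phi(events, internal_domains=INTERNAL_DOMAINS):
    """DLP check: mail leaving the organisation whose subject or body carries a
    PHI indicator. Returns (user, recipient, reasons) tuples in log order."""
    hits = []
    for ev in events:
        if ev["kind"] != "MAIL":
            continue
        domain = ev["recipient"].rsplit("@", 1)[-1].lower()
        if domain in internal_domains:
            continue
        text = ev["subject"] + " " + ev["body"]
        reasons = []
        if SSN_RE.search(text):
            reasons.append("ssn")
        if PATIENT_RE.search(text):
            reasons.append("patient_id")
        if reasons:
            hits.append((ev["user"], ev["recipient"], tuple(reasons)))
    return hits


def audit(text):
    """Run both checks over a log and return a combined report."""
    events = parse_log(text)
    return {"excessive_access": excessive_access(events), "outbound_phi": outbound_phi(events)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_LOG).items():
        print(name, findings)
```

Both log entries that the DLP rule flags are the same control doing its job: the first is the accidental case (a typo in the recipient's domain sends a patient identifier outside the organization), the second the malicious one (an SSN mailed to a personal account). Only the malicious user trips the access audit, which is why the two measures are listed separately.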