More than 9 out of 10 health-care data breaches affecting 500 or more individuals published on the U.S. Department of Health & Human Services website were caused by organizations’ own employees, not hackers. Virtually every complaint of privacy violations investigated by the Office for Civil Rights (OCR), a division of the HHS, and resulting in corrective actions involved unintentional or malicious violations by employees.
While organizations fret over the next cyber attack, more than 50% health-care breaches are due to lost or stolen laptops, backup tapes, and mobile devices containing unencrypted data. Then there are the everyday human errors that happen at companies in every industry, like a worker leaving the door to the server room unlocked and putting passwords on a sticky note under the keyboard.
Even the majority of health data breaches that are categorized as “IT Incidents/Hackers” are the result of employees clicking on phishing messages or succumbing to social engineering.
There are several reasons why these things occur, some of which are unintentional — and some that are very intentional and malicious. On the unintended side, lack of specific training and security awareness is a primary contributor. On the intentional or malicious side, there are financial gains from selling the information or exposing it to the media, not to mention, in health care, the possibility of free medical care and prescription access to narcotics.
What steps can a CFO take to protect against both kinds of incidents?
- Develop specific policies and procedures regarding the handling of proprietary or sensitive information. Have employees sign an acknowledgement form indicating that they have read the policies and understand their responsibilities.
- Improve training. Many organizations think that a general 30-minute online information-security training followed by 10 questions is sufficient for employees to know what they should do in a given situation. However, the lack of specificity to their own responsibilities opens the possibility of unintentional exposure of, or unauthorized access to, protected information.
- Ensure only the minimum necessary access to the information. Organizations need to take the time to assess the functions or roles in the organization that need access to confidential information, and to document the process for initiating and terminating that access. The most damaging impact on an organization can be caused by a disgruntled employee who is terminated from the organization, yet his or her access to information is not cut off in a timely fashion.
- Communicate and apply consistent sanctions for information privacy or security violations. If there is no punishment for accessing or sharing information, people are more apt to do so. For example, rural hospitals and health plans have significant problems with employees snooping into medical records of colleagues, ex-partners, and others in the community. Larger hospitals and rehab centers have to address the improper snooping into the medical records of celebrities and prominent public figures. An organization can suffer significant financial and reputational damage if steps aren’t taken when bad behavior occurs.
- Monitor employee activity. Doing so ensures appropriate access and can unearth any unusual activity. Take the time to review or randomly sample usage reports to identify any potential problems early and initiate remediation activities.
- Ensure adequate oversight or governance of information security programs. This is necessary to evaluate the causes of security or privacy incidents, apply consistent sanctions, monitor training activities, provide resources for mitigation and remediation of impermissible disclosures, and make information security part of the organization’s culture.
Ninety percent of an organization’s data breaches are due to “friendly fire” – the mistakes and transgressions of the business’s own employees and business associates. By taking the actions outlined above, a company can greatly reduce the likelihood of these internal breaches – both the careless mistakes and the malicious acts.
Mary A. Chaput is CFO of Clearwater Compliance in Nashville, Tennessee.