Final
Issued by: Office for Civil Rights (OCR)
Summer 2019 OCR Cybersecurity Newsletter
In 2019, OCR moved to quarterly cybersecurity newsletters. The purpose of the newsletters remains unchanged: to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues, and highlighting best practices to safeguard PHI.
Managing Malicious Insider Threats
Individuals throughout an organization have the ability to expose their organization to a wide range of security threats simply because they are considered trustworthy or have access to sensitive data like health information.[1] These individuals can be customer service representatives, IT staff, managers, and senior executives. Malicious insiders can succeed in harming an organization by intentionally leaking or destroying sensitive information. Examples of insider misuse of health information include accessing the medical records of celebrities for financial gain and using patient information to commit fraud and identity theft. The exfiltration of sensitive information stored within an organization's IT systems can be accomplished by malicious insiders in several ways, such as transmitting information in encrypted messages, copying information to a mobile or storage device (e.g., cell phone, USB drive), or unauthorized physical removal or theft of equipment. Transmitted or copied data could be further hidden using subtle means such as embedding data within other data (i.e., steganography[2]).
The harm can take various forms, including loss of data, damage to the organization's reputation, civil liability exposure, and potential federal and state regulatory enforcement actions. In addition to organizational harm, individuals affected by a data breach could be at risk for identity theft, fraud, or even blackmail.
The 2019 edition of Verizon's Data Breach Investigations Report (DBIR)[3] found that trusted insiders were responsible for 59% of all security incidents and breaches (both malicious and inadvertent) analyzed in the report. The report also indicated that the primary motivation for incidents and breaches perpetrated by insiders was financial gain. In 2017, the HHS Office for Civil Rights (OCR) reached a resolution agreement to settle potential HIPAA violations with an entity whose employees' inappropriate access of health information "led to federal charges relating to selling protected health information (PHI) and filing fraudulent tax returns."[4]
Detecting and preventing data leakage initiated by malicious authorized users is a significant challenge facing security professionals today. Identifying potential malicious activity as soon as possible is key to preventing or mitigating the impact of such activity. To identify potential suspicious activity, organizations should consider an insider's interactions with information systems, including:
- The where, who, what, and how of safeguarding critical data.
- An organization should understand where its data is located, the format in which it resides, and where its data flows throughout its enterprise. This knowledge is crucial to conducting an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of an organization's critical data. Once these risks are understood, policies and procedures can be developed or updated and security measures implemented to reduce these risks to a reasonable and appropriate level. See 45 CFR §§164.308(a)(1)(ii)(A)-(B) (risk analysis and risk management), 164.316 (policies and procedures and documentation requirements).
- An organization should establish who is permitted to interact with its data and what data those users are permitted to access in determining appropriate access controls. Access controls can take many forms. For example, physical access controls as simple as doors that need keys for opening can limit an unauthorized person's ability to enter sensitive facilities or locations; network access controls can limit access to networks or specific devices on a network; role-based access controls can limit access to certain devices, applications, administrator accounts, or data stores to only a defined group of users. Organizations should leverage their risk analysis when establishing and implementing access controls. See 45 CFR §§164.308(a)(3) (workforce security) and (4) (information access management); 164.310(a) (facility access controls), (a)(2)(iii) (access control and validation), and (c) (workstation security); and 164.312(a) (access control), (d) (person or entity authentication), and (e) (transmission security); 164.316 (policies and procedures and documentation requirements).
- Another important consideration is how an organization's users will interact with data. Do the duties of the user's job require the capability to write, download, or modify data, or is read-only access sufficient? Do users need to access data from laptops, smartphones, or mobile storage devices (such as thumb drives)? Such devices are more difficult to safeguard and control, especially if they are "personal" devices owned by the user. An organization should consider limiting unnecessary mobile device use and implementing security controls to prevent copying sensitive data to unauthorized external devices. If users are given access to mobile or storage devices, the organization must implement appropriate security controls to safeguard the data when using such devices. See 45 CFR §§164.308(a)(4) (information access management); 164.310(a) (facility access controls), (b) (workstation use), and (d) (device and media controls); 164.312(a) (access control) and (e) (transmission security); and 164.316 (policies and procedures and documentation requirements).
- Real-time visibility and situational awareness. The migration to cloud computing, increased use of mobile devices, and the adoption of Internet of Things (IoT) technology can greatly reduce an organization's ability to detect anomalous user behavior or indicators of misuse by either a trusted employee or a third-party vendor who has access to critical systems and data. To minimize this risk, an organization may employ safeguards that detect suspicious user activities, such as traffic to an unauthorized website or downloading data to an external device (e.g., thumb drive). Maintaining audit controls (e.g., system event logs, application audit logs) and regularly reviewing audit logs, access reports, and security incident tracking reports are important security measures, required by the Security Rule, that can assist in detecting and identifying suspicious activity or unusual patterns of data access. See 45 CFR §§164.308(a)(1)(ii)(D) (information system activity review), and 164.312(b) (audit controls).
- Security is a Dynamic Process. Good security practices entail continuous awareness, assessment, and action in the face of changing circumstances. The information users can and should be allowed to access may change over time; organizations should recognize this in their policies and procedures and in their implementation of those policies and procedures. For example, if a user is promoted, demoted, or transfers to a different department, the user's need to access data may change. In such situations, the user's data access privileges should be re-evaluated and modified to match the new role, if needed. See 45 CFR §164.308(a)(4)(ii)(C) (access establishment and modification). Organizations should be particularly sensitive to the risk of insider threats in cases of involuntary separation. Organizations should have policies and procedures in place to terminate physical and electronic access to data before any user leaves the organization's employ. Such actions should include disabling all of the user's computer and application accounts (including access to remote and administrative accounts, if applicable), changing or disabling facility access codes known to the user, and retrieving organization property including keys, mobile devices, electronic media, and other records. See 45 CFR §§164.308(a)(3) (workforce security), (ii)(B) (workforce clearance procedure), (ii)(C) (termination procedures); 164.310(a) (facility access controls); and 164.316 (policies and procedures and documentation requirements).
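As an added example (not OCR's code and not taken from any EHR or identity product), the Python script below shows the two reviews the newsletter describes in the last two points above: an information system activity review that reads audit log lines and flags after-hours access, exports to removable media, and record-access volumes above a role's daily baseline; and an access reconciliation that compares an HR roster and role entitlement map against an account snapshot to flag accounts still enabled (or still holding remote access) after separation, entitlements left over from a previous role after a transfer, and accounts with no HR owner. The log format, the role baselines, the entitlement sets and every sample record are constructed assumptions for illustration.

```python
"""Added example, not OCR's or any vendor's code. All formats and records here
are constructed assumptions."""
from collections import defaultdict
from datetime import date, datetime

# --- Part 1: audit log review (information system activity review) ----------
# Constructed audit log lines: timestamp|user|role|action|patient_id|destination
SAMPLE_AUDIT_LOG = [
    "2019-07-08T09:12:41|jdoe|billing|VIEW|P1001|workstation",
    "2019-07-08T09:13:05|jdoe|billing|VIEW|P1002|workstation",
    "2019-07-08T22:47:19|jdoe|billing|VIEW|P2044|workstation",   # after hours
    "2019-07-08T10:02:33|rlee|nurse|VIEW|P1003|workstation",
    "2019-07-08T10:05:10|rlee|nurse|EXPORT|P1003|usb_removable",  # copy to thumb drive
] + [  # a help-desk account touching 12 distinct charts in one morning
    f"2019-07-08T11:{m:02d}:00|asmith|helpdesk|VIEW|P30{m:02d}|workstation"
    for m in range(12)
]
# Constructed baseline: distinct patient records a role normally touches per day
ROLE_BASELINES = {"billing": 50, "nurse": 40, "helpdesk": 5}
REMOVABLE_DESTINATIONS = {"usb_removable", "personal_email"}

def parse_audit_line(line):
    ts, user, role, action, patient_id, dest = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "patient_id": patient_id, "dest": dest}

def review_audit_log(lines, role_baselines, business_hours=(7, 19)):
    """Return (kind, user, when, detail) findings for three patterns:
    after-hours access, export to removable media, and per-day record
    volume above the role baseline."""
    findings, roles = [], {}
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids
    start, end = business_hours
    for line in lines:
        ev = parse_audit_line(line)
        roles[ev["user"]] = ev["role"]
        if not start <= ev["ts"].hour < end:
            findings.append(("after_hours", ev["user"], ev["ts"].isoformat(), ev["patient_id"]))
        if ev["action"] == "EXPORT" and ev["dest"] in REMOVABLE_DESTINATIONS:
            findings.append(("export_to_removable", ev["user"], ev["ts"].isoformat(), ev["dest"]))
        per_user_day[(ev["user"], ev["ts"].date())].add(ev["patient_id"])
    for (user, day), patients in per_user_day.items():
        baseline = role_baselines.get(roles[user], 0)
        if len(patients) > baseline:
            findings.append(("volume_exceeds_baseline", user, day.isoformat(),
                             f"{len(patients)}>{baseline}"))
    return findings

# --- Part 2: access reconciliation (access modification and termination) ----
AS_OF = date(2019, 7, 8)  # constructed review date
HR_ROSTER = {  # constructed HR roster
    "jdoe":  {"role": "billing",  "status": "active",    "separated_on": None},
    "rlee":  {"role": "nurse",    "status": "active",    "separated_on": None},  # moved from pharmacy
    "mkhan": {"role": "pharmacy", "status": "separated", "separated_on": date(2019, 6, 28)},
}
ROLE_ENTITLEMENTS = {  # constructed role -> permitted entitlements
    "billing":  {"ehr_billing_view"},
    "nurse":    {"ehr_clinical_view", "ehr_clinical_write"},
    "pharmacy": {"ehr_clinical_view", "pharmacy_dispense"},
}
ACCOUNT_SNAPSHOT = {  # constructed snapshot of directory/application accounts
    "jdoe":    {"enabled": True, "remote_access": False, "entitlements": {"ehr_billing_view"}},
    "rlee":    {"enabled": True, "remote_access": False,
                "entitlements": {"ehr_clinical_view", "ehr_clinical_write", "pharmacy_dispense"}},
    "mkhan":   {"enabled": True, "remote_access": True,
                "entitlements": {"ehr_clinical_view", "pharmacy_dispense"}},
    "svc_old": {"enabled": True, "remote_access": False, "entitlements": {"ehr_clinical_view"}},
}

def reconcile_access(roster, role_entitlements, snapshot, today):
    """Return (kind, user, detail) findings: accounts still enabled or holding
    remote access after separation, entitlements outside the current role,
    and accounts with no HR owner."""
    findings = []
    for user, acct in snapshot.items():
        person = roster.get(user)
        if person is None:
            findings.append(("no_hr_record", user, "account has no owner in HR roster"))
            continue
        if person["status"] == "separated":
            days = (today - person["separated_on"]).days
            if acct["enabled"]:
                findings.append(("separated_still_enabled", user, f"enabled {days} days after separation"))
            if acct["remote_access"]:
                findings.append(("separated_remote_access", user, "remote access still active"))
            continue
        excess = acct["entitlements"] - role_entitlements[person["role"]]
        if excess:
            findings.append(("excess_entitlements", user, sorted(excess)))
    return findings

if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_LOG, ROLE_BASELINES):
        print(finding)
    for finding in reconcile_access(HR_ROSTER, ROLE_ENTITLEMENTS, ACCOUNT_SNAPSHOT, AS_OF):
        print(finding)
```

Each finding is a lead for a human reviewer rather than a verdict: the business-hours window, the per-role baselines and the set of "removable" destinations are placeholders that an organization would derive from its own risk analysis and its own audit logs, and the reconciliation is only as good as the freshness of the HR roster it is run against.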
The healthcare sector is a tempting target for malicious insiders who seek to disclose or steal an organization's sensitive information. However, by recognizing the risks and implementing appropriate safeguards, organizations can manage this risk and comply with the law.
* This document is not a final agency action, does not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department's discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in this document will not, in itself, result in any enforcement action.
Footnotes
[1] This newsletter is focused on malicious threats that insiders can present, but unintentional or inadvertent actions by insiders can also introduce cybersecurity threats.
[2] Steganography is the art and science of communicating in a way that hides the existence of the communication; for example, one image could be hidden inside another graphic image file, audio file, or other file format. https://csrc.nist.gov/glossary/term/steganography
[3] https://enterprise.verizon.com/resources/reports/dbir/
[4] https://www.hhs.gov/sites/default/files/memorial-ra-cap.pdf (PDF)