More news on the insider front makes it necessary to point out, again, how susceptible healthcare is to insider failures.

HIPAA For MSPs by David Sims Insiders - Don't Accept Candy From Strangers

In a second we will cover the topic for today.  There have been some recent news stories about what insider threats you should be worrying about today. Yes, we have talked about this many times, insiders are the number one problem in healthcare. These news stories fill us in on just how bad the problem really is for the industry.

First, let’s start with some listener questions and comments:

We begin with one from Twitter. The first one is a question a listener sent in about Alexa and paramedics after seeing a story about the Massachusetts ambulance company that plans to put Amazon Echo Dots in all of their Wi-Fi-enabled ambulances. They have a new Alexa Skill added to them so she can tell them everything in the drug manuals. The paramedics say "Alexa, we have a patient". Then they ask the question. Alexa then tells them what she knows about it.

Sybil (@shaines12) wanted to know our thoughts on the idea.  Donna replied:

Great idea! I want to see the ambulance service SRA. Sounds like “we have a patient” makes them think no PHI. But every word could be recorded on Amazon cloud.

We also got an email question from one of our regular listeners. This time, there were two questions in one request.

1. Can you explain on a podcast “Is there an exemption or safe harbor” in regards to breach notification?

Safe harbor is a legal term.  The most common case where it is applied in a breach case relates to encryption.

A laptop with PHI on it is stolen.  But, you have confirmed that it was properly encrypted and the encryption keys were not with it.  You have a reasonable belief that due to that safeguard, no one can actually do anything with the data.

Even though you still have a breach, there is no need to report it, because encryption was in place and you can reasonably prove it was protecting the data on that laptop.

Breach is the storm and encryption is your safe harbor!

Other exemptions may apply when it comes to notifications.  Things like a clinician accidentally opened the wrong John Smith chart and immediately closed it once they realized the mistake.

It was accessed inappropriately, but you have a good faith belief that the person will not disclose anything they saw, and they did not access it with the intent to see it.

2. NC State Statute (N.C. Gen. Stat. 75-60) – says that substitute notice may be given to a patient by telephone if you talk to the person directly (3rd option). I don’t think HIPAA has this and would be stricter. Is a CE allowed to do this?

HIPAA notification requirements are a good bit different than that.  The statute reads:

In any case, deemed by the covered entity to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under paragraph (d)(1) of this section.

So, they can call someone but they still have to send the written notice which is outlined in (d)(1).

Finally, a note from a listener, Mary Hribar.

You have become my friends while I am on the road traveling between offices to do software training and coaching. I’ve been a good disciple and have been spreading the news! Much like the gospel, I believe that each practice/vendor/staff person should have a personal relationship every day with their risk management policies and procedures to ensure that they don’t end up in HIPAA hell.

THANK YOU for all you do. Anytime HIPAA is brought up on a social media group I am a member of, I give a shout out to the podcast. Heck, I even do it when HIPAA isn’t brought up!

Thanks again! Keep spreading the WORD! Lord knows us heathens need it 😉

Insiders: Don’t accept candy from strangers

Carolina Digestive Health Associates – Police let them know that an employee had at least 100 patients’ data that she handed over to suspects in a fraud ring.

Ex-Berkeley Medical Center employee to pay more than $22K in restitution in patient-ID theft:

Letters were mailed to more than 7,000 patients informing them of the breach after the health care provider discovered the female employee had accessed the information without authorization

That employee was suspended Jan. 19 after an internal investigation linked her to the victims, who police notified immediately.

The employee, who began working for University Healthcare in March 2014, was fired Jan. 27, 2017, hospital-system officials said.

The employee scheduled patients at Berkeley Medical Center and Jefferson Medical Center in Ranson, W.Va., for outpatient procedures and pre-surgical testing, hospital officials said.

Roberts obtained the patients’ information by writing it on sheets of paper, and printed copies of the patients’ driver’s licenses when available, court records said.

Accenture posted results of their 2018 Healthcare Workforce Survey on Cybersecurity.  About 900 employees of providers and payers in both the US and Canada answered the online survey.  The article they published about the survey starts with one very important quote:

The data show that employees are a significant weak link in healthcare organizations’ cyber defenses. Some are behaving badly intentionally. Others are simply not complying with policies, even though many say they understand them.

The harsh reality is that healthcare employees are willing to put patients’ medical data at risk. This is despite the fact that 99 percent said they feel responsible for the security of this data. We learned that 21 percent of healthcare employees write down their usernames and passwords near their computer. And a jaw-dropping 18 percent are willing to sell confidential patient data to an unauthorized outsider! This could be in the form of selling their login credentials or downloading sensitive data onto a portable device, for example. Those who would sell their access most commonly expect to be paid between $500 and $1,000. And perhaps most shocking of all: About a quarter of employees know someone in their organization who has already done this!

There is plenty more in there but here are a few more that got my attention:

Seventeen percent of healthcare employees who received training still write down their usernames and passwords and 19 percent of trained employees are willing to profit by selling their credentials or access to an unauthorized third party. Surprisingly, these numbers actually go up for employees who have had more frequent training.

The point Accenture makes is that training isn’t the only thing that matters.  Yes, training must be done but the culture of the organization also matters.  Building a workforce that has a security mindset is more than just training.  The good news is that 81% were not willing to sell out.

If an organization builds a strong security-first culture, hopefully those honest folks could influence the ones just across the line into the dark side back to our side. That, in turn, could reduce the likelihood that the remaining ones would even get the opportunity to turn to the dark side completely.

We still need the technology in place to prevent as much as possible.  Then, address those remaining insider issues with monitoring behaviors and catching them in the act.  When someone gets caught it also reinforces security first!

There are several reports and articles that review these issues.  US healthcare is very bad at security.  Everyone knows it.  We just talked about it in a previous episode that we called Does Healthcare Suck at Cybersecurity?  Our answer, yes.  This is clear.