Do You Know Who Your Employees Are?
Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to a Covered Entity (CE) or Business Associate (BA) and can have a negative impact on the confidentiality, integrity, and availability of its electronic protected health information (ePHI).
According to a survey conducted by Accenture and HfS Research in 2016, 69% of organization representatives surveyed had experienced an insider attempt or success at data theft or corruption. Further, a Covered Entity reported that one of its employees had unauthorized access to 5,400 patients’ ePHI for almost 4 years.
😱 Would you know if this happened in your practice?
The Center for Health Care Services (CHCS) notified 28,434 patients whose data was apparently stolen when a former employee allegedly took the information after he was fired in 2016, according to a statement issued by the center.
“A former employee of CHCS was discovered to have secretly taken personal health information from CHCS on his personal laptop computer at the time his employment was terminated on May 31, 2016,” the statement says.
“The discovery was made on Nov. 7, 2017, as a result of documents produced in litigation between the former employee and CHCS.”
US CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:
• has or had authorized access to an organization’s network, system, or data;
• has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Most Common E-Crimes Committed by Insiders
According to a survey conducted by the U.S. Secret Service, CERT Insider Threat Center, CSO Magazine, and Deloitte, the most common e-crimes committed by insiders are:
• unauthorized access to or use of organization information;
• exposure of private or sensitive data;
• installation of viruses, worms, or other malicious code;
• theft of intellectual property.