Tuesday, 11 October 2016 13:27

Feds to providers: Prepare for insider attacks on patients records

Written by

In a recent newsletter, the U.S. Office for Civil Rights (ORC) discussed the “insider threat” as one of the largest threats to the security of patient information within organizations. The agency noted that even some cyberattacks may be insider-driven.

According to a recent survey, conducted by Accenture and HfS Research, 69% of organizations surveyed reported experiences with malicious activity on the part of insiders, including current or former employees, contractors and business associates.

According to a survey conducted by the federal government, CSO Magazine, and Deloitte, common e-crimes committed by insiders include:

  • Unauthorized access to or use of organization information
  • Exposure of private or sensitive data
  • Installation of viruses, worms, or other malicious code

OCR says organizations should:

  • Consider insider threats in enterprise-wide risk assessments.
  • Document and enforce policies and controls.
  • Create awareness of insider threats in security training for employees.
  • Monitor and respond to suspicious or disruptive behavior.
  • Anticipate and manage negative issues in the work environment.
  • Implement strict password and account management policies and practices.
  • Enforce separation of duties and necessary-only access to PHI.
  • Define security in all cloud-services agreements, especially relating to access restrictions and monitoring capabilities.
  • Institute access controls and monitoring policies on privileged users.
  • Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  • Monitor and control remote access from all points, including mobile devices.
  • Develop a comprehensive employee termination procedure.
  • Implement secure backup and recovery processes.
  • Formalize an insider threat program.
  • Establish a baseline of normal network device behavior.
  • Be especially vigilant regarding social media.

Read 824 times Last modified on Wednesday, 11 January 2017 13:24

10 Step HIPAA Plan

  • Step 1: Make Sure you Must Comply with HIPAA +

    What's Inside:
    Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Designate Team Leaders +

    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures +

    What's Inside:
    Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis +

    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths

    Interactive tutorial – 156 questions with fill-able PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan +

    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addresses email with patients
    • Checklists

    Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach +

    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team +

    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach.
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices +

    What's Inside:
    FOR ALL:
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish.

    • Professionals' guide covering 2013 updates on communications.

    • Electronic toolkit with patient education and meaningful consent sample materials.
  • Step 9: Execute Business Associate Agreements +

    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA +

    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews

    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government

    All from federal sources.
  • 1


Member Access