The Threat from Within

Potential threats can also come from inside your own office. These come in two basic flavors: mistakes… and malice. Mistakes often lead to the inadvertent disclosure of PHI or other sensitive data. This can take place via misdelivery, publication errors, lost media and disposal errors.

Misdelivery primarily relates to mistakes made when sending out emails containing sensitive information. An incorrectly typed email address can easily lead to the disclosure of sensitive information. This sort of thing can also happen with paper records, x-rays, etc. if mailing addresses aren’t checked carefully (and yes, that still constitutes a breach). There is a big risk for this sort of disclosure when office personnel are doing mundane tasks involving sensitive data. Small mistakes can lead to big problems.

Publication errors involve posting non-public information on a public resource, like PHI on social media or your office website. Have rules in place regarding which information can be posted publicly and be sure to double-check the work before it goes live.

Lost media underscores importance of encryption and is discussed in more detail in the sections in Part I covering computers and mobile devices.

Disposal errors involve failing to properly purge an electronic device or shred paper data containing PHI or other sensitive data before throwing it away. Proper data disposal is covered in detail in the sections on computers, mobile devices and network security in Part I.

There is also a significant risk of business partners making any of these types of errors (since business associates are staffed by people and can make these mistakes just as easily as anyone else can).

Moreover, much of the time, the office suffering the breach is not the first one to find out about it. The majority of these errors are discovered externally, either by customers (or patients, as the case may be) or other external entities.13 That type of publicity is definitely best avoided.

What should you do? A few steps can help.

Data Loss Prevention (DLP) software can catch sensitive data (credit card numbers, PHI, billing info, etc.) before it leaves the system. While there are ways for a skilled hacker to get around it, DLP software can help prevent inadvertent disclosures of sensitive data on its way outside the network (before it gets away).

Put procedures in place to prevent inadvertent disclosures. This can include saving patient and vendor email addresses into your email contacts instead of manually typing each email address when sending outgoing email, and double-checking addresses on outgoing paper mail. Also, keep in mind if the information inadvertently disclosed is encrypted, that disclosure does not constitute a breach under HIPAA and most state breach notification laws. A simple rule that could save your office some serious potential headaches: no emailing unencrypted PHI, regardless of recipient.

Proper disposal of electronic and paper PHI is covered in Part I in the sections on computers, mobile devices and network security.

Malicious insiders are just what they sound like – people with legitimate access to your system who mean to do harm to you and/or your office. This can mean someone looking to quietly sell PHI for profit or a disgruntled current or former employee seeking revenge for a perceived offense.

While nothing is foolproof, there are a few measures that can help reduce the potential threat. Employee background checks are a simple step that can literally nip the problem in the bud. In addition, access to your network should always be as restricted as possible. Current employees should not have any system access beyond that which they actually need. A security or IT professional can easily set up employee accounts that control each employee’s degree of access to certain files or parts of your office network. Moreover, when any employee leaves your office – regardless of reason – their access to the system should be rescinded immediately (including keys and building entry badges).

Technological measures that can help include network monitoring and the DLP software noted above. Network monitoring essentially involves keeping an eye on who accesses what and where data is moving within your network. It can be outsourced or there are a number of software packages available to do it in-house. These measures are covered in more detail in the network security section in Part I.