HIPAA Compliance for Medical Practices
76.3K views | +0 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

How responsible are employees for data breaches and how do you stop them?

How responsible are employees for data breaches and how do you stop them? | HIPAA Compliance for Medical Practices | Scoop.it

Data breaches have very quickly climbed the information security agenda and that includes the data breach threat posed by employees and IT professionals.

Now a new report says the insider problem is far worse than we had previously imagined. The Verizon Data Breach investigations report claims that 14% of breaches are due to insiders and that’s not counting the further 12% of breaches that come from IT itself.

Examining the motives of employees with malicious intent, the Verizon report identified two main reasons insiders choose to cause so much trouble:

  1. They are looking for financial gain, perhaps via selling confidential data; or
  2. It’s an act of revenge by disgruntled workers or angry ex-employees who still have network privileges.


On the other hand, CompTIA, an association representing the interests of IT resellers and managed service providers, has a far different point of view. It says more than half of all breaches – some 52% – are due to human error or malice, and the rest arise from technology mistakes. Research from the SANS Institute reaches the same conclusion – employee negligence is a huge source of data breaches. Social engineering is one such element, so this once again shows the importance of training employees in basic IT security.

According to CompTIA, technical solutions are not enough. IT vigilance is always necessary as too many organisations don’t even know there is an insider threat. Resigning yourself to the fact that the human error factor is a problem with no solution is neglectful, especially when it accounts for such a high percentage of breaches. Ultimately, employees are the strongest security layer. Of course, it is just as important to make sure all updates and patches are installed, firewalls are turned on and anti-malware is up to date.

Organisations also need to consider adding tools that can spot and stop data leakage amongst other breaches. Email security too is a top measure to take as many breaches and leaks come through or from the employee’s inbox.

What precautions can you take?

But what should an organisation do when users, whose roles require access to sensitive data, misuse that access? What precautions can they take to reduce both the risk of this happening, and the damage that can result from insider activity?

There is no single answer to these questions, and there is no silver bullet that can solve the problem. A layered approach that includes policy, procedure and technical solutions is the right approach to take. GFI Software has identified 10 precautions in particular that organisations should consider.

1.Background checks

Background checks should be carried out on every employee joining the organisation, even more so if those employees will have access to privileged data. While not foolproof (Edward Snowden had security clearance) they can help to identify potential employees who may have a criminal record or had financial problems in the past. They may also uncover some details of their employment history that bear closer inspection and further checks.

2.Acceptable Use

Acceptable Use Policies (AUP) do more than simply define what users should and should not do on the Internet. They also define what is acceptable and unacceptable when using customer and business proprietary data. While it will not stop those with clear intent, it will warn employees that there are consequences if they are caught including disciplinary action and possibly dismissal.

3.Least Privilege

The principal of least privilege states that users should only be granted the minimum amount of access necessary to complete their jobs. This should include both administrative privileges and access to data. By limiting access, the amount of damage an insider can cause is limited.

4.Review of Privileges

Users’ access to systems and data should be reviewed regularly to ensure that such access is appropriate and is also still required. As users change roles and responsibilities, any access they no longer need should be revoked.

5.Separation of Duties

When possible, administrative duties should be divided up so that at least two users are required for key access or administrative functions. When two users must be involved, any malicious or inappropriate access requires collusion, reducing the likelihood of inappropriate actions and increasing the likelihood of detection.

6.Job Rotation

Many insider threats develop over time and may go undetected for months or years. Often boredom is a cause. One way to counter both problems and at the same time improve the skills and value of key employees, is to rotate users through different roles. Job rotation also increases the likelihood that inappropriate activities will be detected as the new role holder must by definition examine what the previous role holder was doing.

7.Mandatory Time Away

All users need a holiday, a break and time away to recharge. This is not only good for users, it’s good for the organisation. Just like job rotation, when a privileged user is on leave, another person must cover their duties and has the opportunity to review what has been done.

8.Auditing and Log Review

Auditing is imperative. All actions and access must be audited, both for successes and failures. You will want to investigate failures as they may indicate attempts to access data, but you will also want to review successes and ensure that they are in support of appropriate actions, rather than inappropriate ones. While log review only detects things “after the fact”, they can detect repetitive or chronic actions early, and hopefully before too much damage is done.

9.Data Loss Protection

Data Loss Protection (DLP) technologies cannot prevent a determined attacker from taking data, but it can prevent many of the accidental data leakages that can occur.

10.Endpoint Protection

Endpoint protection technologies can greatly reduce the risk of data loss and also detect inappropriate activities by privileged users. Endpoint protection can help you secure BYOD devices, and search files for key data like account numbers. The technology also helps to enforce policies that restrict users from transferring data to unapproved USB devices and encrypt those devices that are approved.

Insider threats can be prevented if a detailed and layered strategy is adopted. Every organisation needs HR, legal and IT to work together to cast a protective net that will proactively identify threats or at least minimise the impact of insider threat. No organisation is safe but we can all lower the risk by acknowledging that the problem exists and taking a range of simple precautions.


more...
No comment yet.
Scoop.it!

FTC suggests stronger data privacy law, HIPAA not enough for health data

FTC suggests stronger data privacy law, HIPAA not enough for health data | HIPAA Compliance for Medical Practices | Scoop.it
This week the Federal Trade Commission published a report focused on privacy and security issues related to the massive Internet of Things (IoT) trend, which includes the growing number of connected health devices. The report summarizes the discussions that took place at an FTC-hosted workshop in November 2013, and it also includes recommendations for the industry from FTC’s staff, which they put together based on the workshop’s discussion.

The workshop’s health panel included five people: Scott Peppet, a professor at the University of Colorado Law School; Stan Crosley, director of the Indiana University Center for Law, Ethics, and Applied Research in Health Information, and counsel to Drinker, Biddle, and Reath; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; Jay Radcliffe, a senior security analyst for InGuardians; and Anand Iyer, president and COO at WellDoc. A full transcript of the entire workshop can be found here (PDF) — the health-related discussion starts on page 164.

Notably, one FTC Commissioner — Jeffrey Wright — filed a dissenting opinion and argued that the FTC should not have published recommendations for IoT companies based on one workshop and public comments.

“If the purpose of the workshop is to examine dry cleaning methods or to evaluate appliance labeling, the limited purpose of the workshop and the ability to get all relevant viewpoints on the public record may indeed allow the Commission a relatively reasonable basis for making narrowly tailored recommendations for a well-defined question or issue. But the Commission must exercise far greater restraint when examining an issue as far ranging as the ‘Internet of Things’ – a nascent concept about which the only apparent consensus is that predicting its technological evolution and ultimate impact upon consumers is difficult. A record that consists of a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, however well-intended, is neither likely to result in a representative sample of viewpoints nor to generate information sufficient to support legislative or policy recommendations,” Wright wrote.

He goes on to argue the FTC should have researched a rigorous cost-benefit analysis prior to offering its recommendations — and not just acknowledge in passing that the FTC recommendations would carry potential costs and benefits.

The report notes that, in general, IoT brings up a number of security risks for consumers.

“IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption.”

Some of the FTC staff’s recommendations include a push for Congressional action related to general data security regulation — not specific to IoT — and a broad-based approach to privacy legislation: “Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices,” the write.

While it is pushing for a broad-based law, the agency specifically cited health-related data and that HIPAA doesn’t cover all health-related data.

“Workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor’s office or insurance company,” the wrote. “Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses.”
more...
No comment yet.