Many spy movies begin with the suspected antagonist being an outside enemy or threat only to find – plot twist – it was an inside job all along. The purported hero is actually the villain who broke the code by posing as a trusted insider.
Healthcare can work the same way. The threat within can be just as malicious as outside hackers. That healthcare cybersecurity breaches are on the rise is not news: in 2019 alone, close to 25 million patient records have been breached. Yet in our 2019 survey of healthcare organizations, more than 50 percent already felt confident in their efforts and controls to prevent unauthorized access to personally identifiable information (PII). Clearly, there is a disconnect somewhere.
Data Breaches Resulting from Unauthorized Access
According to Becker’s Hospital Review, 15 percent of security breach incidents were caused by insider misuse. Hospitals or clinics may not always have control over the hiring practices or identity authentication for outside vendors such as HVAC or telephone service providers, and they may not keep as tight a rein on the protection of access as they do for, say, employees. Likewise, with mergers and acquisitions, understaffed IT teams are trying to blend disparate EMR systems and may not have the resources to focus on identity authentication for the many new physicians that came with the merger. Also according to our survey, in nearly 70 percent of organizations the IT teams are responsible for security efforts and access.
In addition, for many smaller and rural health systems with limited IT staffing or infrastructure, the challenge of securing systems from insider access can be even more daunting. Think about how many outside vendors access PII every day – from lab vendors to supply chain. Threats from supply chain vendors are often overlooked, but from pharmaceutical vendors to laundry services, vendors are in and out of hospital systems every day.
If you look at the healthcare data breaches reported between 2009 and 2018, many were due to hacking, but a large number were also due to what the Office for Civil Rights, which tracks cybersecurity incidents in healthcare, classifies as “unauthorized access/disclosure.”
Identification with Fewer Risks
Let’s look at a real-world example. One of our customers, a multi-hospital system, was faced with protecting over half a million unique identities that included vendors, employees, contractors, preferred providers and physician office staff, with a help desk and call center staff of thousands to support them.
For many years, their solution to protecting these identities was to use an individual’s social security number. If someone needed to reset their password or access the system, they had to call the help desk and identify themselves with their social security number.
That meant thousands of help desk staff had access to highly sensitive information. Their goal was to reduce the risk of identity theft and insider threat. They partnered with LexisNexis to deploy our knowledge-based authentication solution to confirm identities in real time without using sensitive PII and without extra burden on help desk staff. The number of people with access to the millions of unique identities went from the thousands to fewer than 10.
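The design change in the case above is worth seeing in code: the help desk agent relays challenge questions and the caller's answers, but the verification service holds only salted hashes and returns a yes/no decision, so no agent ever sees a social security number or any other enrolled value. The following is an added illustration written for this post; it is not LexisNexis's product or any customer's system, and every name, question, user and answer in it is constructed. It also adds a lockout after repeated failures and an audit trail that records who verified whom, without the answers themselves.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List


def normalise(answer: str) -> str:
    """Canonicalise a spoken answer so '123-45-6789' and '123456789' compare equal."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow, salted hash; the service stores only this, never the plaintext answer."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, 100_000)


@dataclass
class Enrollment:
    salt: bytes
    answer_hashes: Dict[str, bytes]   # question -> expected digest
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuditEvent:
    agent_id: str
    user_id: str
    outcome: str                      # verified / rejected / locked / unknown_user


class VerificationService:
    """Hypothetical knowledge-based authentication service (constructed for this example)."""

    MAX_FAILED = 3                    # lock the identity after this many wrong attempts

    def __init__(self) -> None:
        self._store: Dict[str, Enrollment] = {}
        self.audit_log: List[AuditEvent] = []

    def enroll(self, user_id: str, answers: Dict[str, str]) -> None:
        """Store per-user salt and digests; the plaintext answers are discarded here."""
        salt = os.urandom(16)
        digests = {q: hash_answer(a, salt) for q, a in answers.items()}
        self._store[user_id] = Enrollment(salt, digests)

    def challenge_questions(self, user_id: str) -> List[str]:
        """Questions the agent reads to the caller; expected answers are never returned."""
        enr = self._store.get(user_id)
        return sorted(enr.answer_hashes) if enr else []

    def verify(self, agent_id: str, user_id: str, supplied: Dict[str, str]) -> bool:
        """Return only a decision, so the agent's screen never carries PII."""
        enr = self._store.get(user_id)
        if enr is None:
            self._log(agent_id, user_id, "unknown_user")
            return False
        if enr.locked:
            self._log(agent_id, user_id, "locked")
            return False
        # Evaluate every question (no short-circuit) with constant-time digest comparison.
        results = [
            q in supplied and hmac.compare_digest(hash_answer(supplied[q], enr.salt), expected)
            for q, expected in enr.answer_hashes.items()
        ]
        if all(results):
            enr.failed_attempts = 0
            self._log(agent_id, user_id, "verified")
            return True
        enr.failed_attempts += 1
        if enr.failed_attempts >= self.MAX_FAILED:
            enr.locked = True          # further attempts fail until an out-of-band unlock
        self._log(agent_id, user_id, "rejected")
        return False

    def _log(self, agent_id: str, user_id: str, outcome: str) -> None:
        self.audit_log.append(AuditEvent(agent_id, user_id, outcome))


def help_desk_password_reset(service: VerificationService, agent_id: str,
                             user_id: str, caller_answers: Dict[str, str]) -> str:
    """Agent workflow: relay answers, act only on the service's decision."""
    if service.verify(agent_id, user_id, caller_answers):
        return f"reset-ticket:{user_id}"   # constructed token standing in for a one-time reset link
    return "verification failed"


if __name__ == "__main__":
    svc = VerificationService()
    # Constructed enrollment: only the last four digits of the SSN are ever collected.
    svc.enroll("dr_smith", {"ssn_last4": "6789", "employee_id": "E-00042", "zip": "02139"})
    print(svc.challenge_questions("dr_smith"))
    print(help_desk_password_reset(svc, "agent7", "dr_smith",
                                   {"ssn_last4": "6789", "employee_id": "e00042", "zip": "02139"}))
```

The point of the structure is least privilege: the agent population, however large, can at most learn that a caller passed or failed, and the audit log lets security operations review which agent verified which identity and spot agents with unusual failure or lockout patterns.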
A Layered Approach
According to the HIPAA Journal, while many healthcare organizations are getting better at detecting internal threats, insider activity is still a major cause of data breaches. In 2010, there were eight breaches from unauthorized access; in 2018, 143 were recorded. We can attribute the increase to the rise in digital health technologies and the number of access points at which vendors, physicians and employees can reach protected health information (PHI). Among those 143 breaches, more than 300,000 records were exposed. The internal threat poses a serious challenge.
The key to combating the threat within is a consistent, robust identity authentication strategy that can be deployed across all systems and for all individuals attempting to access them, including a layered approach such as multifactor authentication (MFA). Sixty-five percent of those asked in our survey have deployed some kind of MFA, but 35 percent still had not, even though MFA is considered a mere baseline by many organizations.
A sound security strategy should include tailored levels of verification across workflows and platforms. Healthcare organizations have to ensure that all individuals and companies accessing their systems are who they claim to be, across all systems, devices and locations.
Real life can be like a spy movie, but it can have a positive ending. It just takes the right hero, or in this case the right cybersecurity and identity verification approach.
To learn more, read our “State of Identity Management” report.