Today I want to talk a little about insider threat. For the healthcare industry, this is something that can be hard to think about. The healthcare setting is all about care delivery – in agreeing to help the patient, we establish a covenant, or a bond of trust and obligation, with the patient. We want them to entrust themselves into our care. In return we, consistent with the Hippocratic Oath[1], promise to do only good for the patient, protect privacy and confidentiality and practice medicine following ethical principles.
While the fundamental elements of our bond with the patient remain the same, some aspects of the actions we take to fulfill our covenant must evolve. Already, we have seen efforts to empower patients with data and knowledge to enable them to take responsibility for their health and to be involved in an active partnership with the caregiver. Clearly, we see benefit from the empowerment to both the patient and the caregiver – an informed and knowledgeable patient can lead to better outcomes. We are helping patients in evolving their part of the covenant – to be a participant in their care.
Huh? How does this relate to security?
Security? For those who work in the care delivery setting, the term “security” can be a foreign, and even an upsetting, concept. We’ve always shared information, and, anyway, isn’t that someone else’s responsibility – someone in the IT, network administration or compliance department?
With regard to how information security can be interpreted by the caregiver, the care delivery institution and its employees, I often make this short statement in talks that I give:
“Taking care of patients includes taking care of their data.”
This usually results in audience head-nodding – something that I always like to see, so that I know that they are awake. All kidding aside, I think it resonates.
What can we do as participants in the healthcare care delivery sector?
All right, then. Clearly, the balance between protecting patient privacy and increasing efficiency, reducing costs and other factors is being discussed in the policy arena. Meanwhile, what can we do as participants in the healthcare care delivery sector? Based on what we know about how insider threat most often manifests itself in the breaches reported to HHS, most of the breaches are attributed to the loss or theft of mobile computing or storage devices.[2] From this and other data, it is fairly obvious that technical safeguards alone are not sufficient to address insider threats.
Therefore, ensuring that all staff assumes responsibility for information security as part of their job function is a practical solution to the problem of insider threats.
For healthcare entities, particularly those charged with responsibility for IT and/or security:
- Perform periodic security risk assessments as the basis of your security program, including physical and administrative aspects, and including audits/assessments of employee practices,
- Use the results of the security risk assessment activity to adjust security controls, including updates to policies and procedures relating to employee practices and sanctions if necessary, and
- Educate and involve the employees in this process. View them as a partner in the job of protecting the patients’ data as part of their care.
Here are some excellent resources (data on insider threat and information on threat assessment) to help with these activities, available from the Computer Emergency Response Team or CERT at the Software Engineering Institute (SEI) at Carnegie Mellon University.
- Insider Threat Research (resource page)
- Securing Information in the Health-Care Industry: Network Security, Incident Management, and Insider Threat (webinar)
For employees:
- Take your part in security seriously
- Educate yourself on information security, and your organization’s policies and procedures
- Understand your particular role in the organization and what data you can/cannot legitimately access and/or disclose to others
- Report any anomalies that you see, whether they be in other employees’ actions, or a lack of clear policies, procedures, tools or educational materials that would help you make good decisions.
- View yourself as a partner in the process of protecting patient data
See the HIMSS Privacy and Security Toolkit for a comprehensive set of tools and resources on privacy and security.
Question for our Readers…
Each time I write a blog post, I hope to get a dialog started among the readers. So, tell us:
- What is the general level of awareness and/or climate in your organization with respect to insider threats?
- What steps is your organization actively taking to deal with insider threats?
- What other tools and resources have you found that would be beneficial for others?
[1] Ref: http://en.wikipedia.org/wiki/Hippocratic_Oath
[2] Also, see my blog post of October 7, 2010, “What HHS Breach Reports Tell Us…And What They Don’t!”