How prepared is your provider organization against cyber threats? A recent special report, “Cyber Security and Investigations,” released by Kroll Inc., a New York-based corporate investigation and risk assessment firm, points to often-overlooked areas of data security, and offers practical tips for bolstering security in those areas.
One area the report focuses on is inside threats from employees, joint venture partners and other third parties. I think this has special significance in light of the final omnibus regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), compliance with which will be required in September. The rule extends certain requirements to business associates of covered entities.
While the report is not focused on any particular industry, some of its conclusions are relevant to healthcare. As noted by Kroll managing director Michael DuBose, one of the report’s authors, it often takes a surprisingly long time before the victim organization discovers fraud. According to a 2012 insider threat study of the financial sector by Carnegie Mellon University’s Software Engineering Institute, an average of 32 months elapsed between the beginning of the fraud and its detection, and the threats were not particularly sophisticated. This suggests that many organizations need to beef up their monitoring of illicit cyber activity within their networks, and that the deficiency is not necessarily a matter of unusually skilled malicious insiders.
The report says that organizations need to get better at profiling employees who are likely to commit such crimes. It cites CSO Magazine’s 2012 CyberSecurity Watch Survey, in which organizations that had experienced cybercrime in the previous 12 months reported that 51 percent of the insiders involved had violated IT security policies and 19 percent had been flagged by a manager for behavioral or performance issues. It suggests that closer monitoring of those characteristics can be effective in preventing or quickly detecting cybercrimes.
It also says that when an employee leaves an organization for any reason, strict termination procedures should be in place to ensure that all network access privileges are revoked immediately. Organizations need effective internal monitoring of their networks to better identify unusual or suspicious user patterns. IT security should use centralized, system-wide logging to track data access, and log retention policies should ensure that logs remain accessible for a meaningful period of time, it notes.
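Two of the controls in that paragraph, revocation on termination and review of centralized access logs for unusual patterns, can be checked mechanically. The following is an added example, not code from the Kroll report or from this article; the log line format, the user names, the HR termination feed and the working-hours window are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the report): when HR says each user was
# terminated, and lines from a centralized access log in the assumed format
# "ISO-timestamp user system action object".
TERMINATIONS = {"jdoe": datetime(2013, 3, 1, 17, 0)}
ACCESS_LOG = [
    "2013-02-28T09:12:00 jdoe ehr-db read patient_record",
    "2013-03-01T16:45:00 jdoe ehr-db read patient_record",
    "2013-03-02T02:10:00 jdoe ehr-db export patient_record",
    "2013-03-02T02:11:00 jdoe ehr-db export patient_record",
    "2013-03-02T10:00:00 asmith ehr-db read patient_record",
    "2013-03-04T23:30:00 asmith ehr-db export patient_record",
]


def parse_line(line):
    """Split one log line into (timestamp, user, system, action, object)."""
    ts, user, system, action, obj = line.split()
    return datetime.fromisoformat(ts), user, system, action, obj


def post_termination_access(log, terminations):
    """Events by users whose access should already have been revoked.

    Any hit means the termination procedure failed or was bypassed, which is
    exactly the gap the report says leaves insider activity undetected.
    """
    hits = []
    for line in log:
        ts, user, _, action, _ = parse_line(line)
        cutoff = terminations.get(user)
        if cutoff is not None and ts > cutoff:
            hits.append((user, ts.isoformat(), action))
    return hits


def off_hours_exports(log, start_hour=7, end_hour=19):
    """Count data exports per user outside the assumed working-hours window.

    A simple "unusual user pattern" signal; a live review would compare each
    user's count against their own baseline rather than a fixed threshold.
    """
    counts = Counter()
    for line in log:
        ts, user, _, action, _ = parse_line(line)
        if action == "export" and not (start_hour <= ts.hour < end_hour):
            counts[user] += 1
    return dict(counts)
```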
In a published Q&A also included in the report, DuBose makes the point that the organization’s senior executive leadership needs to appreciate the magnitude of cyber threats and give them adequate priority and resources. He adds that mere compliance with industry regulations is insufficient by itself to ensure acceptable data and network security.
DuBose also notes that the size of the organization no longer matters: small and mid-sized organizations are being attacked with greater frequency, perhaps because their network security is perceived as lagging behind that of larger organizations. Thus, he says, a smaller healthcare provider may be at equal or greater risk than the largest hospital.