Privacy Experts: Beware of the Inside Job
In the world of protecting your patients' private data, you need more than the fancy equipment, the best encryption software on the market, and firewalls galore.
Take, for instance, the Virginia Prescription Monitoring Program (VPMP). A computer hacker reportedly removed more than 8 million patient records and 35.5 million prescriptions from the state-run VPMP Web site last week and demanded $10 million to return the information.
What happened and how can your company protect against a future problem? Lou Nardo, vice president of product management for Netcordia, a network configuration and management solutions company in Annapolis, MD, that specializes in HIPAA compliance, says IT folks worry too much about firewalls and security products rather than internal processes and controls.
"This may not have been a hacker," Nardo says about the VPMP case. "This may have been internal."
Netcordia recently surveyed its clients about internal systems and networks. More than 40% said they were worried about internal IT staff inappropriately leaving a "back door" into a system.
A third said the greatest threat to network availability comes from outside, but 49% said it comes from inside, though inadvertently.
VPMP's greatest threat may not have been a hacker across the globe. It could have been the coworker in the next cubicle at the VPMP.
"A disgruntled employee. That's the classic case," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, who specializes in HIPAA privacy and security. "The insiders know where your vulnerabilities are and where your assets are. Someone in the IT department could have done a bunch of things there. Set up bogus accounts, all kinds of things. It's pretty easy to do and get away with."
So how do you not let that happen?
Borten says you should make sure your internal database is buried deep inside your internal network, with layers of firewalls between it and the outside.
If the potential Virginia hackers "deleted the database, that shows some serious flaws," she says. "Leaving the database out front is a huge security mistake."
Naturally, if you encrypt the data well enough, "you're home free," Borten says. For Netcordia experts, it always comes back to internal processes.
Yama Habibzai, vice president of marketing for Netcordia, says facilities need to have systems in place that track who makes changes, when they were made, and why. And constant monitoring and auditing are key.
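The "who, when, and why" tracking that Habibzai describes, combined with the bogus-account scenario Borten raises, can be turned into a routine audit of a change log. The script below is an added example, not code from the article, from Netcordia, or from the VPMP; the log lines, the administrator roster, the nightly maintenance window, the change-ticket convention, and the list of sensitive actions are all constructed assumptions for illustration. It reads a small change log and flags entries where the actor is not an authorized administrator, where no change ticket records the reason, or where a sensitive change (account creation, privilege grant, firewall change, database export) happened outside the expected window.

```python
"""Audit a change log for insider-risk indicators: unknown actors,
undocumented changes, and sensitive changes made at unexpected times."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# --- Constructed policy inputs (assumptions for this example) ---------------
# Roster of people who are supposed to be making infrastructure changes.
AUTHORIZED_ADMINS = {"jdoe", "asmith"}
# Production changes are only expected during a nightly maintenance window.
CHANGE_WINDOW = (time(22, 0), time(23, 59, 59))
# Actions an insider could use to set up a back door or pull data out.
SENSITIVE_ACTIONS = {"create_account", "grant_privilege",
                     "firewall_rule_change", "db_export"}

# Constructed sample log: "<ISO timestamp> <actor> <action> <target> <ticket|->"
SAMPLE_LOG = """\
# timestamp            actor   action               target    ticket
2009-05-01T22:15:00    jdoe    firewall_rule_change fw-edge   CHG-1042
2009-05-02T03:40:00    rtemp   create_account       db-prod   -
2009-05-02T22:30:00    asmith  db_export            db-prod   CHG-1050
2009-05-03T14:05:00    jdoe    grant_privilege      db-prod   -
2009-05-03T22:10:00    asmith  config_backup        core-sw   CHG-1051
"""


@dataclass(frozen=True)
class ChangeEvent:
    when: datetime
    actor: str
    action: str
    target: str
    ticket: Optional[str]   # None when no change ticket (the "why") was recorded


@dataclass(frozen=True)
class Finding:
    event: ChangeEvent
    reasons: tuple[str, ...]


def parse_log(text: str) -> list[ChangeEvent]:
    """Parse the whitespace-separated constructed log format above."""
    events: list[ChangeEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        when, actor, action, target, ticket = line.split()
        events.append(ChangeEvent(datetime.fromisoformat(when), actor, action,
                                  target, None if ticket == "-" else ticket))
    return events


def in_change_window(when: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= when.time() <= end


def audit(events: list[ChangeEvent]) -> list[Finding]:
    """Return one Finding per event that violates at least one policy check."""
    findings: list[Finding] = []
    for ev in events:
        reasons: list[str] = []
        if ev.actor not in AUTHORIZED_ADMINS:
            reasons.append("actor is not on the authorized administrator roster")
        if ev.ticket is None:
            reasons.append("no change ticket recorded (the 'why' is missing)")
        if ev.action in SENSITIVE_ACTIONS and not in_change_window(ev.when):
            reasons.append("sensitive change made outside the maintenance window")
        if reasons:
            findings.append(Finding(ev, tuple(reasons)))
    return findings


def summarize_by_actor(findings: list[Finding]) -> dict[str, int]:
    """Count flagged changes per actor; a cluster on one person merits follow-up."""
    return dict(Counter(f.event.actor for f in findings))


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for f in results:
        ev = f.event
        print(f"{ev.when.isoformat()} {ev.actor:<7} {ev.action:<21} {ev.target}")
        for r in f.reasons:
            print(f"    - {r}")
    print("flagged changes per actor:", summarize_by_actor(results))
```

On the constructed log this flags two entries: an account created on the production database at 03:40 by a name that is not on the roster and with no ticket, and a privilege grant in the middle of the afternoon with no ticket. The point is that each of the three questions (who, when, why) becomes a mechanical check once changes are actually recorded; the checks are only as good as the roster and ticket discipline behind them, which is the "internal process" the article keeps returning to.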
Also crucial, Borten says, is configuring a system that has strong protections in the "buffer zone," or the area between your internal network and the Internet.
"How we configure and manage that buffer zone is very critical," Borten says. "It's something we call hardening the server. You need to make sure you know how it's being set up."
In other words, to avoid a potential historic breach of patient privacy:
- Know your internal system.
- Monitor it.
- Audit it.
- Protect that database.