Case Points to Need to Mitigate the Risks Posed by Insiders
Unity Health Toronto’s St. Michael’s Hospital patient records allegedly were held for ransom by a vendor’s ex-employee.
A recent incident at a Canadian hospital, in which a vendor’s former employee allegedly kept copies of patient records after his employment ended and used them in an attempt to extort money from the vendor, illustrates the complex insider threats organizations face.
Unity Health Toronto is notifying about 150 patients treated at its St. Michael’s Hospital in Toronto that their data may have been compromised in the alleged extortion incident involving a former worker at medical transcription vendor Nuance Communications.
In a statement provided to Information Security Media Group, Unity Health Toronto notes: “St. Michael’s Hospital is working with Nuance Communications, the outside vendor responsible for this incident, to learn more about what happened and what steps they are taking to fix it.”
Further, a Unity Health Toronto spokesperson says: “The employee tried to use patient records to extort their employer – Nuance – not Unity Health Toronto.”
The Insider Threat
Data compromises involving insiders are an ongoing problem across all industries, says retired FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.
“In just the last year, it is estimated that almost 70% of cyberattacks against businesses have had an insider component, and these insider cyber incident attacks have risen by almost 50% in the last year,” he notes.
“While most businesses are rightfully concerned about external cyberthreat actors, they must not take their eye off the fact that the greatest threat from cyberattacks and loss of data actually lies from within the company itself in many cases.”
Unity Health Toronto has notified all patients affected by the security incident at Nuance.
“We apologize for any distress this may cause to the roughly 150 patients affected,” the organization says. “We understand that law enforcement authorities are involved and that legal proceedings have been initiated. We are also investigating the matter independently, and it is being reported to the Information & Privacy Commissioner of Ontario.”
Nuance did not immediately respond to ISMG’s request for further information about the incident.
In a letter sent to affected St. Michael’s Hospital patients, Unity Health notes that the incident involved “an outside company that transcribes clinical notes” dictated by hospital physicians.
“On May 13, we learned that a former employee of the company had taken and kept copies of several reports that he had transcribed,” the notification letter states. “The reports that he took included a dictated note about the care you received at the hospital. The former employee held onto the reports improperly after his employment with the company ended. On March 9, 2020, he used these reports in an effort to get the company to pay money to him.”
Information contained in the allegedly stolen reports includes patient names and medical and treatment information, such as chief complaints, medical and family history, clinical diagnoses, treatment assessments and plans, and medications, the letter says.
Unity Health notes in the letter that police have seized the computer on which the reports are believed to be stored.
“The courts have issued an injunction preventing the individual from further accessing or sharing any information from these reports,” the notification letter states. “The company has also told us that they have enhanced their information security practices to prevent this type of incident from recurring and have re-educated their staff on patient confidentiality and the appropriate use of patient information.”
Unity Health has not indicated whether the accused former Nuance employee worked on-premises at the hospital, in a Nuance office or remotely from home or another location.
“The challenging part of a situation such as this is that technology-based [access] controls only go so far,” says Keith Fricke, principal consultant at security consultancy tw-Security.
“Options may exist to prevent someone from printing patient information from within an application or even preventing a screen print. However, nothing can stop someone with authorized access to patient information from using a smartphone to take pictures of patient data displayed on a computer monitor,” he notes.
Worker behavior cannot be fully controlled, Fricke says. “When someone makes poor choices, the best a healthcare provider can often do is provide evidence that workers receive training on policies and understand expected behaviors and responsibilities as part of their employment.”
Auditors investigating such infractions look for evidence that the affected organization “did all the right things” in making investments in people, processes and tools to protect sensitive information, Fricke adds. “Doing that may minimize or eliminate fines and penalties and shift the consequences to the former employee.”
‘Classic Insider Attack’
Former FBI agent Weiss notes that the Toronto incident “has all the appearances of a classic ‘insider’ attack and, in reality, these are very hard to prevent and secure against when the employee is ‘trusted’ and behind the company’s IT security apparatus.”
If an employee needs certain documents to do their work, Weiss says, “it is borderline impossible to know or even prevent an insider from then copying or printing these documents for later nefarious use.”
While IT teams can “lock out” employees who don’t need access to certain information, controlling what authorized individuals do with data is tougher, even when employees sign agreements about permitted use, Weiss notes.
Remote Worker Risks
Healthcare entities and their vendors are facing challenging insider risk management issues because so many employees are working remotely during the COVID-19 pandemic.
“Planning for the worst-case scenario goes a long way when addressing remote work and employee termination when sensitive data is involved,” says Dustin Hutchison, president of security consultancy Pondurance.
“Data retention requirements should be addressed at the individual local storage and entity level, which becomes more complicated with a third-party vendor,” he notes.
It’s important to understand the vendor’s practices and ensure that the storage and use of data matches the expectations of the healthcare entity, he says. “In a remote work situation, removing access and retrieving assets creates more steps than a traditional situation.”
To help prevent insider incidents, healthcare entities should minimize the amount of data vendor employees can access, Hutchison says.
“Healthcare entities need to treat vendors the same way they treat systems from a risk assessment and risk management standpoint prior to … sharing any data,” he says.
Healthcare entities should spell out their security expectations for vendors and review implementation of security measures, he notes.
“Local storage of sensitive data should be minimized, which should be addressed by policies and procedures and technical controls,” he adds.
Meanwhile, a recent study conducted by three universities found that, under the “right” circumstances – such as facing financial problems – or for the “right price,” at least 10% of prospective healthcare sector workers admitted they’d be willing to unlawfully obtain and disclose patient information (see: Price is Right: When Insiders Are Willing to Violate HIPAA).
“Urgent money needs related to family and friends encourage respondents to break the regulations,” notes Chul Woo Yoo, co-author of the study and a professor at Florida Atlantic University.
“The recent study illustrated that, even with the perception of high punishment certainty, some insiders show willingness to violate regulations for the monetary incentives,” he says.
To help prevent malicious insider incidents, Weiss says organizations need to perform due diligence during the initial employee hiring process.
“Once the employee is working and has access to patient data, especially as a transcriber, this makes security and accountability much harder to enforce, especially if the employee is working from home,” he notes.
Organizations need to “spend the time and effort before the employee is hired to make sure the personnel you are hiring are as vetted and researched as possible,” Weiss adds. “This must include a background check and references.”
Once an employee is terminated, certain forensic techniques can be used to determine if documents were printed or copied to unauthorized external media, Weiss notes.
“But as a general rule, it is difficult to determine if a terminated employee has kept unauthorized copies of records they would have had access to as an employee, short of actually searching the employee or their home during the termination process – which is difficult … if there is no ongoing criminal investigation to give you the legal authority to use these techniques.”
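The post-termination review Weiss describes usually starts with the host’s own audit trail: Windows records file writes as Security event 4663 (when object-access auditing and a SACL are in place) and printed documents as PrintService event 307 (when the PrintService Operational log is enabled). The following triage script is an added example, not code from the article, Nuance or Unity Health: it reads a constructed, simplified JSON-lines export of those two event types (the record layout is assumed, not Windows’ native XML), and flags, for a named user in a window before termination, writes to drive letters the examiner has identified as removable media (the `REMOVABLE_MOUNTS` list is an assumed input recovered separately during triage) and print jobs.

```python
"""Triage of audit events for print / removable-media copy activity by a departed user.

Added example (not from the article or any vendor). Event IDs 4663 (Security:
object access, handle written) and 307 (PrintService: document printed) are
real Windows event IDs; the JSON record layout below is a constructed,
simplified export, not the native Windows event XML.
"""
import json
from datetime import datetime, timedelta

# Assumed input: drive letters the examiner has already tied to removable
# devices (e.g. from the host's mounted-device history). Constructed values.
REMOVABLE_MOUNTS = ("E:\\", "F:\\")

# Constructed sample export, one JSON object per line. Raw string so the
# JSON-escaped backslashes survive into the decoded Windows paths.
SAMPLE_EVENTS = r"""
{"ts": "2020-02-20T09:12:03", "event_id": 4663, "user": "jdoe", "object": "C:\\Transcripts\\rpt_1182.docx", "access": "WriteData"}
{"ts": "2020-02-28T17:41:10", "event_id": 4663, "user": "jdoe", "object": "E:\\backup\\rpt_1182.docx", "access": "WriteData"}
{"ts": "2020-02-28T17:41:12", "event_id": 4663, "user": "jdoe", "object": "E:\\backup\\rpt_1190.docx", "access": "WriteData"}
{"ts": "2020-02-28T17:41:20", "event_id": 4663, "user": "jdoe", "object": "E:\\backup\\rpt_1190.docx", "access": "ReadData"}
{"ts": "2020-03-02T08:05:00", "event_id": 307, "user": "jdoe", "document": "rpt_1201.docx", "printer": "HP-Floor2"}
{"ts": "2020-03-02T08:09:00", "event_id": 307, "user": "asmith", "document": "schedule.xlsx", "printer": "HP-Floor2"}
{"ts": "2019-11-01T10:00:00", "event_id": 4663, "user": "jdoe", "object": "E:\\old\\notes.txt", "access": "WriteData"}
"""


def parse_events(text):
    """Parse JSON-lines export into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def is_removable_write(rec, mounts=REMOVABLE_MOUNTS):
    """4663 with a write access right on a path under a removable mount point."""
    if rec["event_id"] != 4663 or rec.get("access") != "WriteData":
        return False
    prefixes = tuple(m.upper() for m in mounts)
    return rec["object"].upper().startswith(prefixes)


def is_print(rec):
    """PrintService 307: a document was sent to a printer."""
    return rec["event_id"] == 307


def triage(events, user, termination_iso, lookback_days=30, mounts=REMOVABLE_MOUNTS):
    """Return the user's removable-media writes and print jobs in the
    lookback window ending at the termination time (ISO-8601 string)."""
    end = datetime.fromisoformat(termination_iso)
    start = end - timedelta(days=lookback_days)
    findings = {"removable_writes": [], "prints": []}
    for rec in sorted(events, key=lambda r: r["ts"]):
        if rec["user"] != user or not (start <= rec["ts"] <= end):
            continue
        if is_removable_write(rec, mounts):
            findings["removable_writes"].append((rec["ts"].isoformat(), rec["object"]))
        elif is_print(rec):
            findings["prints"].append((rec["ts"].isoformat(), rec["document"], rec["printer"]))
    return findings


if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_EVENTS), "jdoe", "2020-03-06T00:00:00")
    for kind, items in result.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", *item)
```

Run against the constructed sample, the script reports two writes of transcript files to the `E:` mount and one print job for `jdoe` in the 30 days before the assumed termination date, while ignoring the read-only access, the copy to the local `C:` drive, another user’s print job, and an older write outside the window. The caveats Weiss raises still apply: both event sources must have been enabled before the fact, and the absence of findings does not prove nothing was taken, since a photographed screen or a personal cloud upload leaves no trace in either log.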