Employees can be like friends, some may even be like family. You celebrate birthdays with them, mourn the deaths of their pets, and chat about weekend plans. It is human nature to let down your guard because friends and family shouldn’t do anything to hurt you or your business. That natural trust is often the basis for relaxing and shortcutting safeguards. New remote access technology compounds the temptation to ignore basic business security practices.
Julius Caesar also trusted and depended on his colleagues. In Shakespeare's play, Caesar underestimated the threat to his power from insiders in the senate, including those he considered his friends. As the murderous senators gathered around him, Caesar at first fought back. However, when he saw that even his trusted confidant Brutus was raising a knife against him, he gave up. He breathed his last words, "Et tu, Brute?", or "Even you, Brutus?"
Since then, Et tu, Brute has been used as a literary device to signify the pathos and surprise of betrayal by a friend. Healthcare is an industry likely to experience an Et tu, Brute moment.
Breaches are not always accidents. Current and former healthcare employees are the biggest threats to patient HIPAA privacy. Protected Health Information (PHI) can be monetized. Nearly half of insider breaches of PHI are for money, and healthcare data brings real cash. In a 2018 survey, almost one in five surveyed employees said they would steal data for the right price. One in four said he or she knew of a healthcare employee who had already sold PHI or passwords to an unauthorized outsider.
An intentional HIPAA breach may also be the vengeance of a disgruntled employee. An intentional PHI breach is one of the more effective methods of retribution: big, expensive breaches sometimes get management fired. On the discussion website Reddit, a recent poster described how he created havoc by changing all of his business' passwords to 100-character random strings and then altering the WiFi and router passwords just before he was fired. The lesson for any practice is that the credentials for shared infrastructure should never be known to only one person, and that an employee's access should be revoked before, not after, the employee learns of the separation.
Watch for these employee behaviors that signal a change in routine and perhaps something nefarious:
- Lots of take-home paperwork. Unless print jobs are logged, printed paper containing PHI leaves no electronic trail leading directly back to the employee, which makes it an attractive way to remove data.
- Unusual employee hours. If an employee starts routinely staying late or coming in very early, the extra unsupervised time could be used to copy PHI to sell for profit.
- Never taking vacation time. The employee may never take vacation time because a replacement employee could discover the illicit mechanism used to harvest the valuable information.
- Excessive absences in a formerly reliable employee. Sensing that the fraud is about to be uncovered, the employee does not want to be around.
- Suddenly asking how to access files. Previously uninterested in the company technology, an employee now wants to know all the details.
- Significant change in employee spending or lifestyle. Financial pressures may create a greater incentive to find an easy source of cash. In the same way, luxury cars or a new interest in exotic vacations unexplained by the employee’s known income could signal a problem. New activity in casinos or gambling is also an important risk factor.
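Several of the behavioral signs above have a technical counterpart in the access logs that HIPAA already requires covered entities to keep: after-hours access to patient records (the "unusual employee hours" sign) and a sudden jump in the number of records one user opens or exports (the "suddenly asking how to access files" sign). The script below is an added example written for this article, not code from LAMMICO or from any EHR vendor. It assumes a hypothetical audit-log line format (timestamp, user, patient record, action), invented sample data, business hours of 7:00 to 19:00 on weekdays, and the flagging thresholds shown in the code; a real deployment would read the EHR's own audit export and tune the thresholds to the practice's normal workload.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import mean

# Constructed sample audit trail (invented data, not from any real system).
# Assumed line format: ISO timestamp, user id, patient record id, action.
_BASE_LINES = [
    "2024-03-04T09:12:00 jdoe P1001 VIEW",
    "2024-03-04T09:40:00 jdoe P1002 VIEW",
    "2024-03-04T10:05:00 mroe P1003 VIEW",
    "2024-03-04T14:30:00 jdoe P1004 VIEW",
    "2024-03-05T08:50:00 jdoe P1005 VIEW",
    "2024-03-05T11:20:00 mroe P1006 VIEW",
    "2024-03-05T15:10:00 jdoe P1007 VIEW",
]
# One evening burst: user "mroe" exports 40 records after hours on a Wednesday.
_BURST_LINES = [
    f"2024-03-06T21:45:{i:02d} mroe P{2000 + i} EXPORT" for i in range(40)
]
SAMPLE_LOG = "\n".join(_BASE_LINES + _BURST_LINES)


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def after_hours_counts(records, day_start=time(7), day_end=time(19)):
    """Count, per user, accesses on weekends or outside business hours."""
    counts = defaultdict(int)
    for r in records:
        ts = r["ts"]
        weekend = ts.weekday() >= 5  # Saturday=5, Sunday=6
        if weekend or not (day_start <= ts.time() < day_end):
            counts[r["user"]] += 1
    return dict(counts)


def volume_spikes(records, factor=5.0, min_records=10):
    """Find days on which a user touched far more distinct patient records
    than on that user's other logged days. Returns {user: [(day, n), ...]}."""
    per_day = defaultdict(lambda: defaultdict(set))
    for r in records:
        per_day[r["user"]][r["ts"].date()].add(r["patient"])
    spikes = {}
    for user, days in per_day.items():
        for day, patients in days.items():
            n = len(patients)
            others = [len(p) for d, p in days.items() if d != day]
            # Need a baseline to compare against, and ignore tiny counts.
            if not others or n < min_records:
                continue
            if n > factor * mean(others):
                spikes.setdefault(user, []).append((day.isoformat(), n))
    return spikes


def flag_users(text, after_hours_threshold=5):
    """Combine both indicators into {user: [reason, ...]} for review."""
    records = parse_log(text)
    ah = after_hours_counts(records)
    spikes = volume_spikes(records)
    flagged = {}
    for user in sorted({r["user"] for r in records}):
        reasons = []
        if ah.get(user, 0) >= after_hours_threshold:
            reasons.append(f"{ah[user]} after-hours accesses")
        for day, n in spikes.get(user, []):
            reasons.append(f"{n} distinct records on {day}")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_users(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On the sample data only mroe is flagged, for both the 40 after-hours accesses and the one-day spike against a baseline of one record per day; jdoe's daytime activity stays under every threshold. A flag is a reason to look, not proof of wrongdoing: on-call clinicians legitimately work nights, and a records-request clerk legitimately opens many charts, so the review that follows should compare the pattern with the employee's actual duties.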
If you notice these behaviors, further investigation may be necessary to determine if something malicious is occurring. If after an investigation it becomes clear that you need to terminate an employee, LAMMICO can assist you. Terminating an employee requires more than just a call to HR. Contact the LAMMICO Risk Management & Patient Safety Department at 504.841.5211 for a sample employee separation policy and checklist to ensure that your business’ IT security practices are updated when there is an employee separation.