Employee Snooping & Insider Threats

1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats.

Catherine Short

Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel.

On today’s episode, we are speaking with Raymond Ribble, CEO and founder at SPHER Inc, a market leading compliance analytics cybersecurity solution addressing HIPAA compliance, state privacy laws and ePHI security threats, on the topic of “Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen, as we identify the signs of employee and contractor unauthorized access, provide guidelines to prevent employee snooping, and offer procedures to detect insider threats.

So thank you, Ray, for joining me on First Talk Compliance. It’s a pleasure to have you on.

Raymond Ribble

Thank you for having me today. It’s great.

Catherine Short

Yes, always wonderful to talk to you. So Ray, I have a question for you to start off. I know when people think about threats to their organization, they often worry about external risks such as hackers. Would you say that this is the right focus?

Raymond Ribble 2:15

For an organization, it’s not the wrong focus. It’s what we read about in the press the most. We’re online looking at some healthcare rag, and what they’re talking about is some type of external threat that impacts the organizations. And I think from a cost perspective, it is the most impactful. Somebody coming in from the outside, a hacker to use the term, can cause hundreds of thousands if not millions of dollars in damage to an organization. Ransomware would be a perfect example of that. You or I don’t want to have to pay some X number of bitcoins in order to get access back to our data, knowing that, now that they’ve done that, they’re probably going to come back and do it again. Having said that, I think the equal component of that is what we talked about in terms of snooping and the insider threat, because an individual snooping and then taking that information that they get through snooping and sharing it through social media, or in gossip to somebody on the outside, potentially could have a financial impact to an organization, more so today in 2022 than, say, 20 years ago or 30 years ago. So are hackers real? Yes, they are. Is the hacker the thing that you should stay awake at night worrying about? Not as much as you think. 26% of the breach events that are captured by most organizations that are responding to our surveys out there, IBM Parliament being the best, indicate that snooping and insider threats are much more detrimental to the business than the hackers on the outside. I think they’re more prevalent. I think that 67%, if I remember the number correctly, is what we have in terms of the percentage of healthcare breach types that come from inside the organization, not outside. I think we tend to focus on what that cost is to the organization if we get caught, when we get caught, and so therefore hackers are more prominent, because we use that word as a catch-all for everything from phishing to ransomware to XYZ. Does that make sense?

Catherine Short

It does. So all the time in the news and media and everything, we hear about ransomware, ransomware, there’s a cyber attack. So if you were talking about ransomware and cyber attacks versus insider snooping, which is one of the topics here, and employees snooping, what would you say then? Could you expand on that just a little bit more?

Raymond Ribble

I’m more worried about the insider threat personally. I think that there are things that we can do from a technology perspective to significantly limit our exposure to ransomware type events. So if we can educate our end users to not click on anything that comes up on their screen, to not look at third party applications or ads and click on them to go see if that shirt from China is really interesting, and whether I really can get something for $25 that I’d have to pay $200 for, is worth it. Because when I click on that, what I’m actually doing is opening up a hole into my data system. So if we can educate people not to do those types of actions, through technology and encryption and such, then we can reduce the exposure to a ransomware event through that.

On the other hand, if I have people in my office who are snooping or, worse, in a malicious sense, stealing the credentials and giving those credentials to somebody else in order to create havoc, that cost is exponential to our organization. That goes back to a major breach; it goes back to being measured in hundreds of thousands, if not millions of dollars. The impact to your organization from a cybersecurity insurance perspective is significant. The reason we have that feeling, Catherine, is because what articles we typically see out there in the press, whether it’s online or in print, are stories about ransomware, a hospital being shut down, not being able to access their files. It’s rare that we see a story about a snooping incident, such as, say, the Justice Mueller in Chicago, where it makes it to the point of news that’s worthy of being talked about. So it’s kind of a hidden crime in an organization, and a lot of people think, well, is it really causing the damage?

Catherine Short

So right. Can you give me some examples of what you’re talking about when you mention insider threats or employee snooping?

Raymond Ribble

Yeah, the worst one that we’ve had with our organization, where we work with a client, was an incident where they were brand new to our technology; we implemented the system for them. And maybe a little bit of background. It is a rural hospital. You and I both know that we love to talk about others. I mean, TV is loaded with shows about other people’s lives and reality TV, but what’s more reality than snooping on what’s happening in my community vis-à-vis their healthcare and what they’re coming in for, what type of ailments they have? This organization went live with SPHER, and in the first month of using the system they had 1,800 snooping alerts. 1,800.

Catherine Short 7:50

Wow, that was from one organization?

Raymond Ribble

That was for one place, it was the hospital, and when we sat down with that team and investigated the 1,800, they were all legitimate. There were no false positives; everything was legitimate. They had a very, very bad problem in this hospital.

Catherine Short

That was in a month?

Raymond Ribble

That was in one month.

Catherine Short

Oh, my gosh, there must be a lot of gossiping going on there.

Raymond Ribble 8:22

Yeah. I’m not gonna say where it was, other than it was a rural hospital. It would be bad. But let’s just say, yeah, there was a lot of gossiping in an area that’s famous for gossip like that. Everybody listening can say, now that’s my area. But now, though, this is one that we probably would all agree upon. We sat down with them, and this is where, once they understood this was real, then they said, okay, how are we going to solve this problem? And it really came down to the CIO, in this case the CISO, saying, okay, we’re clearly not educating our users on security and we don’t have a culture of compliance in this organization. So she decided to make it very public what they had found, to share some of the analytics without calling anybody out, since it was everybody, and saying, okay, this is going to change immediately. We’ve implemented the system to monitor, so I’m looking at you; just know that from today. Within two months, the snooping dropped from 1,800 to five, five incidents, and those five incidents, she told us, could all be explained. So, you know, in essence she said, yeah, they did look, but here’s the reason they looked, and she could accept that, so basically zero. Once people knew that somebody was looking at them looking at other people’s data, they stopped. Maybe they found a new way to do it, but they weren’t using the EHR system or the EMR system as their main source of office gossip. How’s that?

Catherine Short

Wow. So when you have an incident where someone is looking at someone’s medical records, say like an ex-spouse or the ex-spouse’s new wife or something like that, what do you do?

Raymond Ribble

So we have to be very careful. I think I mentioned this to many people: at SPHER, we’re not the HIPAA police. My tool that I make available to my clients, the SPHER dashboard and the alerts that you get, that’s where you start. We do the hard job of identifying areas that might be worthy of an investigation; you’re then looking at that data and determining, is this meaningful information that SPHER is giving me and should I take action on it? Yes or no. If it’s a normal action, you tell the system it’s normal and you won’t see that again. That becomes part of that person’s profile. However, in many instances, when people do identify and do the investigation, they’ve called us to say, hey, look, I just saw something here, I did an investigation, can you look at it with me? We have their permission to do so. And then we’re just looking with them to make sure that they’re interpreting the data correctly. The final decision is theirs, not ours. And as I say whenever I speak, this is where they want to reach out to an organization like yours, Catherine, and have a conversation with somebody who’s like a HIPAA consultant, or like Rachel Rose, somebody who is a HIPAA law attorney, and have a discussion about how should I handle this going forward? We’ve had incidents where physicians have gone into the system and taken data that was so random that it showed up in the alert, and they were giving that data, it turns out, to somebody else that used it, as part of your example, in a divorce proceeding for custody of the children. And the only way that that data could have been gotten on the wife, in this instance, was through the medical record, because it was very private. How did he get it? Of course, somebody else took it out of the system, gave it to him, and he used it in a court of law. That was a no-no, and they should have thought about that before they did it, but they did it anyways, and so they got busted for that. I mean, think about the ramifications of a doctor in that, in court.

So we do see real instances of people at very high levels going in and snooping or maliciously exfiltrating data for the purposes of something that might be legal in nature or monetary in nature. And we see that more often than you’d like to believe.

Catherine Short

If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.

I have a question then. What do you recommend to administrators and managers for creating a culture of compliance and then balancing this with the feelings of employees when a new system is implemented, that they might feel like they’re being micromanaged?

Raymond Ribble

They’re very concerned, the administrators and the senior managers and CISOs that we work with; they’re really concerned about that question that you’re asking. I want to do this, but I don’t want to send a negative message to my employees. I don’t want to tell them I don’t trust them. I don’t want them to think that, oh, you know, we’re watching everything they did – we are. How do I do this proactively? And so we’ve had some really creative organizations that have shared with us what they did do. That’s how I’ll answer your question, by sharing with you what I heard people do that I thought was very innovative.

So they have a regular lunch, or they have a regular session that’s scheduled every month or every couple of months in the organization. They take some of the analytics that they’ve learned from SPHER and integrate that into the learning process. They talk about, hey, we’ve noticed over the last couple of years in the United States that the threat vector in terms of breaches through phishing, and hackers, and even insider threats is increasing, and as an organization, we want to do what we can to protect ourselves, protect our patients. So it’s a bit of a manipulation of the words, but they come up with a very creative way of saying, we’re doing this to protect the people who come in here in order to get healthy, and, you know, this is a team effort. It’s not a me-looking-at-you effort. It’s an us-looking-at-what’s-happening effort in order to make sure that we’re protecting our patients from any external threat. The byproduct is the internal threat gets addressed as well.

So they take it from a negative message to a positive message, and they use different vehicles like team training, or the company lunch, or some type of a newsletter that they have in the organization to start making that a regular part of the presentation, and maybe introducing incidents that happened in the past and the corrective action that the organization took. It sends a secondary message of, hey, I am looking and we are aware of these things, and if that happens to you, you might be the person, or at least the incident’s going to be highlighted in the next newsletter or the next company meeting. So let’s watch our P’s and Q’s, let’s be better at how we access data and what we share.

Catherine Short 15:44

I think that’s very helpful for everyone.

Raymond Ribble

You know, we always talk about penalties; we never talk about rewards. So if employees were to come to us with ideas on how we could improve our security posture, maybe there should be a reward for them doing that versus penalties for somebody who does something wrong.

Catherine Short

Right, everyone likes to be rewarded. No one likes to feel like they’re a bad dog, you know, with a smack with a newspaper or worse, obviously.

Raymond Ribble

I think it gets viewed by the team, the employees, in a much more positive light if this is something we’re doing together. Hey, and if you have an idea on how we can improve it, I’d love to hear it. We sat down with the doctors, and I’m thinking about who we work with: a lot of clinics that are somewhere in the range of, say, 100 to maybe 1,000 employees. So they’re always looking for creative ways to incentivize everybody doing better; it’s performance based. So security becomes a performance metric as well, and providing better security and doing a better job of creating that culture should be something that can be rewarded within the organization.

Catherine Short

True. I have a question again about audits. So what’s the probability that someone would get audited? What are your thoughts on that?

Raymond Ribble

Yeah, broad question. I’m going to attack it based on just what I’ve seen. I live in California, Catherine. So last year, I think it was last year, I lose track now, we passed the California Consumer Privacy Act. My understanding is within the next two years, if not all, almost all of the 50 states and territories will have some type of Consumer Privacy Act in place. In many instances, like in California, some of that law supersedes HIPAA in terms of reporting, in terms of having to grant access to patient data to the consumer, to the patient, and that could result in punitive actions and/or investigation. So when we think about audit, you and I, we probably focus more on OCR-related, Health and Human Services-related activities. I think what’s happened is the landscape has changed. It’s gone from a federal HHS issue to include state-level privacy and security laws that now, in many instances, again, can supersede what we have in terms of accountability, record keeping, documenting, and being able to prove that somebody did or didn’t do something within an organization. I think the probability of an audit today is much higher than the probability of an audit, say, two years ago or five years ago. It’s not a real number for you. That’s what people are faced with today. So I can’t give you a specific number. I don’t know one. But I know that that threat vector for us as organizations is increasing, not decreasing, because now we have federal and state that impact us. Does that make sense to you in the way that I’m stating that?

Catherine Short 18:45

Absolutely, actually, yes. And I’m glad you mentioned California, because California, I know, I always think of as being kind of like Europe with the GDPR and having more stringent laws than federal.

Raymond Ribble

A lot of other states flew into Sacramento and sat down with the state of California to see how they put that consumer privacy act together, and in many instances, for the other states, it’s a derivative of the California Privacy Act.

Catherine Short

Right. I have another question concerning security. What are your thoughts on the security of automatic logins on the computer, like if it asks you if you want to save the password, and then you can just log in automatically next time? And then, following up on that, isn’t it a problem when it asks you to show your password? I always feel like I’m suspicious that someone out there might be capturing my screen. I might be extra paranoid, but at that, I think maybe not. I don’t think so. I feel like somebody’s watching.

Raymond Ribble

Good question. I hate passwords. I bet you hate passwords too. I’m a big advocate for, at some point, I think we are going to move away from them. I think we’re going to move more towards biometrics, which I think is a better way to secure the data anyways, whether it’s a fingerprint or a voiceprint or an eyeball, whatever the case may be. I think they’re coming up with some really innovative solutions that we can incorporate. And I think we’re gonna see the MacBooks and the Microsoft workstations out there start to incorporate that technology in the years to come. That will allow us to move away from passwords. So your question is about having those passwords saved? Because I know that in a Microsoft and in an Apple world, you find online they will say, oh, do you want to save this password? And it gives you the username and the password, and boom, it’s sitting there. So if somebody were to break into your PC, they can go find that file; it’ll tell them every application that you have access to and what the login and password is. So is that dangerous? Yes, it is.

I guess if you’re really smart, you know what you’re using. Don’t do it. Your question, you kind of answered your question in the way that you asked it: don’t do it. Is it a risk? Yes, it’s a risk. I would start by saying, make sure your PC is encrypted, make sure you actually have a sophisticated login process to get into your PC itself. Because there’s only a few barriers of deterrent between your PC and all that data that we’re talking about. So please make sure you have a real stringent password in place that you can remember, that’s not written down, and by the way, that one doesn’t get saved into that file, and you’re gonna have to remember that, right? Otherwise, you’d have to do a jailbreak to get into your own machine. So, you know, you’ve probably had those instances, and they’re like, well, you don’t know the password and we’ve got to break into it, kind of a thing. So that’s a real problem.

The first part of my answer is, yeah, I think that is a risk. I know I have some there; I try to think about which ones I want to have saved on there versus the ones that do. So I don’t want my bank information on there. I don’t want access to any sensitive materials on there. I don’t even want my Amazon account on there, because God forbid somebody gets on Amazon and my card’s already loaded into Amazon and they go on a shopping spree, right? It might seem innocuous, but it actually can be very damaging to you. If you can avoid doing it, please do. And your applications, whether you’re using Chrome or whatever, say, hey, do you want to store it? And you’re like, sure, why not? That way, one more I don’t have to remember. The problem is, the bad guys know how to find that file probably faster than you and I could.

Catherine Short

Right. That’s why I’m asking.

Raymond Ribble

But the reality is, no, you don’t want to use it. If you can avoid using it, you want to create sophisticated passwords, which I think is the solution to that. Your username is usually your email; I mean, it’s almost 90% of the bar. And then sophisticated passwords. I always use the example, and it’s just an example, I like the Boston Red Sox; count that out in terms of the number of characters. Anything longer than 12 characters is really sufficient at defeating the algorithms that the hackers or a malicious insider might use in order to run against your machine to break the password code and get in. Most of the algorithms that they use are looking for an eight character based password. Once you move from eight to nine, nine to ten, ten to twelve, twelve to whatever, the time it takes for it to break into your machine grows exponentially. We’ll come back to why it’s taking too long; I don’t want to get into it. Now, if they’re really hell-bent on breaking into your PC or into your server, they’re going to do it, because they’re happy to sit there hours, days, weeks to break into your PC; well, you’re dead in the water. But most incidents are not that way. Another thing I might throw in here, just as a side note, Catherine: don’t use your PC at Starbucks or the local coffee shop, because there are too many unscrupulous people out there using very simple $20 devices that can hack into your machine while you’re logged in. So, you know, if you’re on your phone, be careful what you’re looking at. Don’t do that kind of work, and don’t access those applications when you’re out in public. Keep that to your house, and again, make sure you encrypt your PC and, to the extent that you can, avoid putting those passwords on your PC. That’s a long answer to an easy question, but sorry.

Catherine Short

Okay, very sound advice. I very much appreciate that. Well, I think that we are just about out of time here. Have you thought of any words of advice that you wanted to leave with our listeners?

Raymond Ribble

No, I don’t think so. I think what I try to do in my presentations, Catherine, is the salient points that I’m trying to get across. I think for me, it’s upgrading your systems and making sure that the patches are properly up to date. It’s talking to your teams about security; I think it’s that simple. If they know that you’re thinking about it, they’ll think about it. If you don’t talk about it, they’re not going to be worried about it. Talk about security, start talking about what we can do to improve security, and work with my IT team to make sure that we have systems in place that allow us to regularly and properly monitor what’s happening within our system. It’s not about trusting or not trusting your employees; we don’t know who’s surrounding them, we don’t know what’s happened in their life in terms of some life-changing incident that may move them from being the regular employee to being willing to do something that we might judge as malicious. And it could be, again, for that personal gain, but more importantly, it could be a reason for financial gain. If somebody is in a situation where they need to get money really fast, and the wrong person approaches them and tells them that, hey, some of those medical records would be worth thousands of dollars to me, you go from a very good employee to a very bad employee, and sadly, it happens a lot. I’ve sat down with the FBI, I’ve sat down with OCR investigators, and they’ve heard enough stories about those types of situations to know that it’s very real, that it’s that one incident that kind of broke the camel’s back and allowed or encouraged somebody to go do something that for many, many years they’ve never done before. So yeah, we trust our employees. I think we all do. I do, I trust all the employees in my office, but having some type of regular and appropriate system that’s documented, that I can demonstrate to an outside party, a defense lawyer during an audit or during a deposition, that, hey, we do these things to protect our office, and therefore it’s not about not trusting my employees, it’s just making sure that we’ve done everything to protect our patients. I tend to look at it that way, Catherine.

We had an organization who, using our technology, identified a user who had been with them for 17 years, who was going in and modifying records after the fact during lunch. Now, they were new to SPHER, so they caught this with SPHER. They radically looked at it, they started going back in the records, and they found that she’d been doing it for 10 years. Why? For financial gain. She was taking a little bit off the top, and when we sat down with the doctor as part of the investigation, they indicated that, oh, wow, every year we always seem to be coming up short in different areas, and we thought it was really bad. We even changed our organization that did our collections for us a couple of times, thinking that they were the ones doing it wrong. We never once considered there might have been somebody internally that was doing this.

Catherine Short

Oh, wow! That’s actually very sad. You never know.

Raymond Ribble

You never know. I don’t think you should feel bad about monitoring your end users. We’re just protecting our business from some event that could be catastrophic in terms of everybody losing their jobs because of a breach. With SPHER, we look at 100% of all the activity of all the users every day, because you couldn’t possibly do that. Our users can read easily, and intuitively say, oh, yeah, that’s a problem. I can see why SPHER flagged that, and let me investigate that. Bam. Make sense?

Catherine Short 28:22

Yes. Okay. Well, I think we’re about ready to wrap up our presentation then. So I wanted to thank you again so much for sharing your time with us and your expertise. So thank you for being with us today.

Raymond Ribble

Thank you for having me today. It’s always a pleasure, and good luck to everybody out there.

Catherine Short

And thanks to our audience for tuning in to 1st Talk Compliance. You can learn more about the show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1stTalkCompliance. You can also email me at catherineshort@1sthcc.com. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind.