1st Talk Compliance features guest Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “Employee Snooping & Insider Threats.” Ray joins our host Catherine Short to discuss snooping and insider threats and why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup, vulnerabilities, and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen as we identify signs of unauthorized access, provide guidelines to prevent snooping, and offer procedures to detect insider threats.

Catherine Short:

Welcome, and let’s 1st Talk Compliance. I’m Catherine Short, Manager of Virtual Education at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complementary educational resources. We help create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes. You can also follow us on Instagram, Twitter, and subscribe to our YouTube channel.

On today’s episode, we are speaking with Raymond Ribble, CEO and founder at SPHER Inc, a market leading compliance analytics cybersecurity solution addressing HIPAA compliance, state privacy laws and ePHI security threats on the topic of “Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to the security of sensitive patient information and data protection. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to purposefully disclose patient information. Since employees and contractors may have knowledge of your network setup vulnerabilities and access codes, snooping employees with malicious intent hold the key to exposing your organization to a series of unwanted risks and threats. Listen, as we identify the signs of employee and contractor unauthorized access, provide guidelines to prevent employee snooping, and offer procedures to detect insider threats.

So thank you, Ray, for joining me on First Talk Compliance. It’s a pleasure to have you on.

Raymond Ribble

Thank you for having me today. It’s great.

Catherine Short

Yes, always wonderful to talk to you. So Ray, I have a question for you to start off. I know when people think about threats to their organization, they worry often about external risks such as hackers. Would you say that this is the right focus?

Raymond Ribble  2:15

For an organization, it’s not the wrong focus. It’s what we read about in the press the most. We’re online looking at some healthcare rag, what they’re talking about is some type of external threat that impacts the organizations. And I think from a cost perspective, it is the most impactful. Somebody coming in from the outside, a hacker to use the term, can cause hundreds of thousands if not millions of dollars in damage to an organization. Ransomware would be a perfect example of that. You or I don’t want to have to pay some X number of bitcoins in order to get access back to our data knowing that now that they’ve done that, that they’re probably going to come back and do it again. Having said that, I think the equal component of that is what we talked about in terms of snooping and the insider threat, because an individual snooping and then taking that information that they get through snooping and sharing it through social media, or in gossip to somebody on the outside, potentially could have a financial impact to an organization more so today in 2022, than say 20 years ago, or 30 years ago. So are hackers real? Yes, they are. Is the hacker the thing that you should stay awake at night worrying about? Not as much as you think. 26% of the breach events that are captured by most organizations that are responding to our surveys out there, IBM Parliament being the best, indicate that snooping and insider threats are much more detrimental to the business than the hackers on the outside. I think they’re more prevalent. I think that 67%, if I remember the number correctly, is what we have in terms of the percentage of healthcare breach types come from inside the organization, not outside. I think we tend to focus on what that cost is to the organization if we get caught, when we get caught and so therefore, hackers are more prominent because we use that word as a catch all for everything from phishing, to ransomware to XYZ. Does that make sense?

Catherine Short

It does. So all the time in the news and media and everything we hear about ransomware, ransomware there’s a cyber attack. So if you were talking about ransomware and cyber attacks, versus insider snooping, which is one of the topics here and employees snooping, what would you say then? Could you expand on that just a little bit more?

Raymond Ribble

I’m more worried about the insider threat personally, I think that there are things that we can do from a technology perspective to significantly limit our exposure to ransomware type events. So if we can educate our end users to not click on anything that comes up on their screen, to not look at third party applications or ads, and click on them to go see if that shirt from China is really interesting, and I really can get something for $25 that I’d have to pay $200 for, is worth it. Because when I click on that, what I’m actually doing is opening up a hole into my data system. So if we can educate people not to do those types of actions, through technology and encryption and such, then we can reduce the exposure to a ransomware event through that.

On the other hand, if I have people in my office, who are snooping or worse, in a malicious sense, stealing the credentials, and giving those credentials to somebody else in order to create havoc, that cost is exponential to our organization. That goes back to a major breach, it goes back to being measured in hundreds of thousands, if not millions of dollars. The impact to your organization from a cybersecurity insurance perspective, is significant. The reason we have that feeling, Catherine is because what articles we typically see out there in the press, whether it’s online or in print are stories about ransomware, a hospital being shut down, not being able to access their files. It’s rare that we see a story about a snooping incident, such as say, the Justice Mueller in Chicago, where it makes it to the point of news that’s worthy of being talked about. So it’s kind of a hidden crime in an organization that a lot of people think well is really causing the damage?

Catherine Short

So right. Can you give me some examples of what you’re talking about? When you mentioned insider threats or employee snooping?

Raymond Ribble

Yeah, the worst one that we’ve had with our organization where we work with a client, was an incident where they were brand new to our technology, we implemented the system for them. And maybe a little bit of background. It is a rural hospital. You and I both know that we love to talk about others. I mean, TV is loaded with shows about other people’s lives and reality TV, but what’s more reality than snooping that what’s happening in my community, viz a viz their healthcare and what they’re coming in, what type of ailments they have. This organization went live with SPHER and in the first month of using the system, they had 1800 snooping alerts. 1800.

Catherine Short   7:50

Wow, that was from one organization

Raymond Ribble

That was for one place, it was the hospital and when we sat down with that team, and investigated the 1800s, they were all legitimate. There was no false positives, everything was legitimate. They were they had a very, very bad problem in this hospital.

Catherine Short

That was in a month?

Raymond Ribble

That was in one month.

Catherine Short

Oh, my gosh, there must be a lot of gossiping going on there.

Raymond Ribble  8:22

Yeah. I’m not gonna say where it was, other than it was a rural hospital. It would be bad. But let’s just say yeah, there was a lot of gossiping in an area that’s famous for gossip like that. Everybody listening can say, now that’s my area. But now though, this is one that we probably would all agree upon. We sat down with them and this is where once they understood this was real, then they said, Okay, how are we going to solve this problem? And it really came down to the CIO. In this case, the CISO, saying, Okay, we’re clearly not educating our users on security and we don’t have a culture of compliance in this organization. So she decided to make it very public what they had found, to share some of the analytics without calling anybody out since it was everybody and saying, Okay, this is g