Insider Threats, HIPAA, and What Banks Need To Keep in View
Insider threats are growing in frequency, cost, and impact. In a recent RMA Journal article, Stephany Head—a strategic legal and policy professional who has advised federal agencies—notes that, according to the “2024 Insider Threat Report” by Cybersecurity Insiders, “83% of organizations reported at least one insider attack in 2024.” Insider threats are the primary cause of 60% of data breaches, and DeepStrike reports that “the average annual cost of insider threats has surged to $17.4 million per organization.” For banks, the stakes rise further when protected health information (PHI) and electronic PHI (e-PHI) are involved.
When banking work unexpectedly falls under HIPAA
Head explains that a bank can be deemed a HIPAA “business associate” when it goes beyond basic payment processing for a health-care client. Citing U.S. Department of Health and Human Services guidance, she notes that “a ‘business associate’ is a bank that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of (or provides services to) ‘covered entities’…” That can include claims processing, data analysis, billing, benefit management, practice management, and more—bringing HIPAA privacy and security rules squarely into scope.
Breach response has extra layers when PHI is in play
Once an insider-driven breach is identified, Head stresses immediate notification to the board, inside and outside counsel, and senior leaders responsible for cybersecurity, privacy, and HIPAA. For public companies, Securities and Exchange Commission rules require disclosure of any material cybersecurity incident, generally within four business days of determining materiality. If PHI is involved, organizations must notify affected individuals and the U.S. Department of Health and Human Services “without unreasonable delay” and within 60 calendar days—and, for breaches affecting more than 500 individuals, notify prominent media in the affected state.
Insider risk management has to be systematic
Head’s framework emphasizes governance and discipline more than one-off fixes. That includes dedicated HIPAA compliance and security roles; documented, regularly updated policies and procedures; defined processes for investigating violations; periodic risk assessments; and annual HIPAA internal audits. Technical expectations are also clear: privileged-account controls, integrity protections for data, and encryption for e-PHI in line with NIST guidance. As DeepStrike puts it, “Proactive detection is critical, as the average incident still takes 81 days to contain, with delays dramatically increasing costs.”
Why it matters for bank leadership
For banks that touch PHI—even indirectly through health-care clients—insider threats sit at the intersection of cybersecurity and HIPAA enforcement. Head’s bottom line is that banks need a repeatable way to react to insider breaches and a long-term program to “minimize and reduce future insider threats and breaches,” especially where PHI and e-PHI are part of the data mix.