Share this article on:
Healthcare data breaches are occurring in record numbers, but not all privacy and security threats come from outside the organization. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HCC) has recently issued a warning about the threat from within.
Insider Threats in Healthcare
Nation-state hacking groups, cybercriminal gangs, and lone hackers have long targeted the healthcare industry, but there is also a significant threat of data breaches due to insiders. Insider threats are those involving individuals within a healthcare organization, such as employees, but also contractors and business associates that have been provided with access to healthcare assets and systems. These individuals may be aware of the security practices employed by the organization and have awareness of the network, computer systems, and the location of sensitive data. Oftentimes they will have been provided with access to sensitive data to complete their work or contracted duties.
According to the Verizon 2021 Data Breach Report, there was a decline in external threats between 2017 and 2020 and a corresponding rise in internal threats. Insider threats include healthcare employees who abuse their access rights to steal patient data to commit identity theft and financial fraud, inside agents that steal sensitive data and provide that information to third parties, and disgruntled employees that wish to cause harm to their employers.
Data breaches involving these kinds of insider threats are often covered by the media and healthcare organizations often commit significant resources to protect against and identify these threats. Monitoring systems are employed to monitor for unauthorized accessing of healthcare records to identify employees who have been snooping on patient records or stealing sensitive data; however, the Ponemon Institute’s 2020 Insider Threats Report suggests these incidents only account for a relatively small percentage of insider threat incidents – around 14%.
Other insider threats include negligent and careless workers that act inappropriately and individuals that accidentally put IT systems and data at risk without their knowledge. The Ponemon Institute’s report suggests 61% of insider threat incidents are due to negligent insiders, with credential theft due to negligent insiders accounting for 25% of insider threat incidents.
Negligent insider incidents can be caused by employees not being aware of security policies, which is often a training issue. Employees should be made aware of the organization’s security policies during the onboarding process and should be periodically reminded about those policies thereafter as part of regular security awareness training.
Insider threats often involve data theft, fraud, or system sabotage, all of which can cause harm to the organization and patients/plan members. The Ponemon Institute’s study suggests global organizations lose $11.45 million annually as a result of insider threats.
Insider Threat Prevention, Detection, and Response
“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” suggests HC3, which also recommends revising and updating cybersecurity policies and guidelines, limiting privileged access and establishing role-based access control, implementing zero-trust and MFA models, backing up data and deploying data loss prevention tools, and managing USB devices across the corporate network.
Detecting threats requires constant monitoring of user activity and regular audits of access and activity logs. A security information and event management (SIEM) system should be considered to help with the logging, monitoring, and auditing of employee actions.
Insider threat awareness should form a part of security awareness training, which should be provided to employees during onboarding, with refresher training provided periodically thereafter. Employees should only be given access to the resources they need to complete their work duties, and strict password and access management policies and practices should be implemented. A formal insider threat mitigation program should also be developed along with an incident response plan to ensure prompt and effective actions can be taken when insider threats are identified.
You can view the HC3 Insider Threats in Healthcare Report here (PDF).