Data Breach Insider Threat

In April of 2022, the Department of Health and Human Services (HHS)’ Office of Information Security issued a 27-page publication, entitled “Insider Threats in Healthcare.” The publication covers a significant trend in cybersecurity: More and more, healthcare organization data breaches are being caused by internal (employee) action as opposed to actions from outside third parties.

HHS defines an “Insider threat in the Healthcare and Public Health (HPH) Sector” as “a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization’s security practices, data, and computer systems, [who] could use this information in a way that negatively impacts the organization.” Insider threats can cause data breaches. The subject of insider data breaches is discussed below.

There’s Negligence Inside: HHS Warns of Increases in Insider Data Breaches

As HHS notes, there are several types of insider threats. These include:

  • Careless or negligent workers
  • Malicious insiders
  • Inside agents
  • Disgruntled employees

There is a mismatch between the amount of money healthcare organizations spend to prevent data breaches from each group and the amount of harm each group causes. Most organizations invest more in guarding against insider threats from actors with malicious intent than in guarding against insider threats caused by someone acting negligently.

This focus might be misplaced. According to Ponemon’s 2020 Insider Threats Report, 61% of insider data breaches are unintentional, caused by negligent insiders. 


The Why of “Why Me?” Leading to Insider Data Breaches

Negligent insider data breaches occur for a number of reasons. The main ones are employees’ lack of awareness of their employer’s security policies and the employer’s failure to provide security awareness training.

The numbers in the HHS Insider Threats publication paint a stark picture:

  • 27% of employees view security policies less than once a year
  • 39% of employees receive security awareness training less than once a year

Lack of awareness of basic security principles can cause unintentional loss of IT assets or protected health information (PHI). For example, an employer who has not trained employees on mobile device security may find that an employee has carelessly left an unencrypted laptop unattended. The device may then be stolen, or its data may be copied. Or, an organization that fails to train employees on the concept of automatic logoff may discover that a remote employee left their computer running unattended for a full two hours – ample time for an intruder to get inside.

The Enemy Within

At the other end of the insider threat spectrum from negligent actors are malicious actors. Malicious insiders account for 14% of all threat incidents.

Malicious insider threats include:

  • Healthcare employees who misuse access rights to steal patient data to commit identity theft
  • Healthcare employees who misuse access rights to steal patient data to commit some other form of financial fraud
  • Healthcare employees who steal sensitive data and provide it to third parties for money
  • Disgruntled or dissatisfied employees who want to cause harm to their employers. Disgruntled employees may believe that their employer owes them something. When this expectation is unmet, the disgruntled actor will take action

Insider data breaches caused by malicious actors make for good copy. These actors steal data, commit fraud, or sabotage systems. The news media dutifully report these events, and healthcare employers who read the papers then decide to devote significant resources to identify and guard against such breaches. Typically, these employers institute monitoring systems to identify unauthorized access and to detect employees who engage in suspicious activity like snooping on patient records.

As intriguing to the public as malicious insider data breaches may be, such breaches only account for 14% of all threat incidents. 

What Can Healthcare Employers Do to Prevent Insider Data Breaches?

To prevent insider data breaches caused by negligence, HHS recommends that healthcare organizations institute and operationalize robust security awareness training programs, which should include – you guessed it – information raising awareness about insider threats. Security awareness training programs should also cover periodic security updates, protection from malicious software, log-in monitoring, and password management.

HHS also recommends periodic refresher training and that organizations revise and update cybersecurity policies and procedures to limit access privileges and establish role-based control. 

HHS recommends that healthcare organizations protect against malicious insider threats by:

  • Implementing zero-trust and multifactor authentication (MFA) measures
  • Deploying data loss prevention controls
  • Regularly auditing access and activity logs
  • Implementing a security information and event management (SIEM) system to assist with logging, monitoring, and auditing employee actions
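As an added example (not from the HHS publication or this article), the following Python check shows the kind of rule an access-log audit or SIEM might apply to EHR access records: it flags views of patient records outside a user's assigned care team and bursts of many distinct records in a single hour. The log format, the care-team map and the hourly threshold are constructed assumptions.

```python
"""Flag possible patient-record snooping in constructed EHR access-audit logs.

Added example, not from the HHS publication: the log format, field names,
care-team assignments and threshold below are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample audit lines: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2022-04-04T09:01:00,nurse_kim,P100,view
2022-04-04T09:05:00,nurse_kim,P101,view
2022-04-04T09:40:00,nurse_kim,P555,view
2022-04-04T10:02:00,clerk_lee,P200,view
2022-04-04T10:03:00,clerk_lee,P201,view
2022-04-04T10:04:00,clerk_lee,P202,view
2022-04-04T10:05:00,clerk_lee,P203,view
2022-04-04T10:06:00,clerk_lee,P204,view
2022-04-04T10:07:00,clerk_lee,P205,view
2022-04-04T11:30:00,dr_patel,P300,view
"""

# Constructed treatment relationships: patients each user is assigned to
CARE_TEAM = {
    "nurse_kim": {"P100", "P101"},
    "clerk_lee": {"P200", "P201", "P202", "P203", "P204", "P205"},
    "dr_patel": {"P300"},
}

# Assumed per-hour limit on distinct records before a review is warranted
HOURLY_LIMIT = 5


def parse_log(text):
    """Split raw audit lines into (timestamp, user, patient_id, action) tuples."""
    return [tuple(line.split(",")) for line in text.strip().splitlines()]


def find_suspicious_access(events, care_team, hourly_limit=HOURLY_LIMIT):
    """Return (rule, user, detail) findings for two snooping indicators:
    no-relationship: a record viewed by a user outside its care team;
    volume: more distinct records in one hour than the assumed baseline."""
    findings = []
    per_hour = defaultdict(set)  # (user, "YYYY-MM-DDTHH") -> distinct patients
    for ts, user, patient, _action in events:
        if patient not in care_team.get(user, set()):
            findings.append(("no-relationship", user, patient))
        per_hour[(user, ts[:13])].add(patient)
    for (user, hour), patients in per_hour.items():
        if len(patients) > hourly_limit:
            findings.append(("volume", user, f"{len(patients)} records in {hour}"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(finding)
```

Both rules are only starting points for review: a legitimate float nurse or a billing clerk working a queue will trip the volume rule, so findings should feed a human-reviewed audit workflow rather than automatic action.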

Finally, HHS recommends that healthcare organizations develop a formal insider threat mitigation program and an incident response plan. Insider threat mitigation programs can enhance organizational readiness against insider data breaches, whether caused by negligence or ill intent.
