Data Breach Insider Threat

In April of 2022, the Department of Health and Human Services (HHS)’ Office of Information Security issued a 27-page publication, entitled “Insider Threats in Healthcare.” The publication covers a significant trend in cybersecurity: More and more, healthcare organization data breaches are being caused by internal (employee) action as opposed to actions from outside third parties.

HHS defines an “Insider threat in the Healthcare and Public Health (HPH) Sector” as “a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization’s security practices, data, and computer systems, [who] could use this information in a way that negatively impacts the organization.” Insider threats can cause data breaches. The subject of insider data breaches is discussed below.

There’s Negligence Inside: HHS Warns of Increases in Insider Data Breaches

As HHS notes, there are several types of insider threats. These include:

  • Careless or negligent workers
  • Malicious insiders
  • Inside agents 
  • Disgruntled employees 

There is a mismatch between the amount of money healthcare organizations spend to prevent data breaches from each group and the amount of harm each group causes. Most organizations spend more on insider threats from actors with malicious intent than they do on insider threats caused by someone acting negligently.

This focus might be misplaced. According to Ponemon’s 2020 Insider Threats Report, 61% of insider data breaches are unintentional, caused by negligent insiders. 


The Why of “Why Me?” Leading to Insider Data Breaches

Negligent insider data breaches occur for a number of reasons. The main reasons are employees’ lack of awareness of their employer’s security policies and the employer’s failure to provide security awareness training. 

The numbers in the HHS Insider Threats report paint a stark picture: 

  • 27% of employees view security policies less than once a year
  • 39% of employees receive security awareness training less than once a year

Lack of awareness of basic security principles can cause unintentional loss of IT assets or protected health information (PHI). For example, an employer who has not trained employees on mobile device security may find that an employee has carelessly left an unencrypted laptop unattended. The device may then be stolen, or its data may be copied. Or, an organization that fails to train employees on the concept of automatic logoff may discover that a remote employee left their computer running unattended for a full two hours – ample time for an intruder to get inside.

The Enemy Within

At the other end of the insider threat spectrum from negligent actors are malicious actors. Malicious insiders account for 14% of all threat incidents. 

Insider threats include:

  • Healthcare employees who misuse access rights to steal patient data to commit identity theft
  • Healthcare employees who misuse access rights to steal patient data to commit some other form of financial fraud
  • Healthcare employees who steal sensitive data and provide it to third parties for money
  • Disgruntled or dissatisfied employees who want to cause harm to their employers. Disgruntled employees may believe th