Executive Summary

Despite being considered the last industry that cyber criminals should target, the healthcare sector is not exempt when it comes to money-driven threat actors. Recently, there has been a noticeable increase in attacks targeting the healthcare industry, with insider threats causing significant concern. Data breaches within healthcare organizations are occurring in record numbers; however, it’s important to note that not all privacy and security threats originate from outside the organizations.

As security strategies have traditionally prioritized the prevention of external attacks, organizations of various sizes and types are now facing the growing necessity of addressing the threats that exist within their own environments. According to the Ponemon Institute, insider threats increased 44% between 2020 and 2022. [1]

Of course, there are different types of insider threat incidents and not all of them are malicious. Only 26% of insider threat incidents are intentional, while 56% of insider threat incidents originate from careless mistakes. Whether intentional or negligent, let’s explore insider threats in healthcare and how healthcare organizations can remain safe.

[1] 2022 Ponemon Cost of Insider Threats Global Report | Proofpoint UK

 

tir snapshot

  • Organizations become so preoccupied with monitoring external threats that they overlook the importance of being vigilant about the potential risk coming from within their own organization.
  • Insiders often have privileges that give them access to systems and networks. In November 2021, an employee decided to download data from South Georgia Medical Center to a USB drive the day after he resigned, resulting in patient data theft.
  • Usually, healthcare organizations invest money in pinpointing malicious insider threats, rarely focusing on the negligent insider threats, which are more common.
  • Most healthcare employees lack awareness about security policies and healthcare organizations fail to provide proper security awareness training.
  • In January 2023, an employee at DCH Health System in Tuscaloosa was terminated by the organization due to suspicions of unauthorized access to electronic medical records. The employee unnecessarily accessed over 2,000 patient records, compromising their data.
  • Annually, insider threats consistently top the list of the most significant risks to healthcare data.
  • Organizations should exercise caution and vigilance in their hiring processes to ensure they are selecting individuals who prioritize data security. There are key indicators of compromise that can help organizations get ahead of insider threats.

 

 

malicious insider threats

At times, organizations become so preoccupied with monitoring external threats that they overlook the importance of being vigilant about the potential risks coming from within their own organization. Insiders often have privileges that give them access to systems and networks, placing them in an ideal position to exploit such resources. Additionally, they may possess knowledge about vulnerabilities or the organization's network configuration.

During November 2021, a security incident occurred at the South Georgia Medical Center in Valdosta, Georgia. A former employee decided to download private data from the medical center's systems onto a USB drive the day after he resigned. As a result, the names of patients, test results, and birth dates were leaked.

Because the employee had access to sensitive data and faced no obstacles in carrying out his plan, he was able to maliciously compromise the medical center. This is a clear example of a malicious insider threat: an individual who harbored anger or discontent and had personal motivations to harm the organization.

 

 

careless and uneducated employees

 

DCH

Usually, healthcare organizations invest money in pinpointing malicious insider threats, rarely focusing on the negligent insider threats, which are more common. According to the U.S. Department of Health and Human Services (HHS), most healthcare employees lack awareness about security policies, and healthcare organizations fail to provide proper security awareness training.

In January 2023, an employee at DCH Health System in Tuscaloosa was terminated by the organization due to suspicions of unauthorized access to electronic medical records. Reports state that 2,530 individuals were informed by mail that their medical records may have been accessed by the former employee without there being any legitimate reason for the employee to access them.

Although DCH Health System did not believe patient information was used or disclosed, the employee unnecessarily viewed names, addresses, dates of birth, diagnoses, vital signs, medications, Social Security numbers, test results, and clinical notes. DCH discovered the breach during a routine privacy audit conducted in December 2022. Upon further investigation, additional breaches were uncovered, dating back to September 2021. This security incident is a clear instance of a careless employee being the insider threat. Using your credentials to access data that does not pertain to your role is not only careless but also a violation of privacy.

 

HIGHMARK HEALTH

In February 2023, reports surfaced that Highmark Health, the second largest integrated delivery and financing system in the United States, suffered from a phishing attack affecting approximately 300,000 individuals.

On December 15, 2022, one of Highmark’s employees clicked a malicious link in a phishing email, resulting in unauthorized access to their email account for a period of two days. Consequently, the threat actor may have gained access to emails containing protected health information (PHI). The compromised email account contained various types of sensitive information, including names, enrollment details, prescription and treatment information, financial data, addresses, and phone numbers. This incident serves as an example of an employee who, lacking sufficient knowledge or awareness, inadvertently clicked on a malicious link, granting complete access to a malicious actor.

 

Image 1: Insider Threat Damage (Source: HHS.gov)

 

 

third parties

Third-party breaches are tricky because they usually happen when business associates compromise security through negligence, improper use, or harmful access. In June 2022, an IT contractor was charged with hacking into a Chicago-based healthcare organization's server in 2018.

At that time, the IT contractor was employed by an IT company that had a contractual agreement with the impacted healthcare organization, granting him access to their network.

Two months prior to the incident, the contractor allegedly was rejected for a role with the healthcare company. Subsequently, a few months later, the contractor’s employment with the IT firm was terminated.

The contractor was ultimately accused of intentionally causing damage to a protected computer by knowingly transmitting a program, information, code, and command without authorization. As a result of the cyberattack, the healthcare organization faced disruptions in medical examinations, treatment, and diagnoses. In this case, the contractor was a disgruntled insider who wanted to cause harm to the healthcare organization’s systems.

 

 

defense

Annually, insider threats consistently top the list of the most significant risks to healthcare data. As remote work and telehealth continue, it is crucial for healthcare organizations to adopt a proactive approach in training their employees on the best cybersecurity practices. Additionally, organizations should exercise caution and vigilance in their hiring processes to ensure they are selecting individuals who prioritize data security.

Although it can be challenging, potential insider threats can be detected by paying attention to suspicious behavior and indicators that raise red flags for malicious activity. Some of those indicators include:

  • Behavioral
    • Instances of inappropriate or unprofessional conduct
    • Cases of harassment or bullying towards fellow employees
    • Personality clashes or conflicts
    • Misuse of resources such as travel, time, or expenses
    • Disputes or conflicts with colleagues or supervisors
  • IT Sabotage
    • Establishing unauthorized backdoor accounts
    • Modifying passwords to prevent data access by others
    • Disabling system logs to conceal activities
    • Installing remote network administration tools without authorization
    • Deploying malware onto systems
    • Illegitimately accessing the systems or devices belonging to other employees
  • Data Theft
    • Engaging in excessive downloading of confidential corporate data
    • Sending sensitive information to personal, non-corporate email addresses
    • Transmitting emails with large attachments to non-corporate email addresses
    • Misusing corporate printers for personal purposes
    • Illegitimately accessing servers remotely outside of working hours

 

 

avertium's recommendations

 

PREVENTION

To effectively prevent insider threats, healthcare organizations must prioritize deterrence, detection analysis, and post-breach forensics. In addition, here are some vital areas these organizations should focus on:

  • Review and revise cybersecurity policies and guidelines to ensure they are up to date.
  • Restrict privileged access and establish role-based access control mechanisms.
  • Implement the zero-trust model and utilize multi-factor authentication (MFA) for enhanced security.
  • Regularly back up data and employ data loss prevention tools to safeguard sensitive information.
  • Implement measures to manage and monitor USB devices across the corporate network to minimize risks associated with their use.

MITIGATION

  • Integrate insider threat awareness as a part of regular security training sessions for all staff members.
  • Enforce stringent password and account management policies and practices.
  • Establish clear security agreements for any cloud services, emphasizing access restrictions and monitoring capabilities.
  • Restrict access to sensitive information strictly to authorized personnel.
  • Employ a log correlation engine or a security information and event management (SIEM) system to capture, monitor, and audit employee activities.
  • Establish a comprehensive insider threat mitigation program, formalizing strategies to address and mitigate potential risks.
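To make the data-theft and IT-sabotage indicators listed under Defense, and the SIEM correlation recommended above, concrete, here is an added example (not Avertium's code or any vendor's product) that runs three checks over constructed EMR audit log lines: excessive daily record access per user (the pattern a routine privacy audit like DCH's would surface), remote logins outside working hours, and mail sent to non-corporate addresses. The log format, the corporate domain `hospital.example`, and the 50-record threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

CORP_DOMAIN = "hospital.example"   # assumed corporate mail domain
RECORD_THRESHOLD = 50              # distinct records per user per day; tune per role
WORK_HOURS = range(7, 19)          # 07:00-18:59 counted as working hours

# Constructed sample audit lines (format: timestamp,user,action,resource,dest).
SAMPLE_LOG = [
    "2022-12-01T09:12:00,nurse01,view_record,patient:1001,",
    "2022-12-01T09:15:00,nurse01,view_record,patient:1002,",
    "2022-12-01T11:00:00,nurse01,email_send,report.pdf,admin@hospital.example",
    "2022-12-01T02:10:00,clerk07,remote_login,vpn,",
    "2022-12-01T02:20:00,clerk07,email_send,attachment:25MB,clerk07@mail.example",
]
# Add 60 distinct record views by clerk07 on one day, well above the threshold.
SAMPLE_LOG += [f"2022-12-01T10:{i:02d}:00,clerk07,view_record,patient:{3000 + i},"
               for i in range(60)]


def parse_line(line):
    """Split one audit line into (timestamp, user, action, resource, dest)."""
    ts, user, action, resource, dest = line.split(",", 4)
    return datetime.fromisoformat(ts), user, action, resource, dest


def find_indicators(log_lines):
    """Return {user: set of indicator names} for users matching any check."""
    views = defaultdict(set)   # (user, date) -> distinct records viewed that day
    hits = defaultdict(set)
    for line in log_lines:
        ts, user, action, resource, dest = parse_line(line)
        if action == "view_record":
            views[(user, ts.date())].add(resource)
        elif action == "remote_login" and ts.hour not in WORK_HOURS:
            hits[user].add("offhours_remote_access")
        elif action == "email_send" and dest and not dest.endswith("@" + CORP_DOMAIN):
            hits[user].add("send_to_personal_email")
    for (user, _day), records in views.items():
        if len(records) > RECORD_THRESHOLD:
            hits[user].add("excessive_record_access")
    return dict(hits)


if __name__ == "__main__":
    for user, flags in sorted(find_indicators(SAMPLE_LOG).items()):
        print(user, sorted(flags))
```

Each flagged user is a lead for the privacy or security team to review against the person's role, not a verdict; the thresholds belong in the SIEM rule set where they can be tuned per department.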

 

 

how avertium is protecting our customers

  • Avertium offers user awareness training through KnowBe4. The service also includes Incident Response Table-Top exercises (IR TTX) and Core Security Document development, as well as a comprehensive new-school approach that integrates baseline testing using mock attacks.
  • Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes. 
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.

 


SUPPORTING DOCUMENTATION

Addressing Insider Threats: Strengthening Security Strategies | Healthcare Digital (healthcare-digital.com)

2022 Ponemon Cost of Insider Threats Global Report | Proofpoint UK

7 Real-Life Data Breaches Caused by Insider Threats | Ekran System

202204211300_Insider Threats in Healthcare_TLPWHITE (hhs.gov)

Three U.S. data breaches show varied healthcare exposure risks | Reuters

DCH Health System fires employee after medical records security breach (tuscaloosanews.com)

HHS Warns HPH Sector About Insider Threats in Healthcare (hipaajournal.com)

IT Specialist Charged in Healthcare Cyberattack Highlights Insider Threat Risks (healthitsecurity.com)

Insider Threat and How to Mitigate It | FTI Consulting

Children's hospital required to improve security in breach settlement | SC Media (scmagazine.com)

Top Emerging Security Threats in Healthcare | RSI Security

How to protect patient data against insider threats? - Polymer (polymerhq.io)

 

APPENDIX II: Disclaimer

This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.

Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.

 

COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.
