Despite being considered the last industry that cyber criminals should target, the healthcare sector is not exempt when it comes to money-driven threat actors. Recently, there has been a noticeable increase in attacks targeting the healthcare industry, with insider threats causing significant concern. Data breaches within healthcare organizations are occurring in record numbers. However, it’s important to note that not all privacy and security threats originate from outside the organizations.
As security strategies have traditionally prioritized the prevention of external attacks, organizations of various sizes and types are now facing the growing necessity of addressing the threats that exist within their own environments. According to the Ponemon Institute, insider threats increased 44% between 2020 and 2022 [1].
Of course, there are different types of insider threat incidents and not all of them are malicious. Only 26% of insider threat incidents are intentional, while 56% of insider threat incidents originate from careless mistakes. Whether intentional or negligent, let’s explore insider threats in healthcare and how healthcare organizations can remain safe.
[1] 2022 Ponemon Cost of Insider Threats Global Report | Proofpoint UK
At times, organizations become so preoccupied with monitoring external threats that they overlook the importance of being vigilant about the potential risks coming from within their own organization. Insiders often have privileges that give them access to systems and networks, placing them in an ideal position to exploit such resources. Additionally, they may possess knowledge about vulnerabilities or the organization's network configuration.
During November 2021, a security incident occurred at the South Georgia Medical Center in Valdosta, Georgia. A former employee decided to download private data from the medical center's systems onto a USB drive the day after he resigned. As a result, the names of patients, test results, and birth dates were leaked.
Because the employee had access to sensitive data and had no issues with carrying out his plan, he was able to maliciously compromise the medical center. This is a great example of a malicious insider threat where the individual harbored feelings of anger or discontent, having personal motivations to harm the organization.
Usually, healthcare organizations invest money in pinpointing malicious insider threats, rarely focusing on the negligent insider threats, which are more common. According to the U.S. Department of Health and Human Services (HHS), most healthcare employees lack awareness of security policies, and healthcare organizations fail to provide proper security awareness training.
In January 2023, an employee at DCH Health System in Tuscaloosa was terminated by the organization due to suspicions of unauthorized access to electronic medical records. Reports state that 2,530 individuals were informed by mail that their medical records may have been accessed by the former employee without there being any legitimate reason for the employee to access them.
Although DCH Health System did not believe patient information was used or disclosed, the employee unnecessarily viewed names, addresses, dates of birth, diagnoses, vital signs, medications, Social Security numbers, test results, and clinical notes. DCH discovered the breach during a routine privacy audit conducted in December 2022. Upon further investigation, additional breaches were uncovered, dating back to September 2021. This security incident is a great instance of a careless employee being the insider threat. Using your credentials to access data that does not pertain to your role is not only careless but also a violation of privacy.
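The two patterns in the cases above, record access after an employee's separation date and record access with no legitimate reason, are the kind of thing a routine privacy audit of access logs can flag. The following is an added example, not code from the original report or from any organization it names; the log layout, user and patient identifiers, care-team mapping, and dates are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# All identifiers and records below are constructed for illustration.
SEPARATED = {"u_tech3": datetime(2024, 3, 1)}   # user -> last day of employment
CARE_TEAM = {"p1001": {"u_nurse7"}, "p1002": {"u_nurse7", "u_tech3"}}
ACCESS_LOG = [
    ("2024-02-27T09:14:00", "u_nurse7", "p1001", "view"),
    ("2024-02-27T09:20:00", "u_nurse7", "p1003", "view"),    # not on care team
    ("2024-02-28T15:02:00", "u_tech3", "p1002", "view"),
    ("2024-03-02T08:41:00", "u_tech3", "p1002", "export"),   # day after separation
    ("2024-03-02T08:43:00", "u_tech3", "p1001", "export"),   # matches both rules
]

def audit_access(log, care_team, separated):
    """Return (timestamp, user, patient, reason) findings for privacy review."""
    findings = []
    for ts, user, patient, _action in log:
        when = datetime.fromisoformat(ts)
        last_day = separated.get(user)
        # Rule 1: the account was used after the person left the organization.
        if last_day is not None and when.date() > last_day.date():
            findings.append((ts, user, patient, "access_after_separation"))
        # Rule 2: the user has no documented care relationship with the patient.
        if user not in care_team.get(patient, set()):
            findings.append((ts, user, patient, "no_care_relationship"))
    return findings

def summarize(findings):
    """Count distinct patients affected per (user, reason) to help triage."""
    patients = defaultdict(set)
    for _, user, patient, reason in findings:
        patients[(user, reason)].add(patient)
    return {key: len(value) for key, value in patients.items()}

if __name__ == "__main__":
    for finding in audit_access(ACCESS_LOG, CARE_TEAM, SEPARATED):
        print(finding)
```

A finding under the second rule is a lead for a privacy officer to review, not proof of misuse, since care-team data is often incomplete.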
In February 2023, reports surfaced that Highmark Health, the second largest integrated delivery and financing system in the United States, suffered from a phishing attack affecting approximately 300,000 individuals.
On December 15, 2022, one of Highmark’s employees received a malicious link, resulting in unauthorized access to their email account for a period of two days. Consequently, the threat actor may have gained access to emails containing protected health information (PHI). The compromised email account contained various types of sensitive information, including names, enrollment details, prescription and treatment information, financial data, addresses, and phone numbers. This incident serves as an example of an employee who, lacking sufficient knowledge or awareness, inadvertently clicked on a malicious link, granting complete access to a malicious actor.
Image 1: Insider Threat Damage
Source: HHS.gov
Third-party breaches are tricky because they usually happen when business associates compromise security through negligence, improper use, or harmful access. In June 2022, an IT contractor was charged for hacking into a Chicago-based healthcare organization's server in 2018.
At that time, the IT contractor was employed by an IT company that had a contractual agreement with the impacted healthcare organization, granting him access to their network.
Two months prior to the incident, the contractor was allegedly rejected for a role with the healthcare company. A few months later, the contractor’s employment with the IT firm was terminated.
The contractor ended up being accused of intentionally causing damage to a protected computer by knowingly transmitting a program, information, code, and command without authorization. As a result of the cyberattack, the healthcare organization faced disruptions in medical examinations, treatment, and diagnoses. In this case, the contractor was an angry insider threat who wanted to cause harm to the healthcare organization’s system.
Annually, insider threats consistently top the list of the most significant risks to healthcare data. As remote work and telehealth continue, it is crucial for healthcare organizations to adopt a proactive approach in training their employees on the best cybersecurity practices. Additionally, organizations should exercise caution and vigilance in their hiring processes to ensure they are selecting individuals who prioritize data security.
Although it may be somewhat of a challenge, potential insider threats can be detected by paying attention to suspicious behavior and indicators that raise red flags for malicious activity. Some of those indicators include:
To effectively prevent insider threats, healthcare organizations must prioritize deterrence, detection analysis, and post-breach forensics. In addition, here are some vital areas these organizations should focus on:
Related Resources:
2022 Ponemon Cost of Insider Threats Global Report | Proofpoint UK
7 Real-Life Data Breaches Caused by Insider Threats | Ekran System
202204211300_Insider Threats in Healthcare_TLPWHITE (hhs.gov)
Three U.S. data breaches show varied healthcare exposure risks | Reuters
DCH Health System fires employee after medical records security breach (tuscaloosanews.com)
HHS Warns HPH Sector About Insider Threats in Healthcare (hipaajournal.com)
Insider Threat and How to Mitigate It | FTI Consulting
Children's hospital required to improve security in breach settlement | SC Media (scmagazine.com)
Top Emerging Security Threats in Healthcare | RSI Security
How to protect patient data against insider threats? - Polymer (polymerhq.io)
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.