Insider threats are security risks that originate from within a network. Insider threats could be employees or vendors acting with malicious intent, former employees who still retain their access privileges, employees whose credentials are compromised, and so on. They have become increasingly rampant over the years with the number of people impacted reaching 45 million in 2021.
The healthcare sector in particular has been a major target in recent times. For example, in November 2021, a disgruntled employee of South Georgia Medical Center downloaded the protected health information (PHI) of patients to his personal storage device and quit the next day. This breach was identified due to a security alert, but by that time, the data had already left the premises. The perpetrator was apprehended before the data could be used, but it's not hard to imagine how costly this act could have been to South Georgia Medical Center.
According to a study by the Software Engineering Institute of Carnegie Mellon University, the most commonly targeted sector for insider attacks is the healthcare sector. In 2018, the Trustwave Global Security Report identified PHI as one of the most valuable forms of data. A healthcare record for a single targeted individual can fetch $250 on average, whereas credit card information fetches only around $5.40.
The vast difference between the value of health information and credit card information is attributed to the long shelf life of health information. Payment-related data thefts are usually identified quickly and the cards or the account can be frozen instantly, but a breach of health information is harder to identify. Stolen health information can be used to purchase prescriptions, receive treatment, or make fake medical claims until the breach is identified and remedial actions are taken.
Besides the value of stolen PHI, the machines and computers PHI is stored on are often obsolete in terms of security, which gives threat actors an easy way in. Hospitals often have numerous networked devices like heart monitors, which also considerably increases the attack surface.
An attack on a healthcare institution can put numerous lives at stake and leaves little room for negotiation, which emboldens threat actors.
The U.S. Department of Health & Human Services recently issued a warning in which it splits the prevalent insider threats in healthcare institutions into five major categories:
The biggest problem with identifying insider attackers is that they could be anyone: the guy down the corridor, the janitor, the unassuming help desk technician, or even the cheery and helpful receptionist. Anyone and everyone with access to the hospital facilities could be a threat. However, there are some indicators you can look out for when monitoring the organization for insider threats.
Government mandates like HIPAA require healthcare institutions to implement essential cybersecurity practices in order to be compliant. Organizations should also be proactive in fortifying their network and sensitive data, since cyberattack tactics are continuously evolving. Recognizing insider threats can be difficult, but mitigating them and protecting the network and its resources is much easier.
Inventory all the users and devices in your network. Maintaining an updated record of all devices, users, and their access permissions can help you gain a better perspective of the suitable security practices that need to be implemented.
Ensure all the employees are aware of the best practices about security such as not opening suspicious emails, not installing unwanted applications, and how to handle PHI. Conducting regular security awareness campaigns can be a good place to start to prevent negligent employee behavior before it turns into security vulnerabilities.
Implement security practices that align with Zero Trust and the principle of least privilege. Zero Trust security eliminates the notion of implicit trust and encourages validating user and machine identities at every stage of any digital interaction. The principle of least privilege focuses on access management and states that only the minimum level of access required for an employee to accomplish their tasks should be provided. Identity and access management should be the prime focus while provisioning user accounts in an organization.
Keep track of all employee activities. Monitor employees who indulge in suspicious activities like logging in during non-work hours, logging in from personal devices, downloading large volumes of data, etc., and set up alerts when an anomalous activity is detected. Maintaining audit reports of employee activities is essential to be compliant with security mandates as well.
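The indicators listed above (off-hours logins, logins from unmanaged devices, unusually large downloads) can be turned into simple alerting logic. The script below is an added example, not code from the original article; the audit-log format, the managed-device inventory, the business-hours window and the download threshold are all assumptions made for illustration, and the log lines are constructed.

```python
"""Insider-threat indicators over audit log lines (added example).

Scans constructed audit events for the indicators named in the text:
logins outside business hours, activity from devices not in the managed
inventory, and unusually large PHI downloads. The log format, thresholds
and device inventory are assumptions made for this example, not any
vendor's schema.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: timestamp, user, device, action, bytes
SAMPLE_LOG = """\
2021-11-02T09:15:00 jsmith WS-0412 login 0
2021-11-02T09:20:00 jsmith WS-0412 download 2048000
2021-11-02T23:40:00 rjones LAPTOP-PERSONAL login 0
2021-11-02T23:45:00 rjones LAPTOP-PERSONAL download 734003200
2021-11-03T08:05:00 adoe WS-0077 login 0
"""

MANAGED_DEVICES = {"WS-0412", "WS-0077", "WS-0101"}   # assumed inventory
WORK_HOURS = range(7, 19)                              # 07:00-18:59 (assumption)
LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024               # 100 MiB threshold (assumption)


@dataclass
class Event:
    ts: datetime
    user: str
    device: str
    action: str
    nbytes: int


def parse_log(text):
    """Parse the constructed space-separated log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, action, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, device, action, int(nbytes)))
    return events


def find_indicators(events):
    """Return a list of (user, indicator, timestamp) tuples for each anomaly."""
    alerts = []
    for e in events:
        if e.action == "login" and e.ts.hour not in WORK_HOURS:
            alerts.append((e.user, "off-hours login", e.ts.isoformat()))
        if e.device not in MANAGED_DEVICES:
            alerts.append((e.user, "unmanaged device", e.ts.isoformat()))
        if e.action == "download" and e.nbytes >= LARGE_DOWNLOAD_BYTES:
            alerts.append((e.user, "large download", e.ts.isoformat()))
    return alerts


def users_to_review(alerts):
    """Users that trip more than one distinct indicator deserve a closer look."""
    seen = {}
    for user, indicator, _ in alerts:
        seen.setdefault(user, set()).add(indicator)
    return sorted(u for u, kinds in seen.items() if len(kinds) > 1)


if __name__ == "__main__":
    alerts = find_indicators(parse_log(SAMPLE_LOG))
    for user, indicator, when in alerts:
        print(f"{when} {user}: {indicator}")
    print("review:", users_to_review(alerts))
```

Raising a ticket only when a user trips several distinct indicators, as `users_to_review` does, keeps a single late login from flooding the queue while still surfacing the pattern in the South Georgia case: a large download to a device the organization does not manage.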
All ex-employees' accounts should be properly deprovisioned. This includes revoking employees' access permissions and disabling mailboxes as soon as they leave their jobs. All old patient records containing PHI should also be disposed of properly, either by shredding them or as mandated by HIPAA.
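Deprovisioning gaps are easy to find by cross-checking the HR roster against a directory export. The script below is an added example, not code from the original article; the roster, the directory export and their field names are constructed assumptions, not any HR or directory product's schema.

```python
"""Deprovisioning audit (added example).

Cross-checks an HR roster against a directory export to find accounts
that should already have been deprovisioned: users whose termination
date has passed but whose account or mailbox is still active, and
accounts with no HR record at all. Both data sets are constructed and
the field layout is an assumption for this example.
"""
from datetime import date

# Constructed HR roster: username -> termination date (None = still employed)
HR_ROSTER = {
    "jsmith": None,
    "rjones": date(2021, 11, 3),
    "adoe": None,
    "mlee": date(2021, 10, 15),
}

# Constructed directory export: username -> (login_enabled, mailbox_active)
DIRECTORY = {
    "jsmith": (True, True),
    "rjones": (True, True),       # quit but never deprovisioned
    "adoe": (True, True),
    "mlee": (False, True),        # login disabled, mailbox still live
    "svc-backup": (True, False),  # no HR record at all
}


def audit_deprovisioning(roster, directory, today):
    """Return {username: [findings]} for accounts that need attention."""
    findings = {}
    for user, (enabled, mailbox) in directory.items():
        issues = []
        if user not in roster:
            issues.append("no HR record; verify ownership")
        else:
            term = roster[user]
            if term is not None and term <= today:
                if enabled:
                    issues.append("account still enabled after termination")
                if mailbox:
                    issues.append("mailbox still active after termination")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    report = audit_deprovisioning(HR_ROSTER, DIRECTORY, date(2021, 11, 10))
    for user, issues in report.items():
        print(user, "->", "; ".join(issues))
```

Running this on a schedule, with the termination date taken from HR rather than from a manual ticket, closes the window in which a former employee keeps working credentials; accounts with no HR owner (service accounts in this example) are listed so that someone is made responsible for them.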
A report by Grand View Research, Inc. estimates that the global healthcare cybersecurity market size is expected to reach USD 56.3 billion by 2030. Between 2020 and 2021, the market for cybersecurity increased by 15.6%. One of the major factors that fueled this rise was the pandemic and the increased threat of a data breach, which has led healthcare institutions to turn to cybersecurity solutions to mitigate the risk. Unless healthcare institutions invest resources into training their employees and fortifying their cybersecurity practices, it is only a matter of time before they fall prey to an attack.