Insider threats are among the leading cyber issues facing the healthcare industry today. Since the pandemic, attackers are taking advantage of remote workforces, bring-your-own devices (BYOD), and rapidly adopted technologies to launch an alarming amount of ransomware and phishing attacks.
Regardless of how strong their cybersecurity programs and security measures are, countless covered entities and business associates continue to overlook their weakest link – their own employees.
In an ever-changing and dynamic threat landscape, attackers don’t have to defeat your external controls to access and exploit electronic protected health information (ePHI); they simply need to outwit your employees.
Team members who aren’t educated (and routinely tested) on cyber risk can put your organization in a precarious situation when protecting PHI and personally identifiable information (PII).
In fact, according to the 2021 HIMSS Healthcare Cybersecurity Survey, healthcare’s most significant security incidents are phishing attacks (45%), followed by ransomware attacks (17%), with general email phishing (75%) leading the list of attack vectors. The HIMSS report cited previous research, indicating that most healthcare organizations don’t have robust insider threat management or awareness programs.
The harsh reality is that dealing with insider risks is more than just a potential headache. If strong insider-threat mitigations aren’t defined, implemented, and routinely evaluated, you may set yourself up for a potential cyber breach and Office for Civil Rights (OCR) penalties that could cost you millions of dollars, not to mention put your ePHI at risk. The HHS Cybersecurity Program recently released this brief outlining the potential damage insider threats can cause an organization and, maybe more startling, reveals that 82% of organizations can’t fully determine the damage an insider threat has caused.
What is an Insider Threat?
According to the “An insider threat is the potential for an insider to use their authorized access or special understanding of an organization to harm that organization.”
Indicators for Insider Threats
Insider threats may take many forms and are driven by various factors; however, they typically reside within one of two categories, careless or malicious.
Before tackling the insider threat, we must understand the relationship between insider threat opportunities and capabilities.
Questions to consider about insider threat opportunities:
- Location: Where are they located? Who or what are they adjacent to? What physical access does the insider threat retain?
Questions to consider regarding insider threat capabilities:
- Access: What areas of your organization
- Training: Are they properly trained? Are they subject matter experts? Do they understand the impacts of phishing attacks or ransomware?
- Authority: What type of authority do they have within the organization? Do they have access to sensitive or critical systems or information?
While the origins of insider threats vary, there are five primary insider threat expressions:
- Violence: for example, acts of aggression or reprisal
- Espionage: for example, when someone within your organization represents another organization, and they’re trying to obtain information about your business
- Sabotage: for example, when an insider knowingly destroys your network, infrastructure, or data
- Theft: for example, of money or intellectual property
- Cyber: for example, a phishing attack that launches malware on your network
Other motivating triggers for malicious insider threats may include:
- Workplace relations
- Personal problems
- Foreign affiliation(s) such as state or political actors
- Corporate loyalties
- Personal ideology
- A mix of some or all of the above
Regardless of the insider threat’s motivation, as a covered entity or business associate, it’s your responsibility to understand the risks and respond accordingly.
Real-World Impact of Insider Threats
Earlier this year, an IT specialist, disgruntled over being denied an employment position and his subsequent termination from the health IT company he worked for, was charged with hacking into a Chicago healthcare organization’s server in 2018. He is charged with intentionally transmitting data with the intent to cause damage, which he did. The resulting cyberattack triggered disruptions in medical examinations, treatments, and diagnoses.
Some ways organizations can protect ePHI to prevent this type of breach include:
- URL access filtering of internet file sharing services or unapproved content
- System activity reviews
- Data loss prevention solutions
- Privileged access management
- System isolation, physical or logical segmentation
While insider threats are growing at an alarming rate, many healthcare organizations simply don’t have the resources or skillset to appropriately evaluate the risk and develop response or mitigation plans.
Common areas where organizations make mistakes or increase the threat surface:
Lenient or Unrestrictive Hiring Practices
Finding skilled workers can be challenging, especially for smaller organizations. Without proper employee scrutiny, organizations unintentionally increase the risk of data loss due to insider threats.
For example, you increase the risk of insider threats exploiting vulnerabilities if you do not:
- Conduct background checks, or they do not carry enough weight in the hiring process
- Perform psychological (personality) reviews during the hiring process to identify potential incompatibility in the workplace
- Verify the information that candidates submit (references, resume, education, credentials, etc.)
Lack of Quality Security Awareness Training
Another common mistake is the organization failing to properly train its staff on cyber risks. You could place your organization at increased risk if you do not:
- Have security awareness training
- Regularly test the effectiveness of your security awareness training program and content
- Regularly update your security awareness training as emerging threats arise and the threat landscape evolves
Lack of Employee Activity Monitoring
Even if your organization conducts routine training or simulation exercises, you may lack sufficient technical or administrative monitoring capabilities, which further increases the risk of insider threat exploitation:
- Do you have systems in place to monitor user activity?
- Have you deployed and integrated robust audit logging capabilities?
- Do you regularly update administrative, technical, or physical controls when adding new systems or when the workplace environment changes?
Information System Activity Reviews
HIPAA mandates information system activity reviews as part of its administrative safeguards requirement. Beyond that, technical safeguards also have requirements related to information systems, specifically that organizations implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that create, receive, maintain, or transmit ePHI.
What is an information system activity review?
An information system activity review evaluates your software and hardware activity logs; it should be conducted regularly, with the results compared to baseline information. To protect the confidentiality, availability, and integrity of your ePHI, your comprehensive reviews should include security, compliance, and privacy staff.
Below are examples of what your organization should review on a consistent and continuous cadence:
- User access logs
- User accounts
- Login time(s) and location
- Failed login attempts
- User access log modifications and deletions
- Record view logs
- Access logs of sensitive files, records, applications, or services
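As an added example (not code from the original article), the script below runs a small information system activity review over constructed audit log records. It builds a per-user baseline of familiar source addresses from an earlier period, then reviews a later period for the items listed above: logins from an unfamiliar location, off-hours logins and record views, bursts of failed logins, and modification or deletion of the audit log itself. The log format, usernames, addresses, timestamps, business-hours window and thresholds are all assumptions made for the example.

```python
"""Minimal information system activity review over constructed audit records.

Added example; not part of the original article. Every record, user, address
and threshold here is made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: "<ISO timestamp> <user> <event> <source address> <detail>".
# The baseline period is used only to learn each user's usual source addresses.
BASELINE_LOG = [
    "2024-03-04T08:55:12 jdoe login_ok 10.0.1.15 -",
    "2024-03-04T09:12:03 jdoe record_view 10.0.1.15 MRN-1001",
    "2024-03-05T08:50:44 jdoe login_ok 10.0.1.15 -",
    "2024-03-05T14:20:01 jdoe record_view 10.0.1.15 MRN-1002",
    "2024-03-06T09:01:30 jdoe login_ok 10.0.1.15 -",
    "2024-03-04T07:30:00 asmith login_ok 10.0.2.7 -",
    "2024-03-05T07:35:10 asmith login_ok 10.0.2.7 -",
    "2024-03-05T07:40:00 asmith record_view 10.0.2.7 MRN-2001",
]
# The review period is what the activity review team examines against that baseline.
REVIEW_LOG = [
    "2024-03-18T02:10:05 jdoe login_ok 203.0.113.9 -",
    "2024-03-18T02:11:40 jdoe record_view 203.0.113.9 MRN-3001",
    "2024-03-18T02:12:02 jdoe record_view 203.0.113.9 MRN-3002",
    "2024-03-18T09:00:00 asmith login_ok 10.0.2.7 -",
    "2024-03-18T10:00:01 bjones login_fail 10.0.3.3 -",
    "2024-03-18T10:00:09 bjones login_fail 10.0.3.3 -",
    "2024-03-18T10:00:20 bjones login_fail 10.0.3.3 -",
    "2024-03-18T10:00:31 bjones login_fail 10.0.3.3 -",
    "2024-03-18T10:00:45 bjones login_fail 10.0.3.3 -",
    "2024-03-18T11:30:00 sysadmin audit_log_delete 10.0.0.2 /var/log/audit/ehr.log",
]

BUSINESS_HOURS = (7, 19)          # assumed 07:00-19:00 local working window
FAIL_THRESHOLD = 5                # assumed: this many failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst
AUDIT_TAMPER_EVENTS = {"audit_log_modify", "audit_log_delete"}


def parse(line):
    """Split one constructed log line into a record dict."""
    ts, user, event, source, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "source": source, "detail": detail}


def build_baseline(lines):
    """Per-user set of source addresses observed during the baseline period."""
    baseline = defaultdict(set)
    for rec in map(parse, lines):
        baseline[rec["user"]].add(rec["source"])
    return baseline


def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def review(lines, baseline):
    """Return a list of (user, finding_type, detail) tuples for the review team."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for rec in map(parse, lines):
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "login_ok":
            # Login time and location: unfamiliar source address, or outside business hours.
            if rec["source"] not in baseline.get(user, set()):
                findings.append((user, "new_location", rec["source"]))
            if not in_business_hours(ts):
                findings.append((user, "off_hours_login", rec["source"]))
        elif event == "record_view" and not in_business_hours(ts):
            # Record view logs: sensitive record access outside business hours.
            findings.append((user, "off_hours_record_view", rec["detail"]))
        elif event == "login_fail":
            # Failed login attempts: flag once when the burst threshold is first reached.
            window = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[user] = window
            if len(window) == FAIL_THRESHOLD:
                findings.append((user, "failed_login_burst",
                                 f"{len(window)} failures within {FAIL_WINDOW}"))
        elif event in AUDIT_TAMPER_EVENTS:
            # User access log modifications and deletions: always escalate.
            findings.append((user, "audit_log_tampering", rec["detail"]))
    return findings


if __name__ == "__main__":
    for finding in review(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(finding)
```

The baseline here is deliberately simple (known source addresses per user); a production review would also derive usual working hours, typical record-view volume and role-appropriate systems from the baseline period, and would feed the findings into the investigation and escalation step rather than just printing them.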
How to Reduce Insider Threat Risks
Now that you understand insider threats and common motivation factors, here are three best practice recommendations to reduce the risk of vulnerability exploitation.
- Conduct a review and develop an inventory of information systems and applications that require system activity reviews
  - Identify systems or applications that create, store, maintain, or transmit ePHI
  - Identify resources and touchpoints
    - May not be limited to the Information Security team
    - Security Operations Center (SOC)
  - Understand the current system activity review lifecycle
    - People, processes, and technology
  - Leverage findings as part of your Strategic Action Plan
- Have actionable policies and procedures in place, including:
  - Roles and responsibilities
  - Preparation for conducting system activity reviews
    - Necessary safeguards to protect the Confidentiality, Availability, and Integrity of audit trails and information system activity review reports
    - Evidence of system activity reviews identifying when, who, and what was reviewed will be retained for a minimum period
    - Automated processes will be used to identify anomalies or unusual activity
  - Conducting activity reviews
    - Segregation between System Administrators and the System Activity Review Team
    - Cross-functional, interdepartmental team(s)
  - Follow-up actions
    - Investigation and escalation
- Train your workforce members that play a role in the system activity review lifecycle
- Continuously review your systems, processes, and technology and develop strategies for improvement and maturity, considering:
  - The size, complexity, and capabilities of your organization
  - Your technical infrastructure, hardware, and software security capabilities
  - The costs of security measures
  - The probability and criticality of potential risks to ePHI
Strategic Action Plans
Implementing a system activity review program can often be daunting; however, if you take a phased approach over a defined period, you may find it easier to fund and manage.
Here is an example of a general phased strategic action plan that may help:
- Phase 1: Six months to one year
- This phase requires that you create a documented repository of key objectives. Phase 1 is also the point where organizations should implement remediations of ‘low hanging fruit’ or items with a low financial impact.
- Phase 2: One or two years
- This phase requires that you begin to approve and finalize the execution or deployment of items within phase 3.
- Phase 3: Two to three years
- This phase requires executing and deploying items with the highest operational and financial impacts, as planned for in phases 1 and 2.
Out of the various strategies for protecting ePHI and reducing vulnerability exploitation, tackling insider threats is one of the most important and often overlooked sources of risk to an organization.
Employee training, integrated hiring practices, and system activity reviews often feel like formalities or boxes to check rather than critical components of a robust cyber risk management program, but they are vital.
Helping your workforce understand their role and responsibility in protecting systems, software, and patient data is foundational to creating a culture of cybersecurity in an age of rapidly evolving threat actors. Furthermore, your employees must understand that cyber risks are tangible and present, and can do much more than make a patient’s data vulnerable: they can compromise the delivery of care and lead to adverse clinical events, potentially leading to loss of life. While most breaches from insider threats stem from a lack of awareness or an honest mistake, organizations must not overlook the possibility that a disgruntled employee could have malicious intentions. Fortunately, simple yet effective strategies like those discussed in this resource can help your organization account for both unintentional and intentional insider threats.
Would you like to take a deeper dive into mitigating insider threats and how to conduct a system activity review? Check out this on-demand webinar, “Insider Threats: How to Tackle One of the Biggest Issues Facing Healthcare Organizations,” or contact a Clearwater advisor today.