Healthcare is the only industry where insider threats are greater than threats from the outside. This is according to the recently released 2018 Data Breach Investigations Report (DBIR) by Verizon, which noted the prevalence of human error as well as threats from phishing and ransomware.
The problem of inside actors in healthcare organizations is only getting worse, according to Suzanne Widup, one of the report’s co-authors.
“It just continues to be an issue year over year,” says Widup. “We see a lot more errors [in healthcare] than we do in some other industries, especially where encryption has been adopted that would mitigate that.”
Part of the problem may be continuing resistance to encrypting devices and data in the healthcare sector, where many worry that encryption will delay access to patient data in an emergency.
“My answer to that is that not all of these devices, by any means, are ever going to be used in an emergency situation,” says Widup. “It doesn’t have to be an all-or-nothing proposition.”
The industry’s diversity — hospitals, clinics, private practices and more — includes many offices that are simply too small to have a dedicated security staff. For larger organizations, she cites cultural impediments to implementing security controls that other industries use.
How to Tackle Insider Healthcare Threats
According to Michelle O’Neill, director of corporate compliance and privacy officer for Summit Health Management, a physician-led management services model for medical practices, there are three types of insider threats: accidental, negligent and malicious.
For accidental and negligent threats, education and effective training are generally key, a strategy the Verizon report stressed.
Malicious insider threats are tougher to prevent, but there are strategies that can help, O’Neill says. These strategies include:
- Know and manage anyone with access to the organization’s systems
- Pay attention to unusual employee or user behaviors
- Focus on high-risk individuals
- Perform proactive audits to identify red flags
- Implement effective privacy and security training
- Have strong termination procedures in place
Training Proves Key to Keeping Insider Threats at Bay
Social attacks remain hard to prevent: the report found companies are nearly three times more likely to be breached through a social attack than through an exploited vulnerability. Phishing and financial pretexting together represent 98 percent of social incidents and 93 percent of the breaches investigated, and email continues to be the main entry point (96 percent of cases).
Training employees to spot and report suspicious email is especially important, says Randall Frietzsche, CISO and privacy officer for Denver Health.
“Users are really scared to use email today. They get email that they’re afraid to click on and they hear all the horror stories. I want to not only reduce the risk of phishing email and ransomware, but I also want to increase users’ confidence in using email because they’ve seen phishing email before, they’re trained on the indicators and what to do with phishing email,” he says.
Denver Health employees undergo training, but they’re also tested at least monthly with fake phishing emails.
Getting users to report phishing emails gives the security team a chance to respond earlier than if the organization already has been compromised.
“When people alert us, we can use tech tools to dive into that, see what it was, see who all got it, see if anybody clicked on it. We can drive very fast once we get notified,” Frietzsche says.
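What that triage looks like in practice, as an added example that is not code from the article or from Denver Health: given one user's phishing report, correlate a mail-gateway log and a web-proxy log to list everyone who received the same message, who clicked the link, and who clicked after the report came in (the clicks a fast block would have prevented). The log formats, the usernames, the sender and the URL are constructed for the illustration.

```python
"""Scope a reported phishing email across mail and proxy logs.
Added example; log formats and sample data are constructed, not real."""
from datetime import datetime
from urllib.parse import urlsplit

# Constructed mail-gateway log. Assumed format: timestamp,sender,recipient,subject
MAIL_LOG = """\
2018-04-12T07:58:10,payroll@evil.example,jsmith@hospital.example,Urgent: W-2 correction required
2018-04-12T07:58:11,payroll@evil.example,mlee@hospital.example,Urgent: W-2 correction required
2018-04-12T07:58:12,payroll@evil.example,rgarcia@hospital.example,Urgent: W-2 correction required
2018-04-12T08:10:00,noreply@vendor.example,jsmith@hospital.example,Invoice 4412
"""

# Constructed web-proxy log. Assumed format: timestamp,user,url
PROXY_LOG = """\
2018-04-12T08:03:22,mlee,http://payroll-update.evil.example/login
2018-04-12T08:05:10,jsmith,https://intranet.hospital.example/
2018-04-12T08:20:40,rgarcia,http://payroll-update.evil.example/login?id=7
"""

# The user's report as the security team receives it (constructed)
REPORT = {
    "reported_at": datetime(2018, 4, 12, 8, 6, 0),
    "sender": "payroll@evil.example",
    "url": "http://payroll-update.evil.example/login",
}


def _rows(text, fields):
    """Yield comma-separated rows; the last field may itself contain commas."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(",", fields - 1)


def scope_phish(report, mail_log=MAIL_LOG, proxy_log=PROXY_LOG):
    """Return who got the message, who clicked, and who clicked after the report."""
    bad_host = urlsplit(report["url"]).netloc.lower()  # block the host, not one path

    recipients, first_seen = set(), None
    for ts, sender, rcpt, _subject in _rows(mail_log, 4):
        if sender.lower() != report["sender"].lower():
            continue
        recipients.add(rcpt.split("@")[0])  # assumed: mailbox local part == username
        t = datetime.fromisoformat(ts)
        first_seen = t if first_seen is None or t < first_seen else first_seen

    clicked, after_report = set(), set()
    for ts, user, url in _rows(proxy_log, 3):
        if urlsplit(url).netloc.lower() != bad_host:
            continue
        clicked.add(user)
        if datetime.fromisoformat(ts) > report["reported_at"]:
            after_report.add(user)  # a block at report time would have stopped this

    minutes = None
    if first_seen is not None:
        minutes = (report["reported_at"] - first_seen).total_seconds() / 60
    return {
        "recipients": sorted(recipients),
        "clicked": sorted(clicked),
        "clicked_after_report": sorted(after_report),
        "minutes_to_report": minutes,
    }


if __name__ == "__main__":
    for key, value in scope_phish(REPORT).items():
        print(f"{key}: {value}")
```

The "clicked_after_report" set is the one worth tracking as a metric: it measures how much a faster block on the malicious host would have bought, and it shrinks as reporting and response get quicker.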
Health IT Teams Should Keep Security Programs Up to Date
Healthcare is behind the curve in enacting security controls — about 10 years behind financial services, which enacted controls due to strict regulatory requirements, Frietzsche says.
Along with O’Neill, he stresses the need for healthcare organizations to have an insider threat plan as part of an overall privacy and security program.
The Denver Health security management program covers different domains: risk management, incident management, exception management as well as insider threat management.
“[With each one] we define why we do it, why it’s important, how we do it, and what’s the expected outcome. If there are any metrics associated with it, we say what those will be as well,” Frietzsche says. Having such a laid-out plan is useful if the team has to go ask for money or other resources to enact it.
Denver Health also has an overall IT security policy and an acceptable use policy that spells out what users may and may not do.
On the technology side, he recommends role-based access control, least privilege, and monitoring of user behavior through a security information and event management (SIEM) tool or user behavior analytics to establish patterns, backed by a policy that lays out how the organization will act when behavior deviates from those patterns.
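An added example, not code from the article, Denver Health or Summit Health, of what the proactive audits in O'Neill's list and the behavior monitoring Frietzsche describes can look like over an EHR access log: it applies three checks to a constructed audit log and HR roster, flagging a terminated account still in use, clinical staff opening charts outside their own unit, and a user reading far more distinct patient records than department peers. The log format, roster, department names and thresholds are assumptions; real EHR audit logs differ, and the thresholds must be tuned against a real baseline.

```python
"""Proactive insider-threat audit over a constructed EHR access log.
Added example; formats, roster, thresholds and data are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit log. Assumed format:
#   timestamp,user,user_department,patient_id,patient_unit
ACCESS_LOG = """\
2018-04-10T08:05:12,jsmith,Cardiology,P1001,Cardiology
2018-04-10T08:41:03,jsmith,Cardiology,P1002,Cardiology
2018-04-10T09:02:51,mlee,Cardiology,P1003,Cardiology
2018-04-10T09:15:37,mlee,Cardiology,P1004,Cardiology
2018-04-10T22:47:09,mlee,Cardiology,P2001,Oncology
2018-04-10T10:30:00,rgarcia,Oncology,P2001,Oncology
2018-04-10T10:35:00,rgarcia,Oncology,P2002,Oncology
2018-04-10T11:10:00,rgarcia,Oncology,P2003,Oncology
2018-04-10T13:00:00,bolds,Oncology,P2002,Oncology
2018-04-10T14:00:00,tnguyen,Billing,P1001,Cardiology
2018-04-10T14:05:00,tnguyen,Billing,P2001,Oncology
"""
# Fourteen distinct Oncology charts opened by one user within an hour (constructed)
ACCESS_LOG += "".join(
    f"2018-04-10T15:{i:02d}:00,kpatel,Oncology,P2{i + 10:03d},Oncology\n" for i in range(14))

# Constructed HR roster (assumed): user -> (department, termination date or None)
ROSTER = {
    "jsmith": ("Cardiology", None),
    "mlee": ("Cardiology", None),
    "rgarcia": ("Oncology", None),
    "kpatel": ("Oncology", None),
    "tnguyen": ("Billing", None),
    "bolds": ("Oncology", datetime(2018, 4, 5)),
}
NON_CLINICAL = {"Billing"}  # assumed: roles that legitimately touch every unit


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dept, patient, unit = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "patient": patient, "unit": unit})
    return events


def flag_terminated(events, roster):
    """Accounts active after HR's termination date, or unknown to HR at all:
    the audit behind 'strong termination procedures'."""
    hits = set()
    for e in events:
        entry = roster.get(e["user"])
        if entry is None or (entry[1] is not None and e["ts"] >= entry[1]):
            hits.add(e["user"])
    return sorted(hits)


def flag_cross_unit(events):
    """Clinical staff reading charts of patients outside their own unit."""
    return [(e["user"], e["patient"], e["unit"]) for e in events
            if e["dept"] not in NON_CLINICAL and e["dept"] != e["unit"]]


def flag_volume_outliers(events, ratio=3.0, floor=5):
    """Users whose distinct-patient count is far above their department's median.
    ratio and floor are assumed thresholds; the floor avoids flagging tiny counts."""
    per_user = defaultdict(set)
    for e in events:
        per_user[(e["dept"], e["user"])].add(e["patient"])
    by_dept = defaultdict(dict)
    for (dept, user), patients in per_user.items():
        by_dept[dept][user] = len(patients)
    flagged = []
    for counts in by_dept.values():
        base = median(counts.values())
        flagged += [(u, n, base) for u, n in counts.items()
                    if n >= floor and n > ratio * base]
    return flagged


def audit(log_text=ACCESS_LOG, roster=ROSTER):
    """Run all three checks; each finding is a lead for review, not a verdict."""
    events = parse_log(log_text)
    return {"terminated_in_use": flag_terminated(events, roster),
            "cross_unit": flag_cross_unit(events),
            "volume_outliers": flag_volume_outliers(events)}


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings}")
```

Each finding is a red flag to investigate, not a conclusion: a cardiologist consulting on an oncology patient is legitimate, which is why the policy Frietzsche describes has to say in advance what the organization does when a pattern deviates, and who reviews it.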
“Then we have a policy from governance all the way down to operationally how we address insider threats,” he says.
According to Frietzsche, many healthcare organizations haven’t thought about what happens if an employee clicks on a malicious email — will that person be fired for a first offense?
Widup also urges organizations to make a ransomware attack their next incident response test so they can figure out how to recover before it actually happens to them.
“Even if it’s not time to do a response test — and we hope everybody does this annually — it would be a really good exercise to go through,” she says.