How to Identify, Address Insider Threats in Healthcare

August 05, 2022 - Malicious hackers ascending from the depths of the dark web, state-sponsored ransomware groups, and targeted phishing scams may come to mind when thinking of potential healthcare cybersecurity threats. But insider threats, whether borne from negligence or the intent to harm, can be equally damaging.

When protected health information (PHI) gets into the wrong hands, patient privacy is at risk—regardless of the source of the threat.

External threats are currently the primary threat type to healthcare organizations, but knowing how to detect and respond to insider threats is also crucial to having a robust security strategy. 

Below, HealthITSecurity will identify the types insider threats in healthcare and provide tips for how organizations can mitigate risk. 

Changing the Narrative of Insider Threats in Healthcare

In May 2022, an IT specialist was charged for allegedly hacking into a Chicago healthcare organization’s server in 2018. Two months before the incident, Aaron Lockner, 35, of Downers Grove, Illinois, who was working in a contract role for an IT firm, was allegedly denied an employment position at the healthcare organization. A few months later, Lockner was terminated from the IT firm.

According to the indictment, Lockner “knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer.”

The resulting cyberattack led to disruptions in medical examinations, treatment, and diagnoses.

The case offers an example of how a disgruntled employee could use their access and credentials to put health data at risk. Although this scenario is not unheard of, the narrative of insider threats in healthcare is shifting away from cases like this and moving toward instances of negligence or carelessness.

“While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common,” the HHS Health Sector Cybersecurity Coordination Center (HC3) emphasized in a brief.

The majority of today’s insider breaches come from well-intentioned employees who make honest mistakes or misunderstand HIPAA and the organization’s policies on data transmission.

Interestingly, the Verizon Business 2022 Data Breach Investigations Report (DBIR) found that, although healthcare is notorious for the prominence of insider threats, external threats accounted for 61 percent of observed threat actors in 2021. However, this does not mean that insider threats are no longer prominent in the sector.

“While the make-up of the insider breach has moved from being largely malicious misuse incidents to the more benign (but no less reportable) Miscellaneous Errors, we have always been able to rely on this industry to tell the insider threat story,” the report noted.

Essentially, the rise in web application attacks overwhelmed the sector and took the place of insider threats as the top threat. The report emphasized that this shift does not mean that insider threats are no longer significant, even as external threats become more prominent. Employees are still causing breaches, but they are 2.5 times more likely to make an honest error via misdelivery or loss than to maliciously misuse their access privileges, Verizon stated.

After factoring in human errors and privilege misuse, the “human element” accounted for 82 percent of analyzed breaches in 2021. Insider threats may look different and less threatening on the surface than in past years, but the impacts of a breach can still be damaging.

Types of Insider Threats

Within HC3’s brief on insider threats, it identified several types of insider threats: careless or negligent workers, malicious insiders, inside agents, disgruntled employees, and third parties.

Careless or negligent insiders may have a lack of awareness about the organization’s security policies, HC3 explained. Examples of unintentional insider actions include an employee leaving an unencrypted mobile device containing sensitive data unattended or leaving Alexa running while sensitive meetings are going on.

“Malicious insiders are insiders that have a grievance against a company and choose to act on it,” HC3 continued.

According to the Ponemon Institute’s 2020 Insider Threats Report, malicious insiders accounted for 14 percent of insider threat incidents, while negligent insiders accounted for 61 percent of insider threat incidents. Malicious insiders, while now less common, are still worth considering.

In addition to negligent and malicious insiders, HC3 identified inside agents as a threat type. Essentially, inside agents could be anyone within the organization who is willing to do work for an external threat actor.

“This type of insider threat works on behalf of an external group to compromise an organization’s network and carry out a data breach or other attack,” the brief stated. “This is dangerous because it provides an outside group with the access and privileges of an insider.”

Disgruntled employees are another insider threat type, and they can pose significant risks depending on what data and credentials they may have access to.

“They are considered emotional threat actors with an intent to cause harm to their company, and in some cases feel as if they are owed something,” HC3 explained.

Lastly, third parties can take the form of an insider threat. As healthcare organizations continue to outsource more of their business functions, third-party risk management has become even more critical to maintaining cybersecurity.

Even with HIPAA-required business associate agreements (BAAs) in place, third-party vendors are frequently the source of data breaches that may lead to protected health information (PHI) exposure.

Insider threats can take many forms, but recent trends have shown that negligence and simple mistakes are often the sources of insider breaches.

Preventing, Responding to Insider Threats

In a guidance document, the Cybersecurity and Infrastructure Security Agency (CISA) suggested that organizations build a comprehensive insider threat mitigation program to tackle risks.

“Insider threat mitigation programs need to be able to detect and identify improper or illegal actions, assess threats to determine levels of risk, and implement solutions to manage and mitigate the potential consequences of an insider incident,” CISA stated.

“Organizations should form a multi-disciplinary Threat Management Team to create an Incident Response Plan, ensuring their response to an insider incident or potential threat is standardized, repeatable, and consistently applied.”

Organizations should start small by assessing existing capabilities and resources, defining the purpose of the program, and identifying critical assets, CISA suggested. In addition, organizations should establish a culture of shared responsibility and develop confidential reporting pathways for employees to report suspicious activity. Last but not least, organizations should train employees to recognize indicators of insider threats.

Along with a thorough risk mitigation program, detection analysis, and post-breach forensics, HC3 suggested numerous ways in which healthcare organizations can prevent insider threats:

• Revise and update cybersecurity policies and guidelines
• Limit privileged access and establish role-based access control
• Implement the zero-trust and MFA models
• Back up data and deploy data loss prevention tools
• Manage USB devices across the corporate network

If insider threat activity does occur, healthcare organizations should consider having processes in place to detect and respond, including logging and auditing, user activity monitoring, and User and Entity Behavior Analytics (UEBA).

Third-party risk assessments can help organizations manage potential vendor risk, and strong employee education programs can mitigate negligence. Establishing a culture of cybersecurity can also aid healthcare organizations in reducing risk.

“Identifying an insider threat should be a team effort between healthcare leadership, IT and the Human Resources department,” HC3 concluded.

“This will help organizations implement targeted monitoring and detect malicious insiders in a timely manner, hopefully before they cause damage.”