Healthcare Information Security

News

How Insider Threats May Affect Healthcare Data Security

A recent study should be a lesson to healthcare organizations when it comes to monitoring insider threats and potential compromises to their healthcare data security.

By Elizabeth Snell

Malware attacks are becoming an increasingly major threat to covered entities, but if a recent report is any indication, insider threats could also lead to healthcare data security compromises.

Insider threats could be large threat to healthcare data security

More than 200 C-level security executives and IT professionals were polled for The State of Cybersecurity and Trust 2016 report by Accenture and HfS Research, in industries including media and technology, banking and financial services, and healthcare/pharma.

Forty-eight percent of those surveyed stated they had a strong or critical concern over data theft from insiders in the next 12 to 18 months. Furthermore, 69 percent said they had experienced an attempted or successful theft or corruption of data by insiders during the prior 12 month period.

“Cybersecurity today must include a rethinking of the nature of security, and a shift from an approach that stresses protecting vulnerable assets to one based upon strengthening assets, making them more resilient and part of a holistic cybersecurity process that delivers greater value to the enterprise,” the report’s authors stated in the executive summary. “Digital trust is not a technology, nor a process — it’s an outcome exemplified by secure, transparent relationships and engagement between the enterprise and its employees, partners, and customers.”

In terms of current funding and staffing levels, 42 percent of respondents said they need more of a budget for hiring cybersecurity professionals and for training.

For the healthcare/pharma industry specifically, 26 percent said that a lack of a security budget - including technology and services - was the largest inhibitor to their organization’s security provision. Sixteen percent reported that a lack of staffing budget was the greatest inhibitor, and extended budget cycles were listed by 16 percent of healthcare/pharma respondents.

Accenture graph of biggest security provision inhibitors

The report also found that overall, 54 percent of those surveyed either agreed or strongly agreed that cybersecurity is an enabler of digital trust for consumers. Additionally, 36 percent stated that their executive management considers cybersecurity an unnecessary cost.

“Our research paints a sobering picture,” Accenture Security Senior Managing Director Kelly Bissell said in a statement. “Security leaders believe threats are not going away, in fact they expect them to increase and hinder their ability to safeguard critical data and establish digital trust. At the same time, while organizations want to invest in advanced cyber technologies, they simply don’t have enough budget to recruit or train skilled people to use that technology effectively.”  

Organizations need to ensure that they are creating a digital trust environment, she added.

Staffing, training, and creating a culture of cybersecurity awareness will be essential tools for all sectors, according to the report’s authors. It must be integrated into the business model, and start at the executive leadership level.

“If an organization is unable to properly secure, and trust, its data, if it is unable to procure advanced technology, or lacks the staff to deploy, or if its overall cybersecurity posture isn’t enabling a higher level of trust and customer benefit, CEOs and executive team members must drive a cultural shift that embraces cybersecurity,” the report explained.

It is also important for healthcare organizations to understand that not all insider threats are necessarily malicious. Research from Dartmouth College, the University of Pennsylvania, and USC showed that healthcare workers often find workarounds for cybersecurity measures in an effort to stay efficient and complete their tasks.

CIOs, CTOs, IT personnel, or whomever builds a healthcare organization’s system, do not always consider how clinician workflow will be affected, according to the report’s authors. Entering multiple passwords, and having automatic timed log offs can be seen as annoying, rather than a patient safety measure.

“Equally important, circumvention of cybersecurity is seldom examined by those concerned with workflow, HIT usability, barriers to teamwork, thought-flow, or user frustration,” the report states. “Cybersecurity and permission management problems are hidden from management, and fall in the purview of computer scientists, engineers, and IT personnel.”

Image Credit: Accenture, HfS Research

Dig Deeper:

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks