Many healthcare professionals are more concerned about insider threats to health data security than external breaches, according to a survey by HIMSS on behalf of SailPoint.
There is an acute level of concern about the threats posed by insiders. On a scale of 1 to 10, the mean score for the level of concern of respondents was 8.2.
Among respondents who implemented or managed cybersecurity solutions for their organization, 43 percent said that insider threats were of greater concern than external threats. Another 35 percent were equally concerned about insider threats and external threats to data security, according to the survey of 101 healthcare professionals, a copy of which was provided to HealthITSecurity.com.
Sixty-one percent of respondents said that they use directory group membership to secure data stored in files, 48 percent use manual permissions assignments to secure data stored in files, 46 percent use unified identity management solutions, and 38 percent use data governance solutions.
Three-quarters of respondents rely on training and awareness as the staples of their approach to addressing threats posed by insiders.
At the same time, slightly more than half of the respondents are using identity governance for data stored in files or data loss prevention tools, while slightly less than half use access behavior monitoring and analytics.
However, respondents recognized the importance of monitoring and analyzing user access behavior to thwart insider threats. On a scale of 1 to 10, the mean score for the level of importance respondents attached to this capability was 8.1.
“While training and awareness programs remain a commonly deployed tactic, organizations are falling short of providing the proper tools and technology that enable best practices. Healthcare providers seeking to mitigate insider risks would be wise to consider adopting a truly comprehensive, intelligent identity solution as a foundation for governing and protecting on-premises or cloud applications and data files,” the report recommended.
This concern about insider threats in healthcare is justified. According to Verizon’s 2018 Data Breach Investigations Report (DBIR), the healthcare industry is the worst when it comes to stopping data breaches caused by insiders.
The DBIR found that healthcare was the only sector in which more data breaches were attributed to internal actors (56 percent) than to external actors (43 percent).
While insider threats are often seen as disgruntled employees and other malicious individuals, errors make up the most common type of cyber incident in healthcare, followed by malware, hacking, and privilege misuse.
Medical information was the target of two-thirds of data breaches in the healthcare industry, while personal information was involved in 37 percent of breaches and payment information in 4 percent, the report found.
The healthcare industry had 750 cyber incidents last year, 536 of which involved data disclosure. Miscellaneous errors, crimeware, and privilege misuse together accounted for 63 percent of cyber incidents in the sector.
The 2018 HIMSS Cybersecurity Survey found that three-quarters of healthcare professionals surveyed said their organization had experienced a significant security incident in the past 12 months; 20 percent of those incidents were caused by negligent insiders.
If they haven’t already, healthcare organizations should adopt a comprehensive cybersecurity framework, the HIMSS report recommended. Nearly 58 percent of respondents said their organization uses the NIST Cybersecurity Framework, with HITRUST (26.4 percent) and Critical Security Controls (24.7 percent) also in the top three.
“Before healthcare cybersecurity can improve, all healthcare organizations need to get on the same page,” the report explained. “One of the ways to achieve this is through the adoption of a universal security framework. Unfortunately, we are not there yet.”
As part of a comprehensive security program, healthcare organizations should establish an insider threat management program, the HIMSS report advised.
An insider threat management program can include policies, controls, and the involvement of management within an organization to address and mitigate the threat. Nearly 45 percent of respondents said their organization had such a program established, with 27 percent saying there was an informal program in place.