IT Specialist Charged in Healthcare Cyberattack Highlights Insider Threat Risks

June 01, 2022 - An IT specialist has been charged for allegedly hacking into a Chicago healthcare organization’s server in 2018, the Department of Justice (DOJ) announced.

Aaron Lockner, 35, of Downers Grove, Illinois, formerly worked for an IT company that had a contract with the impacted healthcare organization. As a result, Lockner had access to the healthcare organization’s computer network.  

Two months before the incident, Lockner was allegedly denied an employment position at the healthcare company. A few months later, Lockner was terminated from the IT firm.

According to the indictment, Lockner allegedly “knowingly caused the transmission of a program, information, code, and command, and as a result of such conduct, intentionally caused damage without authorization to a protected computer.”

The resulting cyberattack led to disruptions in medical examinations, treatment, and diagnoses. Lockner could face up to 10 years in federal prison if convicted.

The incident underscored the risk of insider threats in healthcare, which can be just as damaging as cyberattacks executed by anonymous threat actors, according to a recent Health Sector Cybersecurity Coordination Center (HC3) brief.

HC3 defined an insider threat as “a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization’s security practices, data, and computer systems.”

HC3 divided insider threats into the following categories: negligent workers, malicious insiders, inside agents, disgruntled employees, and third parties. Insider threats can cause critical data loss, operational disruptions, brand damage, and legal liabilities, no matter the intent.

The Verizon Business 2022 Data Breach Investigations Report (DBIR) noted that healthcare has long been known for the prominence of insider threats compared to other industries. However, basic web application attacks overtook miscellaneous errors in causes of breaches in the healthcare sector in 2022’s report for the first time.

“While the make-up of the insider breach has moved from being largely malicious misuse incidents to the more benign (but no less reportable) Miscellaneous Errors, we have always been able to rely on this industry to tell the insider threat story,” the report noted.

“With the rise of the Basic Web Application Attacks pattern in this vertical, those inside actors no longer hold sway.”

Verizon stressed that this shift does not imply that insider threats are no longer relevant, even as external threats become more prominent. Employees are still causing breaches, but they are 2.5 times more likely to make an honest error via misdelivery or loss than to maliciously misuse their access privileges, the report explained. After factoring in human errors and privilege misuse, the human element accounted for 82 percent of analyzed breaches in 2021 across all sectors. 

Even as external threats continue to grow, the Lockner case highlighted the need to protect against insider threats as well. HC3 recommended that healthcare organizations implement strict password and account management policies, develop a formal insider threat mitigation program, and use the principle of least privilege to limit access to sensitive material.