Managing Risk of Insider Threats in Healthcare Cybersecurity

April 22, 2022 - HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued a brief outlining risk factors and mitigation tactics for managing insider threats in healthcare cybersecurity. From malicious insiders to careless workers and third parties, insiders with access to sensitive information could use that information to impact the organization negatively.

Specifically, HC3 defined an insider threat as “a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization’s security practices, data, and computer systems.”

HC3 divided insider threats into the following categories: negligent workers, malicious insiders, inside agents, disgruntled employees, and third parties. Insider threats can cause critical data loss, operational disruptions, brand damage, and legal liabilities, no matter the intent.

Some insider threats may have no motive to harm but can still make inappropriate decisions that hurt the organization. According to a 2020 Ponemon Institute report, 61 percent of data breaches involving an insider were largely unintentional and could be attributed to negligence. The finding highlights the need for more comprehensive employee cyber education. 

HC3 provided the example of an employee leaving an unencrypted mobile device unattended or having Amazon’s Alexa running while sensitive meetings were going on. Organizations can mitigate negligence by prioritizing security awareness training, HC3 suggested.

While employee education can tackle negligence, malicious insider threats are harder to predict.

“While more money is allocated to protect against these types of threats, studies show they pose less of a threat to organizations than insider threats,” HC3 noted.

The Ponemon Institute found that only 14 percent of insider threat incidents resulted from malicious intent. Inside agents may work “on behalf of an external group to compromise an organization’s network and carry out a data breach or other attack,” the brief stated.

“This is dangerous because it provides an outside group with the access and privileges of an insider.”

Disgruntled employees can also pose risks to healthcare organizations, usually motivated by financial gain. In addition, third parties with access to critical data can cause data breaches, emphasizing the importance of third-party risk management and assessments.

HC3 underscored that insider threats could lead to data theft, system sabotage, and instances of fraud. Shadow IT, mismanaged access, and bring your own device (BYOD) policies can open organizations to unforeseen risks. 

To combat these risks, organizations should focus on detection analysis, post-breach forensics, and implementing zero trust security models. In addition, healthcare organizations should update cybersecurity policies, limit privileged access, and back up data.

The brief provided the following best practices for mitigating insider threats:

• Incorporate insider threat awareness into periodic security training for all employees.
• Implement strict password and account management policies and practices.
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Ensure that sensitive information is available only to those who require access to it.
• Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
• Develop a formal insider threat mitigation program.

HC3 also suggested that organizations view insider threat management as a team effort between the IT and human resources departments and healthcare leadership in order to effectively mitigate risk.