There are numerous potential threats to health data security, and increasingly complex technology only adds to that risk. Insider threats are one key area of concern, as careless or poorly trained employees could compromise sensitive information.
A recent report from the Institute for Critical Infrastructure Technology (ICIT) discusses this growing danger, as insider threat actors may either ignore cyber-hygiene measures or potentially bypass cybersecurity controls. Organizations across all industries need to ensure they are taking necessary steps to prevent an insider threat epidemic, ICIT report authors maintain.
“Despite all the technological innovation of the digital age, humans remain the strongest and the weakest link in every organization’s cybersecurity,” the report authors wrote. “Personnel are the most vital and the most vulnerable operational resource.”
Citing data from IBM, 31.5 percent of all the 2014 cybersecurity incidents were caused by malicious insiders. Furthermore, 23.5 percent stemmed from non-malicious insider threat activity.
Detecting, deterring, and mitigating insider threats are key pillars to building strong cybersecurity measures, ICIT stressed. One insider threat “can jeopardize decades of work, can inflict millions or billions of dollars of harm, and can impact millions of lives,” the report stated.
There are three main types of insider threats, according to ICIT:
- Careless or uninformed users who unintentionally violate security requirements and policies due to a lack of cybersecurity awareness, training, or foundational cyber hygiene
- Negligent users who intentionally evade security measures out of convenience, neglect, or misguided attempts to increase productivity
- Malicious users who intentionally evade security measures in attempts to profit financially, gain revenge, or seek to unmask corruption or other malfeasance, based on a misguided sense of idealism
Report authors noted that non-malicious insider threats cannot be ignored. These types of threats can be especially harmful to healthcare.
For example, ransomware attacks have increasingly become a key concern in the industry. If employees are not properly trained to recognize phishing scams or malicious email, they may inadvertently expose their organization to outside threats.
The majority of healthcare data security incidents in 2016 were caused by cybersecurity attacks. Covered entities and business associates not only need to implement the latest technical safeguards, but must also regularly train all employees.
Staff members should be trained to not open any email attachments that they are not expecting, and to also not click any links embedded in emails sent from unknown sources.
Secure connections are also important. Any mobile users should not log in from unsecured wireless locations.
Strong authentication measures will also be beneficial for healthcare organizations, ensuring that users are who they claim to be. Toward the end of 2016 the Office for Civil Rights (OCR) touched on this very issue, noting that healthcare organizations will “usually use login passwords or passphrases to access information on public or private networks, internet portals, computers, medical devices, servers, and software applications.”
A comprehensive, accurate, and thorough risk analysis for the entire organization is critical, according to OCR. This will help identify potential ePHI vulnerabilities, including any weaknesses in current authentication methods and practices.
A study released last year by Accenture and HfS Research also discussed how insider threats may affect healthcare organizations’ data security.
Approximately half – 48 percent – of surveyed C-level security executives and IT professionals said they had a strong or critical concern over data theft from insiders in the next 12 to 18 months. Sixty-nine percent reported that they had experienced an attempted or successful theft or corruption of data by insiders during the prior 12-month period.
“Cybersecurity today must include a rethinking of the nature of security, and a shift from an approach that stresses protecting vulnerable assets to one based upon strengthening assets, making them more resilient and part of a holistic cybersecurity process that delivers greater value to the enterprise,” the report’s authors stated in the executive summary. “Digital trust is not a technology, nor a process — it’s an outcome exemplified by secure, transparent relationships and engagement between the enterprise and its employees, partners, and customers.”
For healthcare/pharma respondents, 26 percent said that a lack of a security budget – including technology and services – was the largest inhibitor to their organization’s security provision. A lack of staffing budget was the next most cited inhibitor – named by 16 percent – while extended budget cycles were listed as the top hindrance by another 16 percent.