Cybersecurity pros share countermeasures for protecting against insider threats
Several years back, Memorial Healthcare System in Florida was attacked from within. Two employees accessed the protected health information of more than 115,000 patients, stealing the patient data. That breach led Memorial to completely revamp its security procedures to guard against future insider threats. It still ended up paying a $5.5 million HIPAA settlement as a result of the breach.
It's not just mystery hackers from Russia trying to gain access to U.S. information systems. Insider security threats are becoming more common in healthcare, and the cause of many breaches. A recent Verizon report noted that 60 percent of healthcare data breaches involve insiders.
There are two types of insider threats that healthcare organizations can face: malicious and accidental. Malicious actors aim to do harm; unintentional insiders are often employees that were trying to do the right thing but made a mistake or acted in ignorance.
"The first and most obvious type of insider threat is malicious actors whose intention is to cause harm to an organization," said Mike McKee, CEO of insider threat management company ObserveIT. "If an insider is bored, depressed, frustrated or angry based on a situation involving an organization or workplace, there is a high likelihood that they may act out maliciously. Money is another significant motivator for malicious insider threats."
If an employee is suffering from financial hardship, or is looking to improve their situation, there is an opportunity to exploit their insider position for monetary gain. And malicious insider threats can be motivated by politics. Incidents of state-sponsored insider threat attacks and corporate espionage have been reported.
"The second type of insider threat is accidental, often caused by human error or ignorance," McKee explained. "An employee or contractor with access to the organization's systems and data may be a risk for becoming an insider threat if they aren't necessarily tech-savvy or used to considering the security implications of their actions. Even if they are aware of the potential consequences, employees often take the most convenient course available and avoid using difficult and cumbersome security tools."
Healthcare organizations can take administrative countermeasures to protect themselves.
"These include continuous workforce education, active training via simulated phishing emails with immediate feedback and training, and progressive disciplinary measures for repeat offenders, although this has been slow to adopt in my experience," said Fernando Martinez, chief digital officer at the Texas Hospital Association, which created and promotes a cybersecurity awareness program.
"If an insider is bored, depressed, frustrated or angry based on a situation involving an organization or workplace, there is a high likelihood that they may act out maliciously."
Mike McKee, ObserveIT
Hospitals also can take technical countermeasures to protect digital assets.
"These include disabling hyperlinks and document execution from emails, flagging emails from outside of the organization, and using third-party security software, host-based intrusion prevention systems or advanced hyperlink analyzers," Martinez said.
Other countermeasures such as thorough network management and visibility may not prevent a successful exploit but can identify and alert when an exploit succeeded in order to minimize the risk and operation impact, he added. These include detection of anomalous network behavior using security information and event management or similar technology, network traffic analysis such as egress filtering, honeypots, and geo-constrained access control lists on firewalls and other perimeter controls, he said.
The best way to mitigate risk associated with both intentional and unintentional insider threats is by monitoring user activity and implementing a formal insider threat program to decrease risk, McKee said.
Nearly half of respondents (44.9%) to the 2018 HIMSS Cybersecurity Survey indicated that their organizations do have insider threat management programs and that policies are in place. Yet other respondents (27.0%) indicated that their insider threat management programs are informal. But a fair number of respondents (24.2%) indicated that their organizations had no insider threat management program at all.
"Both negligent and malicious insider threat activity can be extremely damaging to any organization," the HIMSS report said. "Undesirable consequences, such as data leakage, breaches, sabotage and fraud may occur and could go unnoticed for a significant period of time until the damage is significant to the organization."
The problem, of course, is not new and HIMSS noted in its 2017 cybersecurity report that formalizing an insider threat management program is more effective because rules, formal policies and sanctions can be applied and enforced consistently.
A monitoring solution should include a collection of data: capturing rich metadata including timestamp and duration of a session, login account, system name, the far endpoint the user came in from and more provides organizations the context of user actions before, during and after any incident or out-of-policy behavior, McKee said.
Such technology should also be able to automatically detect risky activity and anomalous user behavior, McKee added. Behavioral analytics can continually analyze user activity to detect actions that are out of role, suspicious, or in violation of the formal insider threat program. And live session response allows healthcare administrators to receive real-time alerts when an unauthorized or suspicious activity takes place.
Healthcare Security Forum
The Boston forum focuses on business-critical information healthcare security pros need Oct. 15-16.