News

Feds Warn of Insider Cybersecurity Threat to Health Care

• By Chris Paoli
• 09/27/2022

Neglectful individuals, not malicious actors, are behind the majority of insider threats that can lead to data loss in the health care industry.

In a recent brief by the Department of Health and Human Services' Health Sector Cybersecurity Coordinating Center (H3), the company pointed out that negligent insiders account for 61 percent of insider threat incidents, while only 16 percent are from malicious insiders. The remaining 25 percent are connected to stolen credentials.

H3 said a "lack of awareness about security policies and a failure to provide security awareness training" is the top reason for the neglect, and pointed to a Ponemon 2020 Insider Threats Report that found only 39 percent of health care employees received security awareness training in the previous year.

It's also important to note that H3 considers insider threats to involve third parties that might have temporary access to a network. According to the brief, 72 percent of third-party vendors were granted elevated permissions on systems. This can pose a problem, especially if the third parties aren't up to speed on an organization's security policies.

The shift to the cloud and clear communication of security policies related to the technology have made insider threats 53 percent harder to detect, according to the brief. And it's also enabled disgruntled individuals to perpetrate insider threats easier. The brief pointed to an example in 2021 of an ongoing investigation into an individual believed to be responsible for downloading 12,000 confidential files to a cloud service before leaving to work for a competitor.

The growing workforce and the increased use of personal devices, like home PCs and smartphones, have also led to an increase in insider threats to the health care industry. The brief points to the increase in incidents because an employee leaves a personal device unattended that contains confidential information.

As stated earlier, there's still a portion of insider threats that do come from malicious individuals. The brief points to the risk from disgruntled employees, and are typically connected to a privilege misuse. According to a Verizon 2021 Data Breach Report, 80 percent of privilege misuse was financially motivated, and not caused by neglect.

Whether caused by a lack of security awareness or by a bad actor, insider threats are a financial toll on the health care industry. H3 points again to the Ponemon report that found the annual global cost of insider threats was $11.45 million in 2020 -- a figure that has been steadily increasing over the past five years.

When looking to curb this growth and to mitigate the financial burden, H3 recommends the following best practices:

• Incorporate insider threat awareness into periodic security training for all employees.
• Implement strict password and account management policies and practices.
• Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
• Ensure that sensitive information is available only to those who require access to it.
• Use a log correlation engine or security information and event management (SIEM) system to log, monitor and audit employee actions.
• Develop a formal insider threat mitigation program.