Governance & Risk Management
Incident & Breach Response
HHS HC3 Urges Sector to Assess, Address Insider Cyber Risks
While major hacking incidents regularly grab headlines, insider threats – including malicious individuals, careless or disgruntled employees and third-party contractors – continue to pose significant and sometimes underestimated risk to healthcare sector entities, federal authorities warn.
The Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center, or HC3, in a threat brief issued Friday spotlights risks and challenges the healthcare sector faces because of insider threats, including fraud, data theft, system sabotage, competitive loss, liability issues and brand damage.
Top insider threats for healthcare sector entities include individuals that have a grievance against an organization and act on it, negligent and careless users, and third-party vendors and contractors that have elevated permissions on an entity’s systems.
While most organizations invest more money on insider threats with malicious intent, negligent insider threats are more common, the brief says. For instance, according to a 2020 insider threat report by the Ponemon Institute, 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders.
Those unintentional incidents range from employees leaving unencrypted mobile devices – including BYOD gear – containing sensitive data unattended to having Amazon Alexa virtual assistant devices turned on while attending remote meetings where sensitive information is being discussed, HC3 writes.
But about 25% of negligent, accidental insider breaches involve stolen credential incidents, HC3 says.
“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” according to HC3.
Privacy attorney Iliana Peters of the law firm Polsinelli says the HHS insider threat brief is an important reminder of a pervasive threat across all sectors – and not just in healthcare. Insider threat “is often overlooked given the prevalence and ‘scariness’ of incidents involving outside threat actors, such as nation-states and foreign criminals,” says Peters, a former senior adviser at HHS’ Office for Civil Rights, which enforces HIPAA.
HC3 recommends healthcare organizations focus more attention on the following critical areas to prevent incidents involving insiders:
- Revising and updating cybersecurity policies and guidelines;
- Limiting privileged access and establishing role-based access control;
- Implementing zero trust and multifactor authentication models;
- Backing up data and deploying data loss prevention tools;
- Managing USB devices across the corporate network.
The shift to cloud services by many organizations has also made insider threats harder to detect, HC3 says.
For instance, it says that in October 2021, a large U.S. pharmaceutical company launched an investigation after an employee downloaded 12,000 confidential files on a cloud system before leaving to work for a competitor.
That incident, which was the subject of a lawsuit filed last fall in a federal court by Pfizer, alleges that the former employee transferred over 12,000 files – including confidential company documents from her Pfizer-issued laptop – to a personal Google Drive account and onto other personal devices, just before planning to resign from the company to join another drug firm (see: Pfizer Alleges Worker Took COVID Vaccine Trade Secrets).
Some security experts say that risks involving insiders and cloud-based data are often misjudged by entities.
“One of the biggest mistakes entities make when shifting to the cloud is to think that the cloud is a panacea for their security challenges and that security is now totally in the hands of the cloud service,” says privacy and cybersecurity attorney Erik Weinick of the law firm Otterbourg PC.
“Even entities that are fully cloud-based must be responsible for their own privacy and cybersecurity, and threat actors can just as readily lock users out of the cloud as they can from an office-based server if they are able to capitalize on vulnerabilities such as weak user passwords or system architecture that allows all users to have access to all of an entity’s data, as opposed to just what that user needs to perform their specific job function,” he says.
Dave Bailey, vice president of security services as privacy and security consultancy CynergisTek, says that when entities assess threats to data within the cloud, it is incredibly important to develop and maintain solid security practices, including continuous monitoring. “It is vital to understand and monitor both normal and abnormal behavior, regardless of whether the data is maintained in the cloud or on-premises,” he says.
Peters says that some of the most problematic incidents that she has seen involving insiders – including employees and former employees – occur because of the individuals’ access to “a wealth of data” and because many entities do not have sufficient data loss prevention technologies, policies and procedures.
Many entities do not consider employees to be a serious threat, she says. “But to the extent any particular employee or former employee does perpetrate some type of incident, they can do a significant amount of damage in a short period of time, and entities should have both technological and administrative controls in place to discover such incidents quickly and respond to them appropriately.”
Bailey suggests that to help reduce the risk of insider incidents, organizations should continually review aspects of their environment, including network and systems access, as well as good change management practices, such as “confirming that the people who have access and can make catastrophic decisions or errors is limited and appropriate. In addition, many organizations have implemented proactive user access monitoring, so that they can review potential access issues in real time.”
The COVID-19 crisis also has added healthcare sector challenges involving insider threats, some experts say.
“The pandemic has completely changed our behavior, so we have to relearn what is considered normal versus abnormal behavior,” Bailey says. “We had to shift to remote working, make changes to hours of operations, shifts in duties, and changes in who needs to access what data. Understanding appropriate behavior and access helps us identify threats and risks, as well as what behavior is atypical.”
Weinick says the pandemic also has brought rapid growth to healthcare and as a result, many individuals working in the sector have not had sufficient training or been adequately vetted to handle sensitive data.
“We also have organizations, such as schools and nonhealthcare workplaces, that are collecting healthcare information – such as vaccine status or reasons why students or employees are exempt – and do not have sufficiently robust systems to safeguard that type of information,” he says.
“As a result, some of these nonhealthcare entities may serve as an easier access point for nefarious threat actors seeking to leverage sensitive healthcare information.”