HHS: Insiders Pose Significant Cybersecurity Threat to Healthcare
The average cost for credential theft was more than $871,000 for each incident associated with an insider.
The U.S. Department of Health and Human Services (HHS) Cybersecurity Program Office of Information Security warned healthcare facilities on Thursday about their vulnerabilities to insider threats.
HHS cited a 2020 study from Ponomon, which found that 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders. Nearly 14% of breaches, however, are malicious, and nearly one in four involve stolen credentials. That same report found the average cost of insider threats per incident was $871,700 for credential theft, $755,800 for criminal and malicious insiders, and $307,100 for employee or contractor negligence.
The HHS report also covered the risks associated with insiders who are working on behalf of external groups, saying that 82% of organizations can’t determine the actual damage that an insider attack has actually caused. That said, the percentage of common types of insider threat damage include:
- Critical data loss, 40%
- Operational outage/disruption, 33%
- Brand damage, 26%
- Legal liabilities, 21%
- Expenses on remediating intrusions, 19%
- Competitive loss, 17%
Disgruntled employees pose a significant insider threat because of their access to a healthcare facility’s systems. Additionally, often they are emotional threat actors with an intent to cause harm to their company. Sometimes they believe they are owed something, according to the HHS report. About 80% of privilege misuse by disgruntled employees was financially motivated.
Third parties are also a threat since 94% of organizations give third parties access to their systems. Very often, third party vendors are given elevated permissions on those systems.
Insider threat activities in healthcare usually consist of fraud, data thefts, and/or system sabotage.
Behavior indicators of an inside threat actor can include:
- Official records of security violations or crimes
- Cases of unprofessional behavior
- Cases of bullying other employees
- Personality conflicts
- Misuse of travel, time, or expenses
- Conflicts with coworkers or supervisors
Indicators of IT sabotage include:
- Creating backdoor accounts
- Changing all passwords so that no one can access data
- Disabling system logs
- Installing a remote network administration tool
- Installing malware
- Accessing systems or machines of other employees
Indicators of data theft include:
- Massive downloading of corporate data
- Sending sensitive data to a non-corporate address
- Sending emails with heavy attachments to non-corporate addresses
- Extensive use of corporate printers
- Remotely accessing a server during non-working hours
The report also found that detecting insider attacks has become more difficult with so many organizations switching to the cloud.
HHS recommends the following practices to mitigate insider cybersecurity threats:
- Incorporate insider threat awareness into periodic security training for all employees.
- Implement strict password and account management policies and practices.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Ensure that sensitive information is available only to those who require access to it.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Develop a formal insider threat mitigation program.
CISA offers free cybersecurity services and tools, along with pertinent guidelines and updates that can help large and small organizations in the health sector. This information can be accessed online at www.cisa.gov/free-cybersecurity-services-and-tools.