HHS: Insiders Pose Significant Cybersecurity Threat to Healthcare
The average cost for credential theft was more than $871,000 for each incident associated with an insider.
Disgruntled employees pose a significant insider threat because of their access to a healthcare facility’s systems. Additionally, often they are emotional threat actors with an intent to cause harm to their company. Photo via Adobe, by Artur
The U.S. Department of Health and Human Services (HHS) Cybersecurity Program Office of Information Security warned healthcare facilities on Thursday about their vulnerabilities to insider threats.
HHS cited a 2020 study from Ponomon, which found that 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders. Nearly 14% of breaches, however, are malicious, and nearly one in four involve stolen credentials. That same report found the average cost of insider threats per incident was $871,700 for credential theft, $755,800 for criminal and malicious insiders, and $307,100 for employee or contractor negligence.
The HHS report also covered the risks associated with insiders who are working on behalf of external groups, saying that 82% of organizations can’t determine the actual damage that an insider attack has actually caused. That said, the percentage of common types of insider threat damage include:
- Critical data loss, 40%
- Operational outage/disruption, 33%
- Brand damage, 26%
- Legal liabilities, 21%
- Expenses on remediating intrusions, 19%
- Competitive loss, 17%
Disgruntled employees pose a significant insider threat because of their access to a healthcare facility’s systems. Additionally, often they are emotional threat actors with an intent to cause harm to their company. Sometimes they believe they are owed something, according to the HHS report. About 80% of privilege misuse by disgruntled employees was financially motivated.
Third parties are also a threat since 94% of organizations give third parties access to their systems. Very often, third party vendors are given elevated permissions on those systems.
Insider threat activities in healthcare usually consist of fraud, data thefts, and/or system sabotage.
Behavior indicators of an inside threat actor can include:
- Official records of security violations or crimes
- Cases of unprofessional behavior
- Cases of bullying other employees
- Personality conflicts
- Misuse of travel, time, or expenses
- Conflicts with coworkers or supervisors
Indicators of IT sabotage include:
- Creating backdoor accounts
- Changing all passwords so that no one can access data
- Disabling system logs
- Installing a remote network administration tool
- Installing malware
- Accessing systems or machines of other employees
Indicators of data theft include:
- Massive downloading of corporate data
- Sending sensitive data to a non-corporate address
- Sending emails with heavy attachments to non-corporate addresses
- Extensive use of corporate printers
- Remotely accessing a server during non-working hours
The report also found that detecting insider attacks has become more difficult with so many organizations switching to the cloud.
HHS recommends the following practices to mitigate insider cybersecurity threats:
- Incorporate insider threat awareness into periodic security training for all employees.
- Implement strict password and account management policies and practices.
- Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
- Ensure that sensitive information is available only to those who require access to it.
- Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
- Develop a formal insider threat mitigation program.
CISA offers free cybersecurity services and tools, along with pertinent guidelines and updates that can help large and small organizations in the health sector. This information can be accessed online at www.cisa.gov/free-cybersecurity-services-and-tools.
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
About the Author
Robin Hattersley, Editor-in-Chief
Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.
Related Content
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!
