Healthcare Unable To Keep Up With Insider ThreatsInsiders played a role in recent breaches at Utah Department of Health, Emory, and South Carolina Department of Health and Human Services
April has been a brutal month for healthcare, with three major breaches disclosed accounting for nearly 1.1 million records lost. The thread woven throughout each has been the role of insiders -- both malicious and inept -- in triggering the incidents.
In one case at the Utah Department of Health, approximately 780,000 Medicaid records were exposed due to the misconfiguration of a server containing these files. Human error also accounted for the loss of 315,000 patient records at Emory Healthcare, when 10 backup disks went missing from a storage facility at Emory University Hospital. Meanwhile at South Carolina's Department of Health and Human Services, an employee sent 228,000 Medicaid patient records to himself via email. The investigation is still ongoing, but already the employee, Christopher Lykes, was fired and arrested by the South Carolina State Law Enforcement Division for his malfeasance.
According to experts, these three incidents are representative of the types of consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training. According to Rick Dakin, CEO of the IT security consulting firm Coalfire Systems, more than half of the insider incidents his company investigates involve an insider in some way, shape, or form.
"It's not typically malicious -- the bulk of the insider threat is lack of knowledge. Users access data, leave data on systems, and it's not maliciously intended," says Dakin, who says that regardless of intent, insider incidents tend to occur due to the same weaknesses. "The insider threat follows the same vector: lack of access controls. A lack of monitoring. The lack of data loss prevention tools. There's a series of control breakdowns that allow insider threats to maliciously or just through human error and mistake access data and compromise the data."
[Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry. See Healthcare Industry Now Sharing Attack Intelligence.]
One of the big difficulties in convincing healthcare organizations to put the proper controls in place has been in getting organizations to adopt effective risk assessment and risk management practices. The healthcare industry has been notoriously incapable of pinpointing risks in general, let alone those from insiders.
"If you understand the threats and the vulnerability that was exploited, then we can make those kinds of control changes that would really have an impact. We're not there as an industry. Not that some organizations aren't doing that. But we're not there," says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). "The only incentive that we seem to have are the regulatory ones. And that set of incentives might not be complete."
As she states, the numbers from Health and Human Services (HHS) show that more than 60 percent of breaches reported to HHS in response to HIPAA mandates occur due to the loss or theft of portable devices, be they laptops, smartphones, external drives, or, as was the case at Emory, backup tapes.
"That's interesting because if you took it on its face value, you would think that it means that people are just sloppy in what they do and keep losing stuff and getting it stolen," Gallagher says. "We sort of focus then on employee training -- monitoring the actual practice and then sanctioning it if there are any issues there. Which is a good thing to do. Don't get me wrong, I really think we need to work very hard at that."
The problem, though, is that the HHS numbers tell only a small part of the story, Gallagher says. For example, the numbers give little indication as to how many of those missing drives are gone due to coordinated theft by data thieves out to mine that data for fraudulent purposes and how many fell off the back of a truck. And the numbers also don't include incidents that an organization has been unable to detect -- an indeterminate volume of breaches that Gallagher suspects keeps growing.
"It's really tough to assess where we are. I think there's so much that we don't know. We don't have the data to assess where we are in my view," Gallagher says. "For example, I could not tell you any data that tells you the impact of organized crime. We don't collect that data. And even if we detect a breach -- in many cases, we probably don't -- we don't, as an industry, spend the time going back to understand the threat motivator."
As a result, the impact of the risk from malicious insiders is unquantifiable at the moment. That's problematic considering that even if these events make up the minority of insider incidents, they pose a greater risk to the data because of the near guarantee that data stolen in these events will inevitably be used for fraudulent purposes, as compared with other data that may be exposed but not necessarily used to commit identity theft.
"It's hard to analyze what's happening when you may not be detecting a lot of the real hard-core threat motivators. We have a sense that financial crimes -- financial identity theft and medical identity theft -- are on the rise. We're just not connecting all the dots," Gallagher says. "It's a very complex, multilayered problem, and health care, we're really not set up right now to manage it well."
Even without a lot of statistics to back up the claims, on an anecdotal level malicious incidents such as the one that occurred in South Carolina are hitting healthcare organizations more frequently and with more impact, according to practitioners who deal in these cases regularly.
"Actually, a majority of cases that we investigate end up being insiders rather than external hacking or anything of that nature," says Brian McGinley, senior vice president of data risk management for Identity Theft 911. "If we characterize a trend based on the breaches we've seen, it has probably been related to insiders being recruited or placed by organized fraud and ID theft rings. They're out to steal patient information, employee information, and doctor information -- all very rich fodder for identity theft."
McGinley believes healthcare organizations need to do a better job of looking at the methods of how data leaves organizations and addressing those to get to the heart of risks posed by insiders.
"We see simple theft of documents that are either archived or left in desk drawers, or handwritten notes where they're handwritten copies of files or systems. We've seen downloads to flash drives," McGinley says. "We've seen the use of emails to send the information out of the medical facility, sometimes with attachments and spreadsheets. You have various devices that are out there that the medical facilities are going to have to step up to."
While many organizations certainly will need to put new security technology in place, some of the best defense comes from doing a better job leveraging tools that are already there, often because of hasty compliance purchases that weren't followed up with process changes.
"One thing that folks forget is that often times, they already have the audit trails and tools that can be tweaked or turned on to help identify exception behavior," McGinley says. "But the key piece to understand is that if you don't have those audit trails turned on, you may not have the ability to solve the cases when you do identify the probability of a leak ... so it's going to increase your expense and reduce the probability that the case is going to be solved and the cancer cut out of the organization."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.