

Healthcare Unable To Keep Up With Insider Threats

Insiders played a role in recent breaches at Utah Department of Health, Emory, and South Carolina Department of Health and Human Services

April has been a brutal month for healthcare, with three major breaches disclosed accounting for nearly 1.1 million records lost. The thread woven throughout each has been the role of insiders -- both malicious and inept -- in triggering the incidents.

In one case at the Utah Department of Health, approximately 780,000 Medicaid records were exposed due to the misconfiguration of a server containing these files. Human error also accounted for the loss of 315,000 patient records at Emory Healthcare, when 10 backup disks went missing from a storage facility at Emory University Hospital. Meanwhile at South Carolina's Department of Health and Human Services, an employee sent 228,000 Medicaid patient records to himself via email. The investigation is still ongoing, but already the employee, Christopher Lykes, was fired and arrested by the South Carolina State Law Enforcement Division for his malfeasance.

According to experts, these three incidents are representative of the consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training. Rick Dakin, CEO of the IT security consulting firm Coalfire Systems, says that more than half of the incidents his company investigates involve an insider in some way, shape, or form.

"It's not typically malicious -- the bulk of the insider threat is lack of knowledge. Users access data, leave data on systems, and it's not maliciously intended," says Dakin, who says that regardless of intent, insider incidents tend to occur due to the same weaknesses. "The insider threat follows the same vector: lack of access controls. A lack of monitoring. The lack of data loss prevention tools. There's a series of control breakdowns that allow insider threats to maliciously or just through human error and mistake access data and compromise the data."

[Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry. See Healthcare Industry Now Sharing Attack Intelligence.]

One of the big difficulties in convincing healthcare organizations to put the proper controls in place has been in getting organizations to adopt effective risk assessment and risk management practices. The healthcare industry has been notoriously incapable of pinpointing risks in general, let alone those from insiders.

"If you understand the threats and the vulnerability that was exploited, then we can make those kinds of control changes that would really have an impact. We're not there as an industry. Not that some organizations aren't doing that. But we're not there," says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). "The only incentive that we seem to have are the regulatory ones. And that set of incentives might not be complete."

As she states, the numbers from Health and Human Services (HHS) show that more than 60 percent of breaches reported to HHS in response to HIPAA mandates occur due to the loss or theft of portable devices, be they laptops, smartphones, external drives, or, as was the case at Emory, backup tapes.

"That's interesting because if you took it on its face value, you would think that it means that people are just sloppy in what they do and keep losing stuff and getting it stolen," Gallagher says. "We sort of focus then on employee training -- monitoring the actual practice and then sanctioning it if there are any issues there. Which is a good thing to do. Don't get me wrong, I really think we need to work very hard at that."

The problem, though, is that the HHS numbers tell only a small part of the story, Gallagher says. For example, the numbers give little indication as to how many of those missing drives are gone due to coordinated theft by data thieves out to mine that data for fraudulent purposes and how many fell off the back of a truck. And the numbers also don't include incidents that an organization has been unable to detect -- an indeterminate volume of breaches that Gallagher suspects keeps growing.

"It's really tough to assess where we are. I think there's so much that we don't know. We don't have the data to assess where we are in my view," Gallagher says. "For example, I could not tell you any data that tells you the impact of organized crime. We don't collect that data. And even if we detect a breach -- in many cases, we probably don't -- we don't, as an industry, spend the time going back to understand the threat motivator."

As a result, the impact of the risk from malicious insiders is unquantifiable at the moment. That is problematic because even if malicious events make up a minority of insider incidents, they pose a greater risk to the data: records stolen in these events are almost certain to be used for fraud, whereas data that is merely exposed is not necessarily used to commit identity theft.

"It's hard to analyze what's happening when you may not be detecting a lot of the real hard-core threat motivators. We have a sense that financial crimes -- financial identity theft and medical identity theft -- are on the rise. We're just not connecting all the dots," Gallagher says. "It's a very complex, multilayered problem, and health care, we're really not set up right now to manage it well."

Even without much statistical backing, practitioners who deal with these cases regularly say that, anecdotally, malicious incidents such as the one in South Carolina are hitting healthcare organizations more frequently and with more impact.

"Actually, a majority of cases that we investigate end up being insiders rather than external hacking or anything of that nature," says Brian McGinley, senior vice president of data risk management for Identity Theft 911. "If we characterize a trend based on the breaches we've seen, it has probably been related to insiders being recruited or placed by organized fraud and ID theft rings. They're out to steal patient information, employee information, and doctor information -- all very rich fodder for identity theft."

McGinley believes healthcare organizations need to do a better job of examining the channels by which data leaves the organization, and of closing those channels, to get to the heart of the risks posed by insiders.

"We see simple theft of documents that are either archived or left in desk drawers, or handwritten notes where they're handwritten copies of files or systems. We've seen downloads to flash drives," McGinley says. "We've seen the use of emails to send the information out of the medical facility, sometimes with attachments and spreadsheets. You have various devices that are out there that the medical facilities are going to have to step up to."

While many organizations certainly will need to put new security technology in place, some of the best defense comes from making better use of tools that are already there but underused, often because they were bought hastily for compliance and never followed up with process changes.

"One thing that folks forget is that often times, they already have the audit trails and tools that can be tweaked or turned on to help identify exception behavior," McGinley says. "But the key piece to understand is that if you don't have those audit trails turned on, you may not have the ability to solve the cases when you do identify the probability of a leak ... so it's going to increase your expense and reduce the probability that the case is going to be solved and the cancer cut out of the organization."
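The audit trails McGinley describes are only useful if something reads them. The script below is an added example, not code from the article or from any of the firms quoted in it: it runs a simple per-user baseline check over a constructed set of EHR audit events (the log format, user names, domains and thresholds are all assumed for illustration) and flags the two patterns the article's incidents share, a user pulling far more records than usual and records being emailed to an unapproved destination.

```python
"""Baseline-deviation and export checks over constructed EHR audit events.

Added example: the log format, users, domains and thresholds below are
assumptions made for illustration, not anything from the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_RECORDS = 200   # absolute floor so tiny baselines never produce alerts
Z_THRESHOLD = 3.0   # standard deviations above the user's own daily baseline
APPROVED_DOMAINS = {  # assumed: the organization's own and contracted domains
    "hospital.example.org",
    "partner-hospital.example.org",
}

# Constructed sample events, one per line:
#   <ISO timestamp> <user> <action> <record_count> <destination>
# VIEW  = patient records opened in the EHR ("-" means no destination)
# EMAIL = patient records sent as an attachment to <destination>
SAMPLE_LOG = """\
2012-04-02T09:01:00 nurse01 VIEW 12 -
2012-04-02T14:10:00 nurse01 VIEW 9 -
2012-04-03T09:05:00 nurse01 VIEW 11 -
2012-04-04T10:20:00 nurse01 VIEW 14 -
2012-04-05T11:00:00 nurse01 VIEW 10 -
2012-04-05T17:00:00 nurse01 EMAIL 1 referrals@partner-hospital.example.org
2012-04-02T08:30:00 analyst7 VIEW 40 -
2012-04-03T08:45:00 analyst7 VIEW 35 -
2012-04-04T09:00:00 analyst7 VIEW 42 -
2012-04-05T09:15:00 analyst7 VIEW 38 -
2012-04-09T22:40:00 analyst7 VIEW 5000 -
2012-04-09T22:55:00 analyst7 EMAIL 5000 analyst7.home@example.net
"""


def parse_events(text):
    """Parse the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, dest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count), "dest": dest})
    return events


def daily_view_totals(events):
    """Return user -> {date: total records viewed that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "VIEW":
            totals[e["user"]][e["ts"].date()] += e["count"]
    return totals


def volume_alerts(events):
    """Flag days on which a user viewed far more records than on their other days."""
    alerts = []
    for user, per_day in daily_view_totals(events).items():
        for day, total in sorted(per_day.items()):
            if total < MIN_RECORDS:
                continue
            # Leave-one-out baseline: the day being scored must not inflate
            # its own threshold, otherwise a single huge day hides itself.
            others = [v for d, v in per_day.items() if d != day]
            if len(others) >= 2:
                threshold = mean(others) + Z_THRESHOLD * pstdev(others)
                if total <= threshold:
                    continue
            baseline_max = max(others) if others else 0
            alerts.append((user, day.isoformat(),
                           f"viewed {total} records (baseline max {baseline_max})"))
    return alerts


def export_alerts(events):
    """Flag records emailed outside approved domains or in bulk."""
    alerts = []
    for e in events:
        if e["action"] != "EMAIL":
            continue
        domain = e["dest"].rsplit("@", 1)[-1].lower()
        reasons = []
        if domain not in APPROVED_DOMAINS:
            reasons.append(f"sent to unapproved domain {domain}")
        if e["count"] >= MIN_RECORDS:
            reasons.append(f"bulk export of {e['count']} records")
        if reasons:
            alerts.append((e["user"], e["ts"].date().isoformat(), "; ".join(reasons)))
    return alerts


def run(text=SAMPLE_LOG):
    """Return all alerts as (user, date, reason) tuples."""
    events = parse_events(text)
    return volume_alerts(events) + export_alerts(events)


if __name__ == "__main__":
    for user, day, reason in run():
        print(f"{day} {user}: {reason}")
```

On the constructed log, only analyst7 is flagged: the 5,000-record day on 9 April is far above that user's own baseline of roughly 40 records a day, and the same batch is then emailed to a personal address. The nurse's routine access and the single referral to an approved partner domain produce nothing, which is the point of combining an absolute floor with a per-user statistical baseline rather than a single organization-wide threshold.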

User Rank: Apprentice
5/14/2012 | 10:05:00 PM
re: Healthcare Unable To Keep Up With Insider Threats
There are too many instances of PHI that exist in healthcare environments. To be compliant with HIPAA, covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access (164.312(a)(1)). Lessen the number of instances of PHI that can be compromised by internal staff and business associates and then harden the remaining, absolutely necessary instances.

Ericka Chickowski
User Rank: Moderator
5/3/2012 | 3:14:06 PM
re: Healthcare Unable To Keep Up With Insider Threats
Interestingly, too, many of these employees have no previous record, according to McGinley. People are being specifically recruited to beat HR screening, apparently. And Dakin says he's run into cases where the clinic cleaning crews were paid to install malware on machines using USB sticks. So if it isn't your employees, it is your outsourced workers...
User Rank: Moderator
5/2/2012 | 1:04:26 AM
re: Healthcare Unable To Keep Up With Insider Threats
It was interesting to read how much of the data stolen by insiders is sold and used to commit financial fraud. It's also concerning that in some cases employees intentionally seek out jobs simply to steal data and sell it. Obviously no amount of security training will help in those situations. Access control, along with other security measures, remains key to fighting rogue insiders. -- @Cryptodd