
Healthcare Unable To Keep Up With Insider Threats

Insiders played a role in recent breaches at Utah Department of Health, Emory, and South Carolina Department of Health and Human Services

April has been a brutal month for healthcare, with three major breaches disclosed that together account for more than 1.3 million records exposed. The thread woven through each is the role of insiders, both malicious and inept, in triggering the incidents.

In one case at the Utah Department of Health, approximately 780,000 Medicaid records were exposed due to the misconfiguration of a server containing these files. Human error also accounted for the loss of 315,000 patient records at Emory Healthcare, when 10 backup disks went missing from a storage facility at Emory University Hospital. Meanwhile at South Carolina's Department of Health and Human Services, an employee sent 228,000 Medicaid patient records to himself via email. The investigation is still ongoing, but already the employee, Christopher Lykes, was fired and arrested by the South Carolina State Law Enforcement Division for his malfeasance.

According to experts, these three incidents are representative of the consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training. Rick Dakin, CEO of the IT security consulting firm Coalfire Systems, says that more than half of the incidents his company investigates involve an insider in some way, shape, or form.

"It's not typically malicious -- the bulk of the insider threat is lack of knowledge. Users access data, leave data on systems, and it's not maliciously intended," says Dakin, who says that regardless of intent, insider incidents tend to occur due to the same weaknesses. "The insider threat follows the same vector: lack of access controls. A lack of monitoring. The lack of data loss prevention tools. There's a series of control breakdowns that allow insider threats to maliciously or just through human error and mistake access data and compromise the data."

[Large healthcare organizations and the U.S. Department of Health and Human Services (HHS) have banded together to share attack and threat intelligence in a new incident response and coordination effort established specifically for their industry. See Healthcare Industry Now Sharing Attack Intelligence.]

One of the big difficulties in convincing healthcare organizations to put the proper controls in place has been in getting organizations to adopt effective risk assessment and risk management practices. The healthcare industry has been notoriously incapable of pinpointing risks in general, let alone those from insiders.

"If you understand the threats and the vulnerability that was exploited, then we can make those kinds of control changes that would really have an impact. We're not there as an industry. Not that some organizations aren't doing that. But we're not there," says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). "The only incentive that we seem to have are the regulatory ones. And that set of incentives might not be complete."

Gallagher points to the HHS numbers: more than 60 percent of breaches reported to HHS under the HIPAA breach-notification rules occur through the loss or theft of portable devices or media, be they laptops, smartphones, external drives, or, as at Emory, backup media.

"That's interesting because if you took it on its face value, you would think that it means that people are just sloppy in what they do and keep losing stuff and getting it stolen," Gallagher says. "We sort of focus then on employee training -- monitoring the actual practice and then sanctioning it if there are any issues there. Which is a good thing to do. Don't get me wrong, I really think we need to work very hard at that."

The problem, though, is that the HHS numbers tell only a small part of the story, Gallagher says. For example, the numbers give little indication as to how many of those missing drives are gone due to coordinated theft by data thieves out to mine that data for fraudulent purposes and how many fell off the back of a truck. And the numbers also don't include incidents that an organization has been unable to detect -- an indeterminate volume of breaches that Gallagher suspects keeps growing.

"It's really tough to assess where we are. I think there's so much that we don't know. We don't have the data to assess where we are in my view," Gallagher says. "For example, I could not tell you any data that tells you the impact of organized crime. We don't collect that data. And even if we detect a breach -- in many cases, we probably don't -- we don't, as an industry, spend the time going back to understand the threat motivator."

As a result, the risk from malicious insiders cannot be quantified at the moment. That is a problem because, even if malicious events are the minority of insider incidents, they pose a greater risk to the data: records stolen deliberately are almost certain to be used for fraud, whereas records merely exposed through error may never be used to commit identity theft.

"It's hard to analyze what's happening when you may not be detecting a lot of the real hard-core threat motivators. We have a sense that financial crimes -- financial identity theft and medical identity theft -- are on the rise. We're just not connecting all the dots," Gallagher says. "It's a very complex, multilayered problem, and health care, we're really not set up right now to manage it well."

Even without a lot of statistics to back up the claims, on an anecdotal level malicious incidents such as the one that occurred in South Carolina are hitting healthcare organizations more frequently and with more impact, according to practitioners who deal in these cases regularly.

"Actually, a majority of cases that we investigate end up being insiders rather than external hacking or anything of that nature," says Brian McGinley, senior vice president of data risk management for Identity Theft 911. "If we characterize a trend based on the breaches we've seen, it has probably been related to insiders being recruited or placed by organized fraud and ID theft rings. They're out to steal patient information, employee information, and doctor information -- all very rich fodder for identity theft."

McGinley believes healthcare organizations need to do a better job of looking at the methods of how data leaves organizations and addressing those to get to the heart of risks posed by insiders.

"We see simple theft of documents that are either archived or left in desk drawers, or handwritten notes where they're handwritten copies of files or systems. We've seen downloads to flash drives," McGinley says. "We've seen the use of emails to send the information out of the medical facility, sometimes with attachments and spreadsheets. You have various devices that are out there that the medical facilities are going to have to step up to."

Many organizations will certainly need to put new security technology in place, but some of the best defense comes from making better use of tools that are already there. Those tools are often the product of hasty compliance purchases that were never followed up with process changes, so the audit trails and alerting they offer were never turned on or reviewed.

"One thing that folks forget is that often times, they already have the audit trails and tools that can be tweaked or turned on to help identify exception behavior," McGinley says. "But the key piece to understand is that if you don't have those audit trails turned on, you may not have the ability to solve the cases when you do identify the probability of a leak ... so it's going to increase your expense and reduce the probability that the case is going to be solved and the cancer cut out of the organization."
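The two points McGinley makes above (data leaves through email attachments and removable media, and the audit trails most organizations already keep can expose "exception behavior" if anyone looks at them) can be turned into detection logic with very little tooling. The following Python script is an added example written for this page, not code from Identity Theft 911, Coalfire, or any organization named in the article. It runs two simple rules over constructed sample logs: a peer-relative outlier check on how many patient charts each user opened in a day (EHR access audit), and a check on outbound attachments sent to an external address that matches the sender's own mailbox name or that carries a spreadsheet or CSV (mail gateway log). The log formats, domain names, user names, and thresholds are all assumptions; adapt them to the exports your EHR and mail gateway actually produce.

```python
"""Exception detection over audit trails a hospital usually already keeps.

Added example (not code from the article or any vendor named in it). The
log formats and thresholds below are assumptions; adapt them to the EHR
audit export and mail-gateway log you actually have.

Rule 1: a user who opens far more patient charts in a day than the peer
        median that day (bulk collection or idle record browsing).
Rule 2: an outbound attachment going to an external mailbox whose local part
        matches the sender (mail-to-self) or carrying a spreadsheet/CSV.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed EHR access audit: date,user,patient_id (one line per chart opened).
# Two nurses open a handful of charts; one clerk opens 60 in the same day.
EHR_AUDIT = "".join(
    f"2012-04-02,{user},P{1000 + i}\n"
    for user, n in (("nurse01", 3), ("nurse02", 2), ("clerk07", 60))
    for i in range(n)
)

# Constructed mail-gateway log: time,sender,recipient,attachment,bytes
MAIL_AUDIT = """\
2012-04-03T09:12:00,nurse01@clinic.example,dr.smith@clinic.example,referral.pdf,20480
2012-04-03T17:52:10,clerk07@clinic.example,clerk07@webmail.example,export.xlsx,4194304
2012-04-03T18:01:44,clerk07@clinic.example,billing@payer.example,claims.csv,10240
2012-04-03T18:20:00,nurse02@clinic.example,nurse02@clinic.example,notes.txt,512
"""

SPREADSHEET_EXT = (".xls", ".xlsx", ".csv")


def parse_lines(text, fields):
    """Split comma-separated audit lines into dicts keyed by `fields`."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split(",")
        if len(values) != len(fields):
            raise ValueError(f"malformed audit line: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def flag_bulk_access(audit_text, ratio=5.0, min_abs=10):
    """Return {(date, user): count} for users whose daily chart-open count is
    at least `min_abs` and more than `ratio` times the median of all users
    active that day. The absolute floor keeps quiet days from flagging noise."""
    per_day_user = Counter(
        (row["date"], row["user"])
        for row in parse_lines(audit_text, ("date", "user", "patient_id"))
    )
    by_day = defaultdict(dict)
    for (day, user), count in per_day_user.items():
        by_day[day][user] = count
    flagged = {}
    for day, counts in by_day.items():
        peer_median = median(counts.values())
        for user, count in counts.items():
            if count >= min_abs and count > ratio * peer_median:
                flagged[(day, user)] = count
    return flagged


def flag_outbound_mail(mail_text, internal_domains):
    """Return hits for attachments leaving the organisation, each with the
    list of rules it tripped. Internal mail and mail without an attachment
    are skipped; everything else external is examined."""
    fields = ("time", "sender", "recipient", "attachment", "bytes")
    hits = []
    for row in parse_lines(mail_text, fields):
        s_local, _ = row["sender"].lower().rsplit("@", 1)
        r_local, r_domain = row["recipient"].lower().rsplit("@", 1)
        if r_domain in internal_domains or not row["attachment"]:
            continue
        reasons = []
        if s_local == r_local:
            reasons.append("mail-to-self")
        if row["attachment"].lower().endswith(SPREADSHEET_EXT):
            reasons.append("spreadsheet-attachment")
        if reasons:
            hits.append({"time": row["time"], "sender": row["sender"],
                         "recipient": row["recipient"], "attachment": row["attachment"],
                         "bytes": int(row["bytes"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for (day, user), n in flag_bulk_access(EHR_AUDIT).items():
        print(f"{day} {user}: {n} charts opened (outlier against peers)")
    for hit in flag_outbound_mail(MAIL_AUDIT, {"clinic.example"}):
        print(f"{hit['time']} {hit['sender']} -> {hit['recipient']} "
              f"{hit['attachment']} ({hit['bytes']} B): {', '.join(hit['reasons'])}")
```

On the sample data the first rule flags only clerk07 (60 charts against a peer median of 3), and the second rule flags the mail-to-self spreadsheet export plus the CSV sent to the payer. The second hit is a reminder that these rules produce leads, not verdicts: a claims file to a payer may be routine, which is why the output keeps the full context (sender, recipient, attachment, size) for a human to review. The real prerequisite, as McGinley says, is that the EHR access audit and the mail-gateway log are switched on and retained before the incident, since neither rule can run over records that were never written.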

Comments
jsantangelo101, 5/14/2012 | 10:05:00 PM
re: Healthcare Unable To Keep Up With Insider Threats
There are too many instances of PHI that exist in healthcare environments. To be compliant with HIPAA, covered entities must implement technical policies and procedures to allow access only to those persons and business associates that absolutely require access (164.312(a)(1)). Lessen the number of instances of PHI that can be compromised by internal staff and business associates and then harden the remaining, absolutely necessary instances.
Ericka Chickowski, 5/3/2012 | 3:14:06 PM
re: Healthcare Unable To Keep Up With Insider Threats
Interestingly, too, many of these employees have no previous record, according to McGinley. People are being specifically recruited to beat HR screening, apparently. And Dakin says he's run into cases where the clinic cleaning crews were paid to install malware on machines using USB sticks. So if it isn't your employees, it is your outsourced workers...
Cryptodd, 5/2/2012 | 1:04:26 AM
re: Healthcare Unable To Keep Up With Insider Threats
It was interesting to read how much of the data stolen by insiders is sold and used to commit financial fraud. It's also concerning that in some cases employees intentionally seek out jobs simply to steal data and sell it. Obviously no amount of security training will help in those situations. Access control, along with other security measures, remains key to fighting rogue insiders. @Cryptodd:twitter