Insider Threat Seriously Undermining Healthcare Cybersecurity

Two separate reports suggest insiders - of the malicious and careless variety - pose more of a problem in healthcare than any other sector.

The healthcare industry's ability to defend against cyberthreats is being seriously undermined by its own workforce, according to two separate reports released this week.

In an analysis of 1,368 security incidents at healthcare organizations in 27 countries, Verizon found that nearly six out of 10 (58%) security incidents involve insiders. That figure, according to Verizon, makes healthcare the only sector where internal actors pose a bigger threat to an organization's cybersecurity posture than external actors.

The primary driver in many cases is financial gain, with insiders often stealing data to commit tax fraud, to open lines of credit, and to commit other fraud. Fun and curiosity are other factors as well: 31% of the security incidents involved insiders looking up personal records of celebrities and family members, Verizon found.

In an Accenture report based on a survey of 912 healthcare employees in the US and Canada, some 18% of the respondents — or nearly 1 in 5 — professed their willingness to sell confidential data to unauthorized third parties for as little as between $500 and $1,000. Among the malicious activities they were willing to perform: sell login credentials, download data to portable drives, and install tracking software on business systems.

Twenty-four percent actually know someone in their organization who has sold their access credentials to an unauthorized third party. The willingness to sell confidential data was more pronounced among respondents from provider organizations (21%), compared to those in payer organizations (12%), Accenture found.

"Healthcare is a veritable treasure trove of valuable information," says John Schoew, lead of Accenture's health & public service security practice in North America. The adoption of electronic medical records (EMRs), wearables, and other healthcare technologies has created a wealth of data, making healthcare organizations an attractive target for data thieves, he says.

"Employees are often a weak link in an organization's cyber defenses - across many industries," Schoew says. But as with most other industries, the bad actors in the healthcare sector are the exception and not the rule. Often, breaches result from employee error caused by a failure to comply with or understand policies.

"When it comes to healthcare cybersecurity, however, the stakes are higher," Schoew cautions. A healthcare data breach could have a significant impact on patient care, cause reputation damage, and hurt enormously from a financial standpoint. Accenture's research has shown that cyber breaches cost individual healthcare providers an average of more than $12 million, and individual victims an average of $2,500, he says.

There are multiple short-term improvements organizations can make to address some of the security threats posed by insiders, says Suzanne Widup, senior analyst with Verizon Security Research. They include measures like implementing full disk encryption; conducting a comprehensive review and ongoing audits of access rights to sensitive PHI and other data; establishing a proactive policy of building security into technology updates; and developing and testing incident response plans ahead of an issue.

"The healthcare sector houses unique and sensitive protected health information," Widup says. The most important takeaway for organizations and IT leaders is to prioritize the security of that data. "Healthcare organizations should develop longer-term strategic actions to keep this information private for future stability and success in the digital world," she says. 

Employees need to be made aware through training and awareness campaigns that improper access to patient data could lead to corrective actions being taken against them, according to Verizon's report.

More Sick Data

The Verizon and Accenture reports are among several new reports that paint an especially bleak picture of healthcare cybersecurity against the backdrop of the Healthcare Information and Management Systems Society's (HIMSS) conference in Las Vegas this week. US organizations in particular appear to be struggling more with security issues than counterparts in other regions of the world.

One of the reports, from Thales, for instance, found that healthcare organizations in the US experience substantially more breaches than organizations in other regions of the world. 

Thales surveyed 100 senior healthcare IT managers in the US and 135 professionals from nine other countries and found 48% of the US respondents reporting a breach in the last 12 months, compared to an average of 36% elsewhere.

More than three-quarters (77%) of US healthcare entities say they have experienced at least one data breach in the past, and nearly six in 10 (56%) confess to feeling either "very vulnerable" or "extremely vulnerable" to potential data security incidents. In comparison, just 34% of the respondents from other countries felt the same way, the Thales study shows.

On a positive note, Thales found that more US healthcare organizations plan to increase spending on cybersecurity than organizations in any other sector. Eighty-four percent of healthcare entities in the US indicate they will spend more on security, with 46% saying their spending would be "much higher" than present.

"Data breaches have become the new reality for healthcare organizations," says Peter Galvin, chief strategy officer at Thales. Healthcare records, which can include full names, social security numbers, birth dates, banking information, and credit card data, are the most valuable pieces of information on the Dark Web, he says.

"Given the value of the information, the breaches are coming from cyber gangs, insiders, and even nation states mostly for monetary advantage," Galvin notes.

Unfortunately, too many healthcare organizations continue to use compliance with regulations such as HIPAA as their sole benchmark for security and are therefore spending on the wrong controls. "While organizations have found that encryption, tokenization, and data masking are the most effective techniques for preventing data breaches, they are spending the majority of their budgets on 10-year-old perimeter security solutions," Galvin says.

Encouragingly, while the number of attacks has kept increasing, there is some data to suggest that healthcare organizations are getting somewhat better at mitigating the fallout.

Security vendor Bitglass analyzed breach data from the US Department of Health and Human Services and found that organizations are losing fewer data records in breaches than previously.

In 2017, the average number of records compromised per breach was 16,060 — a 72% decline from 2015 and a 95% decline from 2016 when mega breaches like those at Anthem and Premera were excluded. Bitglass also found that between 2014 and 2017, healthcare organizations reduced the number of breach incidents resulting from lost and stolen devices by 63%.

"More and more, healthcare organizations are turning to proactive security solutions rather than reactive security solutions in order to address breaches," notes Mike Schuricht, vice president of product management at Bitglass. "In other words, instead of focusing on cleanup after the fact, they are deploying tools that actively alert and enable IT to take action on high-risk activities."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

nida anjum,
User Rank: Apprentice
2/27/2019 | 12:42:33 PM
health threats
Your blog is just great, but some information is missing. I have some more important information about health threats here.