Dark Reading is part of the Informa Tech Division of Informa PLC


3/5/2018
06:30 PM

Insider Threat Seriously Undermining Healthcare Cybersecurity

Two separate reports suggest insiders - of the malicious and careless variety - pose more of a problem in healthcare than any other sector.

The healthcare industry's ability to defend against cyberthreats is being seriously undermined by its own workforce, according to two separate reports released this week.

In an analysis of 1,368 security incidents at healthcare organizations in 27 countries, Verizon found that nearly six out of 10 (58%) security incidents involve insiders. That figure, according to Verizon, makes healthcare the only sector where internal actors pose a bigger threat to an organization's cybersecurity posture than external actors.

The primary driver in many cases is financial gain, with insiders often stealing data to commit tax fraud, to open lines of credit, and to commit other fraud. Fun and curiosity are other factors as well: 31% of the security incidents involved insiders looking up personal records of celebrities and family members, Verizon found.

In an Accenture report based on a survey of 912 healthcare employees in the US and Canada, some 18% of the respondents — or nearly 1 in 5 — professed their willingness to sell confidential data to unauthorized third parties for as little as between $500 and $1,000. Among the malicious activities they were willing to perform: sell login credentials, download data to portable drives, and install tracking software on business systems.

Twenty-four percent actually know someone in their organization who had sold their access credentials to an unauthorized third party. The willingness to sell confidential data was more pronounced among respondents from provider organizations (21%), compared to those in payer organizations (12%), Accenture found.

"Healthcare is a veritable treasure trove of valuable information," says John Schoew, lead of Accenture's health & public service security practice in North America. The adoption of electronic medical records (EMRs), wearables, and other healthcare technologies has created a wealth of data, making healthcare organizations an attractive target for data thieves, he says.

"Employees are often a weak link in an organization's cyber defenses - across many industries," Schoew says. But as with most other industries, the bad actors in the healthcare sector are the exception and not the rule. Often, breaches result from employee error caused by a failure to comply with or understand policies.

"When it comes to healthcare cybersecurity, however, the stakes are higher," Schoew cautions. A healthcare data breach could have a significant impact on patient care, cause reputation damage, and hurt enormously from a financial standpoint. Accenture's research has shown that cyber breaches cost individual healthcare providers an average of more than $12 million, and individual victims an average of $2,500, he says.

There are multiple short-term improvements organizations can make to address some of the security threats posed by insiders, says Suzanne Widup, senior analyst with Verizon Security Research. They include measures like implementing full disk encryption; conducting a comprehensive review and ongoing audits of access rights to sensitive PHI and other data; establishing a proactive policy of building security into technology updates; and developing and testing incident response plans ahead of an issue.

"The healthcare sector houses unique and sensitive protected health information," Widup says. The most important takeaway for organizations and IT leaders is to prioritize the security of that data. "Healthcare organizations should develop longer-term strategic actions to keep this information private for future stability and success in the digital world," she says. 

Employees need to be made aware through training and awareness campaigns that improper access to patient data could lead to corrective actions being taken against them, according to Verizon's report.

More Sick Data

The Verizon and Accenture reports are among several new reports that paint an especially bleak picture of healthcare cybersecurity against the backdrop of the Healthcare Information and Management Systems Society's (HIMSS) conference in Las Vegas this week. US organizations in particular appear to be struggling more with security issues than counterparts in other regions of the world.

One of the reports, from Thales, for instance, found that healthcare organizations in the US experience substantially more breaches than organizations in other regions of the world. 

Thales surveyed 100 senior healthcare IT managers in the US and 135 professionals from nine other countries and found 48% of the US respondents reporting a breach in the last 12 months, compared to an average of 36% elsewhere.

More than three-quarters (77%) of US healthcare entities say they have experienced at least one data breach in the past, and nearly six in 10 (56%) confess to feeling either "very vulnerable" or "extremely vulnerable" to potential data security incidents. In comparison, just 34% of the respondents from other countries felt the same way, the Thales study shows.

On a positive note, Thales found that more US healthcare organizations plan to increase spending on cybersecurity than organizations in any other sector. Eighty-four percent of healthcare entities in the US indicate they will spend more on security, with 46% saying their spending would be "much higher" than present.

"Data breaches have become the new reality for healthcare organizations," says Peter Galvin, chief strategy officer at Thales. Healthcare records, which can include full names, social security numbers, birth dates, banking information, and credit card data, are the most valuable pieces of information on the Dark Web, he says.

"Given the value of the information, the breaches are coming from cyber gangs, insiders, and even nation states mostly for monetary advantage," Galvin notes.

Unfortunately, too many healthcare organizations continue to use compliance with regulations such as HIPAA as their sole benchmark for security and are therefore spending on the wrong controls. "While organizations have found that encryption, tokenization, and data masking are the most effective techniques for preventing data breaches, they are spending the majority of their budgets on 10-year-old perimeter security solutions," Galvin says.

Encouragingly, while the number of attacks has kept increasing, there is some data to suggest that healthcare organizations are getting somewhat better at mitigating the fallout.

Security vendor Bitglass analyzed breach data from the US Department of Health and Human Services and found that organizations are losing fewer data records in breaches than previously.

In 2017, the average number of records compromised per breach was 16,060 — a 72% decline from 2015 and a 95% decline from 2016 when mega breaches like those at Anthem and Premera were excluded. Bitglass also found that between 2014 and 2017, healthcare organizations reduced the number of breach incidents resulting from lost and stolen devices by 63%.

"More and more, healthcare organizations are turning to proactive security solutions rather than reactive security solutions in order to address breaches," notes Mike Schuricht, vice president of product management at Bitglass. "In other words, instead of focusing on cleanup after the fact, they are deploying tools that actively alert and enable IT to take action on high-risk activities."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
