Insider Threat Seriously Undermining Healthcare Cybersecurity

The healthcare industry's ability to defend against cyberthreats is being seriously undermined by its own workforce, according to two separate reports released this week.

In an analysis of 1,368 security incidents at healthcare organizations in 27 countries, Verizon found that nearly six out of 10 (58%) security incidents involve insiders. That figure, according to Verizon, makes healthcare the only sector where internal actors pose the biggest threat to an organization's cybersecurity posture than external actors.

The primary driver in many cases is financial gain, with insiders often stealing data to commit tax fraud, to open lines of credit, and to commit other fraud. Fun and curiosity are other factors as well: 31% of the security incidents involved insiders looking up personal records of celebrities and family members, Verizon found.

In an Accenture report based on a survey of 912 healthcare employees in the US and Canada, some 18% of the respondents — or nearly 1 in 5 — professed their willingness to sell confidential data to unauthorized thirds parties for as little as between $500 and $1,000. Among the malicious activity they were willing to peform: sell login credentials, download data to portable drives, and install tracking software on business systems.

Twenty-four percent actually know someone in their organization who had sold their access credentials to an unauthorized third-party. The willingness to sell confidential data was more pronounced among respondents from provider organizations (21%), compared to those in payer organizations (12%), Accenture found.

"Healthcare is a veritable treasure trove of valuable information," says John Schoew, lead of Accenture's health & public service security practice in North America. The adoption of electronic medical records (EMRs), wearables, and other healthcare technologies has created a wealth of data, making healthcare organizations an attractive target for data thieves, he says.

"Employees are often a weak link in an organization's cyber defenses - across many industries," Schoew says. But as with most other industries, the bad actors in the healthcare sector are the exception and not the rule. Often, breaches result from employee error caused by a failure to comply with or understand policies.

"When it comes to healthcare cybersecurity, however, the stakes are higher," Schoew cautions. A healthcare data breach could have a significant impact on patient care, cause reputation damage, and hurt enormously from a financial standpoint. Accenture's research has shown that cyber breaches cost individual healthcare providers on average of more than $12 million, and individual victims, an average of $2,500, he says.

There are multiple short-term improvements organizations can make to address some of security threats posed by insiders, says Suzanne Widup, senior analyst with Verizon Security Research. They include measures like implementing full disk encryption; conducting a comprehensive review and ongoing audits of access rights to sensitive PHI and other data; establishing a proactive policy of building security into technology updates; and developing and testing incident response plans ahead of an issue. 

"The healthcare sector houses unique and sensitive protected health information," Widup says. The most important takeaway for organizations and IT leaders is to prioritize the security of that data. "Healthcare organizations should develop longer-term strategic actions to keep this information private for future stability and success in the digital world," she says. 

Employees need to be made aware through training and awareness campaigns that improper access to patient data could lead to corrective actions being taken against them, according to Verizon's report.

More Sick Data

The Verizon and Accenture reports are among several new reports that paint an especially bleak picture of healthcare cybersecurity against the backdrop of the Healthcare Information and Management Systems Society's (HIMSS) conference in Las Vegas this week. US organizations in particular appear to be struggling more with security issues than counterparts in other regions of the world.

One of the reports, from Thales, for instance, found that healthcare organizations in the US experience substantially more breaches than organizations in other regions of the world. 

Thales surveyed 100 senior healthcare IT managers in the US and 135 professionals from nine other countries and found 48% of the US respondents reporting a breach in the last 12 months, compared to an average of 36% elsewhere.

More than three-quarters (77%) of US healthcare entities say they have experienced at least one data breach in the past, and nearly six in 10 (56%) confess to feeling either "very vulnerable" or "extremely vulnerable" to potential data security incidents. In comparison, just 34% of the respondents from other countries felt the same way, the Thales study shows.

On a positive note, Thales found that more US healthcare organizations plan to increase spending on cybersecurity than organizations in any other sector. Eighty-four percent of healthcare entities in the US indicate they will spend more on security, with 46% saying their spending would be "much higher" than present.

"Data breaches have become the new reality for healthcare organizations," says Peter Galvin, chief strategy officer at Thales. Healthcare records, which can include full names, social security numbers, birth dates, banking information, and credit card data, are the most valuable pieces of information on the Dark Web, he says.

"Given the value of the information, the breaches are coming from cyber gangs, insiders, and even nation states mostly for monetary advantage," Galvin notes.

Unfortunately, too many healthcare organizations continue to use compliance with regulations such as HIPAA as their sole benchmark for security and are therefore spending on the wrong controls. "While organizations have found that encryption, tokenization, and data masking are the most effective techniques for preventing data breaches, they are spending the majority of their budgets on 10-year-old perimeter security solutions," Gavin says.

Encouragingly, while the number of attacks has kept increasing, there is some data to suggest that healthcare organizations are getting somewhat better at mitigating the fallout.

Security vendor BitGlass analyzed breach data from the US Department of Health and Human Services and found that organizations are losing less data records in breaches than previously.

In 2017, the number of records compromised per breach on average, was 16,060 — a 72% decline from 2015 and a 95% decline from 2016 when mega breaches like those at Anthem and Premera were excluded. BitGlass also found that between 2014 and 2017, healthcare organizations reduced the number of breach incidents resulting from lost and stolen devices by 63%.

"More and more, healthcare organizations are turning to proactive security solutions rather than reactive security solutions in order to address breaches," notes Mike Schuricht, vice president of product management at Bitglass. "In other words, instead of focusing on cleanup after the fact, they are deploying tools that actively alert and enable IT to take action on high-risk activities."

Related Content:

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.