9 February 2023
One of the elements of our annual Security Navigator report is the CyberSOC statistics, including specific numbers and insights for different sectors. One statistic that stands out is that, as a sector, healthcare has historically been challenged by its own users posing the highest risk – the insider threat.
Let’s take a look at the different types of insider threats and their appearance in the healthcare sector.
As the name indicates, an insider threat is a threat to the business that comes from within the organization, more specifically from the people within it: (former) employees, contractors or business partners. Unlike most threats from outside the organization, insider threats don't always involve bad or criminal intent. There are various types of insider threats, but broadly we can categorize them as aware and unaware.
Even though a perpetrator may be aware of his or her actions, they are not always conscious of the damage those actions may cause to the organization. Within this group there is a further distinction between malicious actors and those acting out of curiosity.
Malicious – In this case, the perpetrator has harmful intent and knowingly steals your data or intelligence. The motivation can be personal financial gain or a wish to harm the organization's position or status. An example would be a former employee who feels wronged by the organization and acts out of revenge.
Within the healthcare sector, the malicious insider is usually financially motivated. Sensitive patient information has a high resale value on the black market and is therefore very attractive to criminals.
Curious – Data has long been called the new gold. Employees or business associates can be interested in information that they know they shouldn't have access to, either because of its financial value or simply out of personal curiosity.
Imagine you work in a hospital and your favorite celebrity is brought in for treatment, but not in your department. Would you be tempted to find out what is going on, and how many others might be interested in this information?
With unaware insider threats, the actor has no malicious or criminal intent and is unaware of the potential damage caused to the organization or, in the case of the healthcare sector, to the patient whose data is at stake.
Here, we can also make a distinction between two different actors.
Negligent – These incidents are often the result of users not being aware of their privileges or being careless with their rights. Examples are employees who don't notice who enters a secured entrance behind them (tailgating), allowing intruders in, or employees who are careless when sending sensitive files through file transfer services.
If a patient in a hospital is in urgent need of aid, employees might rush away from their desks to attend to the patient, leaving sensitive data out in the open.
Accidental – Humans make mistakes, and accidents happen. Emails with sensitive data can end up with the wrong person when the sender mistypes an email address, or hard copy files are misplaced.
Although many institutions have worked hard on digitalizing their operations, many healthcare organizations still rely on hard copy patient files. Paper files are unfortunately easier to misplace or lose.
In addition to the examples mentioned above, there are a few more reasons why the healthcare sector is sensitive to insider threats.
What changes can be implemented to mitigate the risks posed by insider threats?
As the different examples of insider threats show, over-broad access to sensitive data causes the most damage. The Varonis 2021 Healthcare Data Risk Report shows that on average, every employee in a healthcare organization has access to 20% of the organization's total files, and the figure is even higher for mid-size and small organizations.
Restricting access roles and privileges is therefore a key priority in the healthcare sector, for example by adopting a Zero Trust strategy based on the principle 'never trust, always verify': each request is granted on the basis of who is asking and what they need, rather than on the assumption that anyone inside the network can be trusted.
A risk assessment can help to get a better picture of the organizational structure and threat landscape. Is there a clear view of which data is available to which employees, and does each of them actually need it?
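To make the need-to-know principle concrete, here is an added example (not code from the Security Navigator report or from any product it describes) of a deny-by-default access check for patient records. The data model, the user and patient identifiers, and the three roles are hypothetical. A clinician may read a record only when they are on the patient's care team or work in the treating department; anything else is denied unless an explicit break-glass reason is given, and every decision is written to an audit log. The `exposure()` method answers the risk-assessment question above by computing what share of all records a given user can actually reach, which is the figure an entitlement review compares against numbers like the 20% cited earlier.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str          # "clinician" or "admin" in this toy model
    department: str


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    department: str              # department currently treating the patient
    care_team: frozenset         # user_ids with a treatment relationship


@dataclass(frozen=True)
class AuditEvent:
    user_id: str
    patient_id: str
    decision: str                # "allow", "deny" or "break-glass"
    reason: str


def decide(user: User, record: PatientRecord,
           break_glass_reason: Optional[str] = None) -> AuditEvent:
    """Deny by default; allow only on a demonstrable need to know."""
    if user.role != "clinician":
        return AuditEvent(user.user_id, record.patient_id, "deny",
                          "role has no clinical access")
    if user.user_id in record.care_team:
        return AuditEvent(user.user_id, record.patient_id, "allow",
                          "member of care team")
    if user.department == record.department:
        return AuditEvent(user.user_id, record.patient_id, "allow",
                          "treating department")
    if break_glass_reason:
        # Emergency override: the read goes through, but it is tagged and the
        # stated reason is kept so that the access is reviewed afterwards.
        return AuditEvent(user.user_id, record.patient_id, "break-glass",
                          break_glass_reason)
    return AuditEvent(user.user_id, record.patient_id, "deny",
                      "no treatment relationship")


class RecordStore:
    """Every read goes through decide() and is written to the audit log."""

    def __init__(self, records):
        self._records = {r.patient_id: r for r in records}
        self.audit_log: list = []

    def read(self, user: User, patient_id: str,
             break_glass_reason: Optional[str] = None) -> Optional[PatientRecord]:
        record = self._records[patient_id]
        event = decide(user, record, break_glass_reason)
        self.audit_log.append(event)
        return record if event.decision != "deny" else None

    def exposure(self, user: User) -> float:
        """Share of all records the user can read without break-glass.
        An entitlement review compares this across roles to spot over-broad access."""
        allowed = sum(1 for r in self._records.values()
                      if decide(user, r).decision == "allow")
        return allowed / len(self._records)

    def events_for_review(self):
        """Denied attempts and break-glass reads: the curiosity and emergency cases."""
        return [e for e in self.audit_log if e.decision != "allow"]


# Constructed sample data (hypothetical users and patients, not real identifiers).
USERS = {
    "dr_a": User("dr_a", "clinician", "cardiology"),
    "nurse_b": User("nurse_b", "clinician", "oncology"),
    "clerk_c": User("clerk_c", "admin", "billing"),
}
SAMPLE_RECORDS = [
    PatientRecord("P1", "cardiology", frozenset({"dr_a"})),
    PatientRecord("P2", "oncology", frozenset({"nurse_b"})),
    PatientRecord("P3", "cardiology", frozenset()),
    PatientRecord("P4", "neurology", frozenset()),   # the "celebrity" patient
]


def run_demo() -> RecordStore:
    store = RecordStore(SAMPLE_RECORDS)
    store.read(USERS["dr_a"], "P1")          # care team: allowed
    store.read(USERS["dr_a"], "P3")          # same department: allowed
    store.read(USERS["nurse_b"], "P4")       # curiosity from another ward: denied
    store.read(USERS["nurse_b"], "P4", break_glass_reason="code blue on ward 3")
    return store


if __name__ == "__main__":
    s = run_demo()
    for u in USERS.values():
        print(f"{u.user_id:8} can read {s.exposure(u):.0%} of records")
    for e in s.events_for_review():
        print(f"REVIEW {e.user_id} -> {e.patient_id}: {e.decision} ({e.reason})")
```

The point of routing every read through one decision function is that the curiosity case (a nurse from another ward looking up a patient who is not theirs) is refused and logged, while the genuine emergency still gets through with a reason attached, so the incident response team has something to review rather than an unexplained access.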
As in many other types of organizations and sectors, security is not just an IT issue. Creating user awareness can significantly reduce the insider threat risk, and not just for the unaware actors. In a business such as healthcare, where the consequences are not limited to the organization but extend to patient trust and confidentiality, security awareness can also influence the aware actors, who are reminded of the consequences of their actions.
Even when roles are restricted and awareness has been created, breaches can still occur. Investing in incident response will help to minimize the potential damage, whether financial, reputational, or to patient data.