By Renee Tarun
Verizon’s 2020 Data Breach Investigations Report found that 48% of the threat actors in healthcare are internal. Not all of these threat actors are acting with deliberate evil intent. In fact, simple negligence is to blame for 62% of insider incidents, according to Ponemon Institute.
These “insiders” are the folks that unwittingly cause harm or unauthorized access by doing things like clicking on malicious links, not following policies and procedures, or being careless. These incidents occur because employees aren’t aware of proper cyber hygiene practices; they simply didn’t know any better.
And sometimes, those who do know better—overworked administrators—try to take short cuts. For instance, they use weak or default passwords, don’t take the time to do recommended patching and so on.
And as we all know, networks around the world, especially those in healthcare, have been upended by the need for mobile health and remote work. According to Fortinet research, 29% of organizations expect over 50% of employees to continue teleworking long-term. That’s not to mention the fact that cybercriminals have already demonstrated how they can leverage the pandemic with unprecedented attacks.
How much does an insider threat cost an organization? It differs, depending on the type of incident. If the incident was due to the negligence of a contractor or employee, each incident may average $307,111. Since this is the most common type of incident – accounting for 62% of all incidents – this adds up to $4.58 million annually for each organization.
Then there are the malicious insiders who fully intend to steal information or cause disruption. Verizon notes that healthcare remains the industry with the highest number of internal bad actors. They are usually driven by the promise of financial gain, but some may be disgruntled employees. Considering the layoffs and staff reductions due to COVID, this is a time to be particularly wary of attack from within.
Malicious insiders either act independently or act as an agent for another entity. These actors are responsible for 23% of incidents. Ponemon Institute found that the annualized cost of incidents relating to malicious insiders is $4.08 million.
The research firm also found that credential thieves account for 14% of insider attacks. Though these attackers are not truly insiders, they look like insiders because they use compromised insider information such as usernames or passwords. These are the most expensive “insider” threats; Ponemon found that on average, they are more than 2.5 times as expensive per incident as those involving employee or contractor negligence.
What Makes Insider Threat So Hard to Combat?
It can be extremely difficult to fight insider threats because organizations are dealing with people who are believed to be known, trusted entities with legitimate access. It’s sometimes hard to distinguish what good and bad behavior look like within the network.
IT security teams often lack the business context for a system or application that is needed to tell normal behavior from abnormal behavior. The increase in remote work has complicated this: with more people working from home, it is even harder to determine what is normal. Teams may also lack the tools, staff and policies/processes needed to manage the insider threat effectively.
People, Processes, and Technology to the Rescue
Though insider attacks can be difficult to identify and mitigate, organizations have many tools available to combat them. The people element is critically important here, so organizations would do well to create a culture of security. Employees need to know that everyone has a role to play in cybersecurity, from the C-suite to the loading dock. This involves ongoing education and training, including phishing testing at regular intervals. Teach employees that they are the front line of defense and that if they see something out of the ordinary, they should say something. And they need to know who they should report incidents to.
Partnership and collaboration are important, too. The HR, legal, communications and other departments have roles to play in defining how insider threats are handled. However, take care here not to create a culture where employees feel untrusted because, in most cases, employees are trustworthy. Having said that, it’s a good rule of thumb to limit access to the network. Create a separation of duties and grant access on a need-to-know basis, giving employees the least privilege necessary to do their jobs.
Processes are another element in defeating insider threats. First, you need to know your assets. You can’t protect them if you don’t know about them, so identify the key assets and then make sure you know who is accessing them, as well as when and why. This will help you determine whether the right security controls are in place.
A strong insider threat program will have robust processes to identify and manage insider risks. This will include DLP and data encryption strategies. When it comes to any set of policies and procedures, a key aspect is raising awareness with employees and making sure you’re properly communicating expectations, risk definitions and guidance.
Preparation is key for when bad things happen, so make sure your incident response plan includes how to deal with insider incidents. Then, exercise, exercise, exercise the plan.
There are many technologies to help defeat insider threats. Solutions include training and awareness programs that improve careful information handling, and the monitoring of privileged users and critical data across the distributed network, from the core to the cloud. Combine this with dynamic network segmentation, advanced behavioral analytics and the integration of security tools into one comprehensive framework.
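The three points above (know who is accessing a key asset, when and why; grant access on a need-to-know basis; watch privileged users for behavior that departs from their norm) can be turned into a small review routine. The following is an added illustration, not code from the article or from Fortinet. The asset name, the access log lines, the authorized-user list and the thresholds are all constructed for the example; a real deployment would read these from the system of record and tune the thresholds to its own baseline.

```python
"""Baseline review of access to a key asset (added example, not from the article).

Each log line is: <ISO timestamp> <user> <asset> <action> <records_touched>
The review flags three things a need-to-know policy cares about:
  - not_authorised: the user is not on the asset's need-to-know list
  - off_hours:      access outside the hours this role normally works
  - high_volume:    records touched far above the user's own prior median
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log for a hypothetical "patient_records" asset.
SAMPLE_LOG = """\
2020-11-02T09:14:05 alice patient_records read 12
2020-11-02T10:02:41 alice patient_records read 9
2020-11-02T11:30:12 bob patient_records read 15
2020-11-02T13:45:00 alice patient_records read 11
2020-11-02T14:10:33 bob patient_records read 14
2020-11-03T02:17:09 bob patient_records export 450
2020-11-03T09:05:51 carol patient_records read 8
2020-11-03T09:40:22 alice patient_records read 10
"""

# Need-to-know list per asset (assumed for the example; normally the
# access-control system is the source of truth).
AUTHORISED = {"patient_records": {"alice", "bob"}}

BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59; assumed for this role
VOLUME_FACTOR = 5              # flag when count > 5x the user's prior median
MIN_HISTORY = 2                # need this many prior events before judging volume


def parse_line(line):
    """Split one log line into a dict of typed fields."""
    ts, user, asset, action, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "asset": asset, "action": action, "count": int(count)}


def who_accessed(log_text):
    """Per asset, map each user to the total records they touched.

    This is the 'know who is accessing your key assets' inventory.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            totals[ev["asset"]][ev["user"]] += ev["count"]
    return {asset: dict(users) for asset, users in totals.items()}


def review(log_text):
    """Return [(line_no, user, [reasons])] for events that deserve a look.

    The per-user baseline is built only from that user's earlier events,
    so the first events of a new user cannot be judged on volume.
    """
    history = defaultdict(list)  # (user, asset) -> prior record counts
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        if ev["user"] not in AUTHORISED.get(ev["asset"], set()):
            reasons.append("not_authorised")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        prior = history[(ev["user"], ev["asset"])]
        spike = len(prior) >= MIN_HISTORY and ev["count"] > VOLUME_FACTOR * median(prior)
        if spike:
            reasons.append("high_volume")
        else:
            # Do not let a spike pull the baseline upward for later events.
            prior.append(ev["count"])
        if reasons:
            findings.append((n, ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for asset, users in who_accessed(SAMPLE_LOG).items():
        print(asset, users)
    for line_no, user, reasons in review(SAMPLE_LOG):
        print(f"line {line_no}: {user}: {', '.join(reasons)}")
```

Run against the constructed log, the review flags line 6 (a bulk export at 02:17 by an authorized user, well above his own prior volume) and line 7 (a user who is not on the asset's need-to-know list at all). The first finding is what behavioral analytics over privileged users is meant to surface; the second is a least-privilege gap that an access review would close.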
Stop Insider Threats from All Angles
Technology tools provide only part of the solution. Creating a positive work environment that values individual contributors goes a long way toward preventing malicious insider activity. It’s more than just salary that makes a satisfying work experience. A collaborative team experience that acknowledges the importance of all employees’ efforts makes for a more enjoyable and rewarding work life. People working in those conditions are far less likely to become malicious insiders.
The healthcare industry remains a prime focus of attack, particularly from within. Whether the attacks are malicious or not, all must be defended against with a combined approach of people, processes and technology. Your proactive strategy must include deterrence and detection tech, along with automation. But it must also include a strategy to continually train and appreciate the people on the security front lines: all employees, not just those in IT. This multi-pronged approach will enable better detection and mitigation of insider threats.
About the author
Renee Tarun is deputy CISO at Fortinet. She is focused on enterprise security, compliance and governance, and product security. She is also a contributor to the book, The Digital Big Bang. Previously, she served for over 20 years with the U.S. government, with over 12 years as a cybersecurity leader for the National Security Agency (NSA). Renee received her master’s degree in computer/information technology administration and management from the University of Maryland University College. She is also a board member for the George Mason University Volgenau School of Engineering. She is married with two children.