Advice on Spotting Insider Threats
OCR Highlights the Risks, Offers Mitigation Advice
While hackers and ransomware attacks have been hogging the spotlight lately, regulators are warning healthcare entities and their business associates not to underestimate the serious security and privacy threats that insiders can pose.
A new monthly cyber awareness alert, Do You Know Who Your Employees Are?, from the Department of Health and Human Services' Office for Civil Rights prods organizations to closely evaluate the risks their employees pose.
"Insider threat is becoming one of the largest threats to organizations, and some cyberattacks may be insider-driven," the alert from the HIPAA enforcement agency says. "Although all insider threats are not malicious or intentional, the effect of these threats can be damaging to a covered entity and business associate and have a negative impact on the confidentiality, integrity and availability of its electronic protected health information."
Insiders Cause Breaches
In fact, insiders have been culprits in many recent breaches of PHI. The causes of those breaches range from employee mistakes - such as clicking on a phishing email containing malware or falling for tricks that have privileged users handing over their credentials to hackers - to malicious incidents involving staffers committing identity theft, fraud or other crimes.
In one recent insider case, Jamie Knapp, a former respiratory therapist at ProMedica Bay Park Hospital in Oregon, Ohio, was convicted in June of wrongfully obtaining health information on 596 patients. Prosecutors claimed the therapist was using the information for seeking, obtaining or using intravenous drugs. Knapp faces up to one year of prison when she's sentenced later this year (see Respiratory Therapist Convicted in HIPAA Criminal Case).
"With hacking and ransomware dominating most of the breach headlines this year, I do think that the threat posed by insiders has been somewhat overlooked," says Dan Berger, CEO of the security consulting firm Redspin. "Given that health records still command a premium on the black market, insiders themselves can be motivated by financial gain to steal and resell ePHI."
Too many business leaders either ignore or don't understand the impact of insider threats, says Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360 Security and Privacy Services. "They need to realize the risks and assign the appropriate resources to sufficiently address those risks."
OCR notes in its latest alert that a recent survey conducted by Accenture and HfS Research found that nearly 70 percent of organizations had experienced "an insider attempt or success at data theft or other corruption."
The most common malicious insider incidents involve unauthorized access to or use of information; exposure of private or sensitive data; installation of viruses, worms, or other malicious code; and theft of intellectual property, OCR notes.
Putting Threat Into Perspective
While employee mistakes and malicious behavior are serious threats to healthcare data, security expert Mac McMillan, CEO of the security consultancy CynergisTek, warns that concerns about insiders should not overshadow the even bigger threats that hackers pose.
"We need to keep this [OCR] guidance in perspective," he says. "While insiders may account for the highest number of incidents, the magnitude in terms of the information involved or compromised with hackers is much higher."
Still, even major cyberattacks can begin with an insider's mistake. The attack on Anthem Inc. last year, which affected nearly 79 million individuals, is believed to have started with a phishing attack on employees of the health plan.
"Hackers without a doubt" pose a bigger threat right now, McMillan says. Herold argues, however, that preventing and detecting insider breaches can be more complicated than mitigating the risk of hacker attacks.
Insiders and hackers "typically involve different types of threats, but they also often overlap," Herold says. "The types of threats that insiders bring are so much broader than hackers. Insider threats involve technology, physical and human activities threats and vulnerabilities. Hackers are mostly technology based. So insider [threats] really are larger, more complex and hard to anticipate in many ways."
Insiders often make mistakes or take malicious actions that lead to hackers being able to succeed in their attacks, she notes. "For example, when insiders use the same user ID and password to get remote access into all their ... systems, it creates a weak security environment that allows hackers easy access for breaches. In other words, poor security practices by insiders often lead to huge breaches."
Some covered entities have been the victims of large breaches caused by blunders committed by insiders at business associates and their subcontractors. Such was the case in 2013 when the Indiana Family and Social Services Administration notified almost 188,000 clients that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate's contractor.
"Breaches caused by mistakes will usually get discovered," Herold says. "Many breaches caused by malicious intent will not. Both of these problems need to be addressed."
Steps to Take
Steps that healthcare entities and their vendors should take to help prevent and detect breaches involving insiders often are overlooked, McMillan contends. Those include defining roles and permissions more narrowly; deploying internal monitoring; implementing data loss prevention solutions; and "monitoring employee behavior, not just compliance," he says.
Covered entities and business associates "could both do much better jobs in managing the insider threat if they would just invest in the right tools and commit to real audit approaches and behavioral modeling," he adds.
OCR's advice for addressing risks posed by insiders includes developing policies and procedures to mitigate the possibility of theft of ePHI, sabotage of systems or devices containing ePHI, and fraud involving ePHI. "These policies and procedures should enforce separation of duties and least privileges, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain or transmit ePHI," OCR notes.
In addition, OCR urges organizations to screen potential employees to determine if they are trustworthy and appropriate for the role for which they are being considered.
"Effective screening processes can be applied to allow for a range of implementations, from minimal to more stringent procedures based on the risk analysis performed by the entity and role of the potential employee," OCR notes. That includes screening checks for healthcare fraud and related issues, as well as criminal history checks. "When implementing a screening process, please be sure to review and comply with any applicable federal, state or local laws regarding the use of screening processes as part of the hiring process," OCR says.
OCR also advises organizations to refer to steps suggested by the U.S. Computer Emergency Readiness Team to protect ePHI from insider threats. Those include:
- Implement strict password and account management policies and practices;
- Enforce separation of duties and least privilege;
- Define security agreements for any cloud services, especially access restrictions and monitoring capabilities;
- Institute stringent access controls and monitoring policies on privileged users;
- Institutionalize system change controls;
- Use a log correlation engine or security information and event management system to log, monitor, and audit employee actions;
- Monitor and control remote access from all endpoints, including mobile devices.
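The US-CERT recommendation to use a log correlation engine or SIEM to audit employee actions is the one item in this list that turns into code. The following is an added example, not part of the OCR alert, the US-CERT list or any vendor product: a small analysis over a constructed EHR access log that applies two insider-oriented checks a practitioner would typically load into a SIEM rule. The first flags a user who has opened far more distinct patient charts than peers in the same role (the pattern behind the Knapp case above), the second flags access outside business hours. The log schema, the user names, the thresholds (three times the role median, at least five distinct patients, 07:00-19:00 as working hours) and the sample records are all assumptions made for illustration.

```python
"""Added example: two insider-threat detections over a constructed EHR audit log.

Everything here is illustrative. The CSV layout, the user and patient
identifiers, the role baselines and the thresholds are assumptions, not the
format of any real EHR product or the recommendation of the OCR alert.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log: timestamp, user, role, patient id, action.
# jdoe opens 12 distinct charts (one at 02:31); peers in the same role open 2-3.
SAMPLE_LOG = """\
timestamp,user,role,patient,action
2016-06-01T09:12:03Z,jdoe,respiratory_therapist,P1001,VIEW
2016-06-01T09:14:40Z,jdoe,respiratory_therapist,P1002,VIEW
2016-06-01T09:20:11Z,jdoe,respiratory_therapist,P1003,VIEW
2016-06-01T09:25:52Z,jdoe,respiratory_therapist,P1004,VIEW
2016-06-01T10:02:09Z,jdoe,respiratory_therapist,P1005,VIEW
2016-06-01T10:07:33Z,jdoe,respiratory_therapist,P1006,VIEW
2016-06-01T10:11:45Z,jdoe,respiratory_therapist,P1007,VIEW
2016-06-01T10:15:02Z,jdoe,respiratory_therapist,P1008,VIEW
2016-06-01T11:30:17Z,jdoe,respiratory_therapist,P1009,VIEW
2016-06-01T11:34:58Z,jdoe,respiratory_therapist,P1010,VIEW
2016-06-01T13:41:20Z,jdoe,respiratory_therapist,P1011,VIEW
2016-06-02T02:31:07Z,jdoe,respiratory_therapist,P1012,VIEW
2016-06-01T08:45:10Z,asmith,respiratory_therapist,P1001,VIEW
2016-06-01T14:12:55Z,asmith,respiratory_therapist,P1003,VIEW
2016-06-01T09:05:31Z,bjones,respiratory_therapist,P1002,VIEW
2016-06-01T12:40:02Z,bjones,respiratory_therapist,P1005,VIEW
2016-06-01T15:22:48Z,bjones,respiratory_therapist,P1006,VIEW
2016-06-01T07:58:14Z,nlee,nurse,P1001,VIEW
2016-06-01T08:03:27Z,nlee,nurse,P1002,VIEW
2016-06-01T08:09:50Z,nlee,nurse,P1003,VIEW
2016-06-01T16:44:36Z,nlee,nurse,P1004,VIEW
"""

# Assumption: 07:00-19:00 (UTC, since the sample timestamps are UTC) is normal.
BUSINESS_HOURS = (7, 19)


def parse_log(text):
    """Parse the constructed CSV into dicts with a timezone-aware 'ts' field."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["ts"] = ts.replace(tzinfo=timezone.utc)
        rows.append(rec)
    return rows


def distinct_patients_by_user(rows):
    """Return ({user: number of distinct patients}, {user: role})."""
    seen = defaultdict(set)
    roles = {}
    for r in rows:
        seen[r["user"]].add(r["patient"])
        roles[r["user"]] = r["role"]
    return {u: len(p) for u, p in seen.items()}, roles


def flag_volume_outliers(rows, multiplier=3.0, min_patients=5):
    """Flag users whose distinct-patient count exceeds multiplier x the median
    of their role (median computed over everyone in the role, the user included).
    Returns (user, 'volume', count, role_median) tuples."""
    counts, roles = distinct_patients_by_user(rows)
    by_role = defaultdict(list)
    for user, n in counts.items():
        by_role[roles[user]].append(n)
    findings = []
    for user, n in counts.items():
        baseline = statistics.median(by_role[roles[user]])
        if n >= min_patients and n > multiplier * baseline:
            findings.append((user, "volume", n, baseline))
    return findings


def flag_off_hours(rows, hours=BUSINESS_HOURS):
    """Flag every chart access outside the assumed working hours.
    Returns (user, 'off_hours', iso_timestamp, patient) tuples."""
    start, end = hours
    return [
        (r["user"], "off_hours", r["ts"].isoformat(), r["patient"])
        for r in rows
        if not (start <= r["ts"].hour < end)
    ]


def analyze(text):
    """Run both detections over a log and return the combined findings."""
    rows = parse_log(text)
    return flag_volume_outliers(rows) + flag_off_hours(rows)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample, jdoe is reported twice: once for 12 distinct charts against a role median of 3, once for the 02:31 access. In a real deployment the baseline would come from a longer window per role and the volume rule would be paired with a care-team or assignment check (was the user ever scheduled for that patient?), since a therapist with a legitimately heavy caseload will trip a peer-median rule on busy days.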
The first step in preventing and detecting insider breaches "is recognizing the threat," Berger says.
"Internal penetration testing can also help to identify vulnerabilities that can lead to privilege escalation," he adds. "In regard to accidental breaches, there can never be enough social engineering testing and security awareness training."