Fighting the Insider Threat: A Long-Term Battle

Suzanne Widup of Verizon Describes Why Risk Mitigation Must Be Continuous
To be successful, the quest to mitigate insider threat risks must start at the time employees are hired and continue as they move into different positions requiring varying degrees of data access, says Suzanne Widup, a senior analyst and researcher at Verizon Enterprise Solutions.
While breaches involving record snooping are common, in some cases, insiders deliberately seek positions within healthcare organizations with the intent to steal patient information to commit identity theft, tax fraud and other crimes, Widup says.
Although a background check won't necessarily prevent the hiring of these potential fraudsters, precautionary steps in the early days of employment can help mitigate risks, she says in an interview with Information Security Media Group.
"What I do recommend is having a probationary period where what they're accessing is monitored heavily," she says. "If they're going in with the idea that they're going to get access to information, they probably aren't going to wait around to do the job for a long time; they probably want to get in, get the data and get out. So if you monitor their access pretty heavily, especially in the first [few] months, you probably have a pretty good chance of catching someone before they've gotten a lot of data."
While the use of role-based access controls also can help prevent insider breaches, the role-based privileges must be frequently reviewed, she stresses.
In the healthcare sector, she says, role-based access could restrict which fields within a patient record can be viewed. For example, a nurse doesn't need access to patients' financial information.
"Certainly, you can get a lot more granular on what you can provide a view of, rather than giving them [access to] everything," she says.
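The two controls Widup describes, field-level views of a patient record and heavier monitoring of new hires during probation, as an added example in Python (not Verizon's or the interviewee's code); the roles, field names, 90-day window and daily thresholds are assumptions:

```python
# Added example, not code from the interview. Roles, field names, the
# 90-day probation window and the daily thresholds are all assumptions.
from datetime import date

# Each role sees only the record fields its job needs (assumed field names).
ROLE_FIELDS = {
    "nurse": {"name", "allergies", "medications", "vitals"},
    "billing": {"name", "insurance_id", "balance"},
}

PROBATION_DAYS = 90       # assumed probationary window
PROBATION_LIMIT = 25      # distinct patients/day before a new hire is flagged
ESTABLISHED_LIMIT = 200   # looser bar for staff past probation


def view_record(role, record):
    """Return only the fields the role may see; unknown roles see nothing."""
    allowed = ROLE_FIELDS.get(role, set())
    return {field: value for field, value in record.items() if field in allowed}


def flag_excessive_access(events, hire_dates, today):
    """events: (user, patient_id) pairs from one day's access log.

    Users still inside PROBATION_DAYS are held to the tighter limit, so a
    volume that is routine for a veteran triggers review for a new hire.
    """
    patients_seen = {}
    for user, patient_id in events:
        patients_seen.setdefault(user, set()).add(patient_id)
    flagged = []
    for user, patients in patients_seen.items():
        tenure_days = (today - hire_dates[user]).days
        limit = PROBATION_LIMIT if tenure_days < PROBATION_DAYS else ESTABLISHED_LIMIT
        if len(patients) > limit:
            flagged.append(user)
    return sorted(flagged)


# Constructed sample: a new hire and a veteran each open 30 patient charts.
TODAY = date(2024, 6, 1)
SAMPLE_HIRES = {"newhire": date(2024, 5, 1), "veteran": date(2015, 3, 15)}
SAMPLE_EVENTS = [(u, f"P{n:03d}") for u in ("newhire", "veteran") for n in range(30)]

if __name__ == "__main__":
    print(view_record("nurse", {"name": "A. Patient", "balance": 120.0}))
    print(flag_excessive_access(SAMPLE_EVENTS, SAMPLE_HIRES, TODAY))  # ['newhire']
```

Only the new hire is flagged even though both users touched the same number of charts, which is the point of the probationary threshold.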
In the interview, Widup also discusses:
- Preventing insider breaches involving phishing;
- Why the use of multifactor authentication is critical, especially for privileged user access;
- The risks related to patients accessing their own health data.
Widup is a senior analyst at Verizon Enterprise Solutions. She's a member of the Verizon Research, Investigations, Solutions and Knowledge, or RISK, team, a co-author of the Verizon Data Breach Investigations Report and lead author for the Verizon PHI Report. Widup has 20 years of IT experience.