Cyber Risk Advisory

Insider Threats to the Healthcare Industry

Coalfire Advisory Team

May 22, 2023
Blog Images 2023 Coalfire Main Image Blog Insider Threat Healthcare FINAL

A discussion of insider threats faced by the U.S. healthcare industry, highlighting the types of threats and recommendations on how organizations can mitigate the risks.

Key takeaways:

  • Identifying examples of insider threats
  • Best practices to help mitigate insider threats
  • Importance of awareness and training specific to identifying insider threats

The healthcare industry in the United States is a critical sector with vast amounts of sensitive patient data. For example, medical records contain personally identifiable information (PII) such as names, addresses, social security numbers, etc. When information associated with treatment, payment, and healthcare operations (TPO) is added to the PII, it becomes protected health information (PHI) and, as such, is subject to the HIPAA Privacy and Security Rules.

In recent years, the healthcare industry has become a prime target for cybercriminals due to the high value of this private data. In addition to the threat to PHI confidentiality, risks associated with the integrity and availability of the data can directly lead to patient harm or even death.

While external cybersecurity threats such as ransomware attacks and phishing scams are often discussed, insider cybersecurity threats are equally dangerous and can go unnoticed for extended periods. Insider threats can come from employees, contractors, or business associates with authorized access to sensitive information.

Common insider cybersecurity threats in healthcare

While this blog post discusses common insider cybersecurity threats and best practices in the U.S. healthcare industry, it can also be applicable to other industry verticals.

Malicious insider threats

One of the most severe insider cybersecurity threats is the malicious insider threat, which occurs when an employee or contractor with authorized access intentionally misuses or steals sensitive information for personal gain or to harm the organization. The motives for these attacks can range from financial gain, revenge, or ideology. It can be difficult to detect and prevent malicious insider threats as the insider already has access to sensitive data, making it challenging to distinguish between authorized and unauthorized access.

Implementation of Data Loss Prevention (DLP) is essential, as is monitoring for unusual activity, such as employees working at unusual times of day, changes in behavior, changes in relationships with managers, co-workers, etc. The organization should conduct regular activity audits, and ensure the employee only has access to the minimum amount of data required to fulfill their duties.

Human error

Human error is another major insider threat often overlooked. It can occur when employees or contractors inadvertently expose sensitive data due to a lack of training, negligence, or carelessness. For example, an employee might accidentally send an email containing confidential patient information to the wrong person, or leave their computer unlocked, allowing unauthorized individuals to access sensitive data.

To help reduce the effects of human error, it is important to create a culture of cybersecurity through proper training and cybersecurity awareness. For example, organizations could reward employees who take proactive measures to protect sensitive data, like promptly reporting phishing attempts.

Compliance and privacy officers should conduct regular walkthroughs to check for potential incidents such as documents left on copy machines, unattended computers without screen savers, passwords on sticky notes, etc.

Business associates

Business associates (BA) are external entities with sensitive healthcare data access, such as contractors, consultants, and third-party vendors who work with healthcare organizations. These associates can pose an insider threat by accidentally exposing sensitive data, intentionally stealing information, or failing to implement adequate security measures.

Healthcare organizations should conduct due diligence for all third-party relationships and ensure that business associates know their cybersecurity policies and comply with industry standards such as the Health Insurance Portability and Accountability Act (HIPAA). When a third party uses or discloses PHI on behalf of the healthcare covered entity, the two entities must execute a business associate agreement (BAA) which requires the BA to comply with the HIPAA security rule.

Business associate activity should be monitored and audited to ensure compliance with the requirements of the BAA.

Unsecured devices

Healthcare professionals often use mobile devices such as laptops, smartphones, and tablets to access patient data. These devices can pose a significant risk if they are not adequately secured. Unsecured devices can be lost or stolen, allowing unauthorized access to sensitive data.

Healthcare organizations should implement policies such as device encryption, strong passwords, and multifactor authentication (MFA). A Mobile Device Management application (MDM) can enforce these policies, as well as provide remote wipe capabilities to prevent unauthorized access to sensitive data if the device is lost or stolen.

Healthcare cybersecurity is imperative

Healthcare organizations need to implement robust security measures and train their employees and contractors on the risks of insider threats.

By understanding the risks and taking proactive measures, healthcare organizations can protect their sensitive data and maintain the trust of their patients.