Five worthy reads is a regular column on five noteworthy items we’ve discovered while researching trending and timeless topics. This week, we explore how insiders have become the biggest threat to healthcare organizations.
As the number of data breaches and cyberattacks continues to rise across the world, many organizations still somehow fall under the illusion that they won’t be targeted. Cybersecurity strategies and best practices are mere afterthoughts to these businesses. In fact, a recent Frost & Sullivan study found that 49 percent of healthcare organizations in the Asia-Pacific Region either wait to take cybersecurity into account after they’ve begun digital transformation initiatives or don’t factor cybersecurity into their security strategies at all.
Healthcare is one sector that cannot afford to be so cavalier. This sector in particular is one of the most consequential in terms of the data it handles. From personally identifiable information (PII) to protected health information (PHI), hospitals and healthcare clinics process, store, and manage immense amounts of crucially sensitive patient information on a daily basis. This makes businesses in the healthcare sector prime targets for all sorts of malicious agents.
Among the myriad of threats that a healthcare organization faces, the one that stands out time and again is the insider threat. Healthcare is reportedly the only industry that faces more risks from insiders than from external threats. Insiders account for 56 percent of cyberattacks in the healthcare industry, according to the 2018 DBIR.
While motives behind insider attacks on healthcare can range from unfortunate human error to misuse of resources, the most common motive is usually financial. The easy access that employees have to personal information of patients presents too lucrative an option for some. Fraudulently obtained electronic health records (EHRs) can be worth hundreds or even thousands of dollars on the black market, according to Forbes magazine. This is much more than hackers receive for credit card information, social security numbers, dates of birth, and other similar personal information.
Unfortunately, the healthcare organization often suffers immensely in terms of financial losses, damage to brand name and reputation, and in some cases, quality of patient care. Let’s take a look at five interesting reads from across the web to gain a better understanding of insider threats.
How Healthcare Organizations Can Stay on Top of Insider Threats: Insider threats usually fall into one of three categories: accidental, negligent, or malicious. Each of these can be effectively combatted using a variety of strategies, education, and training.
Phishing, Negligent Insiders Leave Healthcare Vulnerable, HIMSS says: The HIMSS survey reports that most significant security breaches aren’t intentional, but rather the result of lapses in security practices and/or protocols.
3 Reasons Why HIPAA Compliance & Employee Monitoring Should Go Hand-In-Hand: HIPAA essentially requires healthcare organizations to protect their patients’ sensitive information from misuse. This cannot be achieved without ensuring that employees with access to such information are handling it as per protocol.
58% Of All Healthcare Breaches Are Initiated By Insiders: Abusing privileged access to critical databases to steal proprietary information is one of the top methods malicious actors use to attack healthcare organizations. Implementing a Zero Trust security policy to protect every possible attack surface and endpoint is the only way the healthcare industry can mitigate insider threats.
15 Million Patient Records Breached in 2018; Hacking, Phishing Surges: The Protenus 2019 Breach Barometer found that the number of patient medical records breached in 2018 has tripled since the previous year. The report notes that insider threats can remain undetected for long periods of time given the legitimacy of access, showing that insider threats continue to be a challenge for many organizations.
Most studies show that a larger percentage of breaches are caused by insider negligence or error rather than malicious intent. Enforcing strict access controls can help ensure that sensitive patient records aren’t misused by employees. However, organizations need to strike the right balance of access control, as providing quality patient care and making timely and accurate decisions often depend on having quick access to all information available.
A combination of a comprehensive security strategy with routine auditing of access rights and regular employee training can go a long way toward reducing the vulnerability of the healthcare sector.