Cybersecurity threats from anonymous hackers grab most of the headlines. But internal security threats continue to plague all organizations, healthcare included. Threats come from malicious individuals, careless or disgruntled employees and third-party vendors, all of whom pose a major risk to healthcare entities.

To help healthcare organizations understand and better manage these threats, the Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Center, or HC3, published a threat brief on Friday April 22 describing insider threats. The risks and challenges include fraud, data theft, system sabotage, competitive loss, liability issues and brand damage.

Insider threats also weaken HIPAA compliance. If a major breach occurs, no matter the cause, the Office for Civil Rights (OCR) will investigate.

Types of Insider Threats

According to the HC3 brief, there are several types of insider threats within an organization, all with different goals. Some insider threats are:

• Careless or negligent workers
• Malicious insiders
• Inside agents
• Disgruntled employees
• Third parties

While most organizations invest more money on insider threats with malicious intent, negligent insider threats are more common, the brief says. For instance, according to a 2020 insider threat report by the Ponemon Institute, 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders. The HC3 brief explains that unintentional insider threats today still pose a major risk to the health sector.

Examples of unintentional incidents include an employee leaving an unencrypted mobile device or laptop containing sensitive data unattended – the device could be stolen, or data could be copied it’s unattended or a virtual assistant device like Alexa might be on while sensitive meetings occur (e.g., working remotely) causing sensitive data to be leaked.

Prevent Insider Threats

Both intentional and negligent (or accidental) acts can be prevented, or reduced.

“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” according to HC3. HC3 recommends healthcare organizations focus more attention on the following critical areas to prevent incidents involving insiders:

• Revising and updating cybersecurity policies and guidelines;
• Limiting privileged access and establishing role-based access control;
• Implementing zero trust and multi-factor authentication models;
• Backing up data and deploying data loss prevention tools;
• Managing USB devices across the corporate network.

Workforce Cybersecurity Training

The threat brief also mentions that a lack of training, and lack of cybersecurity awareness among employees contributes to the problem. The brief notes:

• 27% of employees saw security policies less than once a year;
• 39% received security awareness training less than once a year.

It’s essential, and required by HIPAA, to provide cybersecurity awareness training to staff, along with basic HIPAA training.

Business Associates are a Source of Threat and Risk

The threat brief also discusses third party risks – insider threats are not just internal employees but can also take the form of third parties.

• 94% of organizations give third parties access to their systems.
• In 72% of case studies, third party vendors were provided elevated permissions on these systems.

In healthcare, these third party vendors are likely business associates.

Business associates are obligated to comply with HIPAA, conduct their own HIPAA Risk Analysis, and provide workforce training. But covered entities who hire third party business associates should also conduct due diligence to ensure business associates are complying with the law, and should enter business associate agreements with them.

HIPAA Risk Analysis and Risk Management is Your Best Defense

All of the advice HC3 provides is included in the HIPAA Privacy and Security Rules. If you follow HIPAA, do your own annual HIPAA Risk Analysis, and follow your Risk Management Plan year-round, the likelihood of insider threats is much lower.  (For more information about intentional insider threats, motives, behavioral indicators, and how to detect the threats, read the full HC3 brief here.)