
Manage Insider Threats

Cybersecurity threats from anonymous hackers grab most of the headlines. But internal security threats continue to plague all organizations, healthcare included. Threats come from malicious individuals, careless or disgruntled employees and third-party vendors, all of whom pose a major risk to healthcare entities.

To help healthcare organizations understand and better manage these threats, the Department of Health and Human Services' Health Sector Cybersecurity Coordinating Center, or HC3, published a threat brief on Friday, April 22 describing insider threats. The risks and challenges it lists include fraud, data theft, system sabotage, competitive loss, liability issues and brand damage.

Insider threats also weaken HIPAA compliance. If a major breach occurs, no matter the cause, the Office for Civil Rights (OCR) will investigate.

Types of Insider Threats

According to the HC3 brief, there are several types of insider threats within an organization, each with different goals. The brief lists:

  • Careless or negligent workers
  • Malicious insiders
  • Inside agents
  • Disgruntled employees
  • Third parties

While most organizations spend more on defending against malicious insiders, negligent insider incidents are more common, the brief says. For instance, according to a 2020 insider threat report by the Ponemon Institute, 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders. The HC3 brief explains that unintentional insider threats still pose a major risk to the health sector today.

Examples of unintentional incidents include an employee leaving an unencrypted mobile device or laptop containing sensitive data unattended, where the device could be stolen or its data copied, or a virtual assistant device such as Alexa being left on while sensitive meetings take place (for example, when working remotely), causing sensitive data to be leaked.

Prevent Insider Threats

Both intentional and negligent (or accidental) acts can be prevented or, at least, reduced.

“Deterrence, detection analysis, and post-breach forensics are key areas of insider threat prevention,” according to HC3. HC3 recommends healthcare organizations focus more attention on the following critical areas to prevent incidents involving insiders:

  • Revising and updating cybersecurity policies and guidelines;
  • Limiting privileged access and establishing role-based access control;
  • Implementing zero trust and multi-factor authentication models;
  • Backing up data and deploying data loss prevention tools;
  • Managing USB devices across the corporate network.
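The two items HC3 pairs most closely, limiting privileged access through role-based access control and "detection analysis", can be shown together in code. The following is an added example, not code from HC3 or from The HIPAA E-Tool: a deny-by-default role/permission table for a hypothetical EHR service, and a small detector that runs over constructed audit-log lines to flag three insider-threat indicators (requests the policy denies, access outside business hours, and one user touching many distinct patient records in a single hour). The role names, actions, log format, and the per-hour threshold are all assumptions made for this example; in practice the threshold would come from a per-role baseline.

```python
"""Added example (not from the HC3 brief): deny-by-default RBAC plus an
insider-threat indicator detector over constructed EHR audit-log lines."""
from collections import defaultdict
from datetime import datetime, time

# Hypothetical role -> permitted actions. Any action not listed is denied,
# and an unknown role has no permissions at all (deny by default).
ROLE_PERMISSIONS = {
    "nurse": frozenset({"read_chart", "update_vitals"}),
    "physician": frozenset({"read_chart", "update_vitals", "write_order"}),
    "billing": frozenset({"read_billing"}),
    # Third-party vendor account: system health only, no PHI actions.
    "vendor_support": frozenset({"read_system_health"}),
}


def is_allowed(role, action):
    """Return True only when the role explicitly grants the action."""
    return action in ROLE_PERMISSIONS.get(role, frozenset())


# Constructed sample log (not real data). Fields:
# timestamp user role action patient_id ("-" when no patient is involved)
SAMPLE_LOG = """\
2023-05-02T09:14:05 nurse01 nurse read_chart P1001
2023-05-02T09:20:11 nurse01 nurse read_chart P1002
2023-05-02T09:21:40 nurse01 nurse read_chart P1003
2023-05-02T09:22:02 nurse01 nurse read_chart P1004
2023-05-02T09:22:30 nurse01 nurse read_chart P1005
2023-05-02T09:23:01 nurse01 nurse read_chart P1006
2023-05-02T23:40:17 bill02 billing read_chart P1007
2023-05-02T23:41:05 bill02 billing read_billing P1007
2023-05-02T10:05:00 vend03 vendor_support read_chart P1008
2023-05-02T10:06:00 vend03 vendor_support read_system_health -
"""


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": patient,
        })
    return events


def detect_indicators(events, bulk_threshold=5,
                      business_hours=(time(7, 0), time(19, 0))):
    """Return sorted (user, indicator) pairs for three insider-threat signals.

    - denied_action:<action>  the role does not permit the requested action
    - after_hours             request outside the assumed business window
    - bulk_record_access      more than bulk_threshold distinct patients
                              accessed by one user within one clock hour
    The threshold and business window are assumptions for this example.
    """
    findings = set()
    patients_per_user_hour = defaultdict(set)
    start, end = business_hours
    for e in events:
        if not is_allowed(e["role"], e["action"]):
            findings.add((e["user"], "denied_action:" + e["action"]))
        if not (start <= e["ts"].time() < end):
            findings.add((e["user"], "after_hours"))
        if e["patient"] != "-":
            hour_bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
            patients_per_user_hour[(e["user"], hour_bucket)].add(e["patient"])
    for (user, _), patients in patients_per_user_hour.items():
        if len(patients) > bulk_threshold:
            findings.add((user, "bulk_record_access"))
    return sorted(findings)


if __name__ == "__main__":
    for user, indicator in detect_indicators(parse_log(SAMPLE_LOG)):
        print(f"{user}: {indicator}")
```

On the constructed log this flags the billing user for an after-hours session and a denied chart read, the vendor account for attempting a chart read its role does not grant, and the nurse for opening six distinct charts in ten minutes. Denied requests are worth logging and reviewing rather than silently dropping: a pattern of policy denials is itself one of the behavioral indicators HC3 describes.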

Workforce Cybersecurity Training

The threat brief also mentions that a lack of training, and lack of cybersecurity awareness among employees contributes to the problem. The brief notes:

  • 27% of employees saw security policies less than once a year;
  • 39% received security awareness training less than once a year.

It’s essential, and required by HIPAA, to provide cybersecurity awareness training to staff, along with basic HIPAA training.

Business Associates are a Source of Threat and Risk

The threat brief also discusses third-party risk: insider threats are not limited to internal employees but can also take the form of third parties with access to an organization's systems.

  • 94% of organizations give third parties access to their systems.
  • In 72% of case studies, third party vendors were provided elevated permissions on these systems.

In healthcare, these third party vendors are likely business associates.

Business associates are obligated to comply with HIPAA, conduct their own HIPAA Risk Analysis, and provide workforce training. But covered entities that hire third-party business associates should also conduct due diligence to ensure those business associates are complying with the law, and should enter into business associate agreements with them.

HIPAA Risk Analysis and Risk Management is Your Best Defense

All of the advice HC3 provides is already reflected in the HIPAA Privacy and Security Rules. If you follow HIPAA, do your own annual HIPAA Risk Analysis, and follow your Risk Management Plan year-round, the likelihood of an insider incident is much lower. (For more information about intentional insider threats, motives, behavioral indicators, and how to detect the threats, read the full HC3 brief here.)

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.