Insider threats, with negligence or malice, can hurt health care cybersecurity

Whether by mistake or with malice, people within health care organizations can become threats to cybersecurity.

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) published “Insider Threats in Healthcare.” The threat brief did not describe a specific security risk, cyberattack or health care system.

Rather, HC3 offered guidance on insider threats, people or contractors with access to assets or information about security practices, data and computer systems.

“The person could use this information in a way that negatively impacts the organization,” through fraud, data theft or system sabotage, the report said.

Employee access

HC3 cited “alarming results” from the 2021 Healthcare Data Risk Report from New York-based cybersecurity consulting firm Varonis.

That company sampled 3 billion files from 58 companies and found:

• Every employee had access to 20% of all files.
• 31,000 sensitive healthcare files were open to everyone.
• 77% of companies had 500 or more accounts with passwords that do not expire.

Threats

Threats may come from careless, negligent workers, malicious or disgruntled employees or third parties.

Negligent insider threats are more common than outside attacks with malicious intent and “unintentional insider threats pose a major risk to the health sector,” according to HC3.

Examples include an employee leaving unattended an unencrypted mobile device or laptop computer with sensitive data. Remote workers could create risks by having Amazon Echo and Alexa devices on during meetings.

Malicious insiders are people within an organization that have a grievance and choose to act on it. They could become inside agents, working on behalf of an external group “to compromise an organization’s network and carry out a data breach or other attack.”

“This is dangerous because it provides an outside group with the access and privileges of an insider,” the report said.

Disgruntled employees can be significant threats because of access to systems and because in some cases they feel as if they are owed something, the report said.

Among all organizations, 94% give third parties access to their computer systems and in 72% of case studies, third-party vendors were provided elevated permissions, according to HC3, citing the Varonis study.

What to look for

Behavioral indicators of potential insider threats could include unprofessional behavior, bullying other employees, personality conflicts and misuse of travel, time or expenses.

Indicators of IT sabotage could be creating backdoor accounts, changing passwords to limit access to data, disabling system logs, installing remote network administration tools or malware, and accessing systems or computers of other workers.

Massive downloading of corporate data, sending data or email attachments to noncorporate addresses, extensive use of corporate printers, and remotely accessing organization servers during nonworking hours, all could indicate data theft, according to HC3.