HHS Warns of Insider Threats in the Healthcare Sector

April 27, 2022
Recently, HHS published a warning about insider threats in healthcare and the public health sector—sixty one percent of data breaches that involve an insider are unintentional and caused by negligent insiders

On April 21, the Department of Health and Human Services (HHS) issued a warning regarding insider threats when it comes to healthcare and the public health (HPH) sector. “An insider threat in the HPH Sector is potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization's security practices, data, and computer systems,” the warning says. “The person could use this information in a way that negatively impacts the organization.”

Insider threats within an organization include:

  • Careless or negligent workers
  • Malicious insiders
  • Inside agents
  • Disgruntled employees
  • Third parties

The warning adds that, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common." According to Ponemon’s ‘2020 Insider Threats Report,’ 61 percent of data breaches involving an insider are primarily unintentional, caused by negligent insiders.

  • Lack of awareness about security policies and a failure to provide security awareness training
  • Twenty-seven percent of employees saw security policies less than once a year; 39 percent received security awareness training less than once a year
  • Unintentional insider threats pose a major risk to the health sector
  • An example is an employee leaving an unencrypted mobile device or laptop containing sensitive data unattended. The device(s) could be stolen, or data could be copied while the device is unattended.
  • Alexa on while sensitive meetings are going on (i.e., working remote) could cause sensitive data to be leaked”

The warning adds that malicious insiders are individuals that have a grievance against a company and act on it. More money is allocated to protect against these types of threats, studies have shown that they pose less of a threat to organizations than insider threats.

“It is important to mention that there are different studies on this with varied metrics,” the warning adds. “According to the Ponemon Institute’s ‘2020 Insider Threats Report:’

  • Malicious Insiders – 14 percent of Insider Threat Incidents
  • Negligent Insiders – 61 percent of Insider Threat Incidents
  • Negligent Insiders (credentials stolen) – 25 percent of Insider Threat Incident”

According to the warning, inside agents work on behalf of an external group to compromise an organization’s network and carry out data breaches or other attacks. Additionally, “disgruntled employees” pose significant risk because of their access to an organization’s systems and are considered “emotional threat actors.” Third parties are also a type of insider threats, 94 percent of organizations give third parties access to their systems and in 72 percent of case studies, third-party vendors had advanced permissions on said systems.

As what organizations can do to prevent insider threats, some criteria include:

  • Revising and updating cybersecurity policies
  • Limiting privileged access and establishing role-based access control
  • Implementing the zero-trust and multi-factor authentication models
  • Backing up data and deploying data loss prevention tools
  • Managing USB devices across the corporate network

Sponsored Recommendations

Northeast Georgia Health System: Scaling Digital Transformation in a Competitive Market

Find out how Northeast Georgia Health System (NGHS) enabled digital access to achieve new patient acquisition goals in Georgia's highly competitive healthcare market.

2023 Care Access Benchmark Report for Healthcare Organizations

To manage growing consumer expectations and shrinking staff resources, forward-thinking healthcare organizations have adopted digital strategies, but recent research shows that...

Increase ROI Through AI: Unlocking Scarce Capacity & Staffing

Unlock the potential of AI to optimize capacity and staffing in healthcare. Join us on February 27th to discover how innovative AI-driven solutions can revolutionize operations...

Boosting Marketing Efficiency: A Community Healthcare Provider’s Success Story

Explore the transformative impact of data-driven insights on Baptist Health's marketing strategies. Dive into this comprehensive case study to uncover the value of leveraging ...