HHS Warns of Insider Threats in the Healthcare Sector

April 27, 2022
Recently, HHS published a warning about insider threats in healthcare and the public health sector—sixty one percent of data breaches that involve an insider are unintentional and caused by negligent insiders

On April 21, the Department of Health and Human Services (HHS) issued a warning regarding insider threats when it comes to healthcare and the public health (HPH) sector. “An insider threat in the HPH Sector is potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization's security practices, data, and computer systems,” the warning says. “The person could use this information in a way that negatively impacts the organization.”

Insider threats within an organization include:

  • Careless or negligent workers
  • Malicious insiders
  • Inside agents
  • Disgruntled employees
  • Third parties

The warning adds that, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common." According to Ponemon’s ‘2020 Insider Threats Report,’ 61 percent of data breaches involving an insider are primarily unintentional, caused by negligent insiders.

  • Lack of awareness about security policies and a failure to provide security awareness training
  • Twenty-seven percent of employees saw security policies less than once a year; 39 percent received security awareness training less than once a year
  • Unintentional insider threats pose a major risk to the health sector
  • An example is an employee leaving an unencrypted mobile device or laptop containing sensitive data unattended. The device(s) could be stolen, or data could be copied while the device is unattended.
  • Alexa on while sensitive meetings are going on (i.e., working remote) could cause sensitive data to be leaked”

The warning adds that malicious insiders are individuals that have a grievance against a company and act on it. More money is allocated to protect against these types of threats, studies have shown that they pose less of a threat to organizations than insider threats.

“It is important to mention that there are different studies on this with varied metrics,” the warning adds. “According to the Ponemon Institute’s ‘2020 Insider Threats Report:’

  • Malicious Insiders – 14 percent of Insider Threat Incidents
  • Negligent Insiders – 61 percent of Insider Threat Incidents
  • Negligent Insiders (credentials stolen) – 25 percent of Insider Threat Incident”

According to the warning, inside agents work on behalf of an external group to compromise an organization’s network and carry out data breaches or other attacks. Additionally, “disgruntled employees” pose significant risk because of their access to an organization’s systems and are considered “emotional threat actors.” Third parties are also a type of insider threats, 94 percent of organizations give third parties access to their systems and in 72 percent of case studies, third-party vendors had advanced permissions on said systems.

As what organizations can do to prevent insider threats, some criteria include:

  • Revising and updating cybersecurity policies
  • Limiting privileged access and establishing role-based access control
  • Implementing the zero-trust and multi-factor authentication models
  • Backing up data and deploying data loss prevention tools
  • Managing USB devices across the corporate network

Sponsored Recommendations

How Digital Co-Pilots for patients help navigate care journeys to lower costs, increase profits, and improve patient outcomes

Discover how digital care journey platforms act as 'co-pilots' for patients, improving outcomes and reducing costs, while boosting profitability and patient satisfaction in this...

5 Strategies to Enhance Population Health with the ACG System

Explore five key ACG System features designed to amplify your population health program. Learn how to apply insights for targeted, effective care, improve overall health outcomes...

A 4-step plan for denial prevention

Denial prevention is a top priority in today’s revenue cycle. It’s also one area where most organizations fall behind. The good news? The technology and tactics to prevent denials...

Healthcare Industry Predictions 2024 and Beyond

The next five years are all about mastering generative AI — is the healthcare industry ready?