On April 21, the Department of Health and Human Services (HHS) issued a warning regarding insider threats when it comes to healthcare and the public health (HPH) sector. “An insider threat in the HPH Sector is potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization's security practices, data, and computer systems,” the warning says. “The person could use this information in a way that negatively impacts the organization.”
Insider threats within an organization include:
- Careless or negligent workers
- Malicious insiders
- Inside agents
- Disgruntled employees
- Third parties
The warning adds that, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common." According to Ponemon’s ‘2020 Insider Threats Report,’ 61 percent of data breaches involving an insider are primarily unintentional, caused by negligent insiders.
- Lack of awareness about security policies and a failure to provide security awareness training
- Twenty-seven percent of employees saw security policies less than once a year; 39 percent received security awareness training less than once a year
- Unintentional insider threats pose a major risk to the health sector
- An example is an employee leaving an unencrypted mobile device or laptop containing sensitive data unattended. The device(s) could be stolen, or data could be copied while the device is unattended.
- Alexa on while sensitive meetings are going on (i.e., working remote) could cause sensitive data to be leaked”
The warning adds that malicious insiders are individuals that have a grievance against a company and act on it. More money is allocated to protect against these types of threats, studies have shown that they pose less of a threat to organizations than insider threats.
“It is important to mention that there are different studies on this with varied metrics,” the warning adds. “According to the Ponemon Institute’s ‘2020 Insider Threats Report:’
- Malicious Insiders – 14 percent of Insider Threat Incidents
- Negligent Insiders – 61 percent of Insider Threat Incidents
- Negligent Insiders (credentials stolen) – 25 percent of Insider Threat Incident”
According to the warning, inside agents work on behalf of an external group to compromise an organization’s network and carry out data breaches or other attacks. Additionally, “disgruntled employees” pose significant risk because of their access to an organization’s systems and are considered “emotional threat actors.” Third parties are also a type of insider threats, 94 percent of organizations give third parties access to their systems and in 72 percent of case studies, third-party vendors had advanced permissions on said systems.
As what organizations can do to prevent insider threats, some criteria include:
- Revising and updating cybersecurity policies
- Limiting privileged access and establishing role-based access control
- Implementing the zero-trust and multi-factor authentication models
- Backing up data and deploying data loss prevention tools
- Managing USB devices across the corporate network
