Insider Threats at Hospitals
What are insider threats, why do they happen, and what is the outcome?
Insider threat is an umbrella term for a number of different malicious acts carried out against an organization by someone inside that organization. It covers a gamut of actions, from angry employees deleting sensitive records to state sponsored espionage carried out via someone close to the organization, and everything in between. According to PWC in their “Global State of Information Security 2016 Report,” 63% of security incidents can be attributed to current or former employees.
The types of insider threats can be broken down into several categories:
- Intentional, e.g. sabotage, data theft
- Unintentional, e.g. loss of data via lost devices, accidental disclosure of data, improper disposal of records
The reasons for insider attacks include:
- Revenge - disgruntled employee, dissatisfied with job or manager
- Competition - to use intellectual property to start their own business
- Financial - to sell data online or to a third party who may use the data in a number of ways, such as reselling through the black market
Insider threats are much more heavily cloaked than external threats by the organization suffering them. This could be due to the very sensitive nature of an internally initiated breach. Because of this, companies avoid the use of the law, preferring to deal with the issue, quietly. PWC in their report on managing cyber risks, stated that:
“75% of respondents to the US cybercrime survey said they did not involve law enforcement or bring legal charges in compromises committed by insiders.”
The same report found that insider cyber crimes were more costly than external cyber crimes. This may be due to insider threats taking longer to detect, after all, the actions are carried out by people allowed to perform those tasks. In a report by NATO Cooperative Cyber Defense Center of Excellence (CCDCOE), they found that the different types of insider threat actions had timelines associated with their execution. Sabotage, which was often enacted out of revenge, was a fast action, usually occurring on average 30 days after a contract was terminated. Theft of data and intellectual property was a longer term action, taking around 60 days to commit. Fraud, where data such as Personally Identifiable Information (PII) is modified or sold, is an ongoing concern. Exfiltration of information can occur over several months or even years before detection.
On a global level it is the USA that feels most under threat from insiders, with 92% of U.S. organizations feeling vulnerable to this type of security issue.
How big is the problem of Insider threats in the healthcare industry as a whole and in hospitals?
The 2016 Verizon “Data Breach Investigations Report” (DBIR) points out that the healthcare industry is one of the top three sectors to suffer at the hands of an insider. We can look at the scale of the issue using the ‘wall of shame’ hosted by the Department of Health and Social Services. This is a requirement of the Health Insurance Portability and Accountability Act (HIPAA) which mandates that a breach affecting over 500 individuals must be submitted to the authorities and be publically accessible. To view the extent of insider threats within health care providers (which included hospitals and associated health centers) the ‘wall of shame’ was filtered for the following variables:
- The first 6 months of 2016
- Healthcare providers only (which includes hospitals as well as medical care centers and doctors)
- Theft or unauthorized disclosure of data
- Electronic medical records (EMR)
The result was 8 breaches with a total of 81,432 EMRs. If I add to the filters all types of data, which includes sensitive information not in EMR format, then this figure jumps massively to 64 healthcare providers being breached and the data of almost 1 million individuals being compromised. Some examples of the bigger breaches include Public Health Trust of Miami-Dade County, Florida with over 24,000 EMRs lost and Eye Institute of Corpus Christi with almost 44,000 lost EMRs.
The whys and wherefores of health-related insider threats
Some further interesting facts that have come out of the 2016 DBIR include that internal threats are often initiated by outsiders. It outlines a picture of a typical insider threa: a disgruntled employee, usually with privileged access credentials, but less likely to be someone in a management role. The reasons behind the attacks are most likely financial or espionage. When you consider that the average healthcare salary of a nursing aide is around the $28K range, and for computer operators around the $40K mark, if you have the mindset of a disgruntled or angry employee, you may well be easy prey for an external malicious source to take advantage of. But in a recent worrying twist to insider threats, Gartner has identified that the ease of use of the dark web is allowing it to be used as a direct medium for a disgruntled employee to upload and sell PII directly.
But why is the healthcare industry and hospitals such a prized target for insider breaches?
To answer this we need to look at some facts about data and our healthcare providers. Firstly Personal Health Information (PHI) is valuable. Where credit card details may fetch as little as $5 on the dark web, a PHI record will fetch closer to $363 according to the Ponemon Institute and IBM. This is because data records within the health system contain personal data, such as social security numbers, that can be used for further cybercrime - it’s like the gift that keeps on giving. Cybercriminals can take the rich data from an Electronic Medical Record (EMR) and use it for a number of further criminal activities, for example, to buy drugs and medical equipment. The IRS breach of 2015 was successful because health records gave enough information to allow fraudulent tax claims to be made in real people’s names. Secondly, the theft of health data, especially that stolen by insiders which is difficult to detect, means that the data has a longer life span. Unlike stolen credit cards, which can be swiftly cancelled, PHI has a long lifetime, and great re-use possibilities.
Some examples of hospital based insider threats
Hospitals are a busy, multi-dimensional community. The vast majority of people who choose to go into healthcare as a career do so because they are genuine and caring human beings. However, like any organization, hospitals have a variety of people to manage, which can include less than scrupulous ones. Some insider threats, like the first in our list here, are on the edge of what is malicious and what is just plain lack of privacy awareness. Others are organized attempts to extract as much personal data as possible, over long periods of time, and sell it on for profit.
Example 1: The first example is Children's Healthcare of Atlanta, Inc. v. McCray. Sharon McCray was a senior audit advisor for Children’s Healthcare of Atlanta. McCray started to send healthcare records of patients from her corporate email to her home email on the day that she resigned. When caught, she told the hospital that she had emailed the data for “future employment reference.”
Example 2: Another long term breach was found at the Florida hospital, who sent out a notice to affected patients. They found that two hospital employees had printed out data sheets that contained patient personal data, including social security numbers, phone numbers, names and addresses. The breach had occurred over a two year period. The hospital believes that the PHI was being used to make fraudulent benefit claims from health insurers.
Example 3: Other insider breaches come under the banner of disgruntled employee. For example, an employee of Woodwinds hospital in Minnesota was sacked and, as retribution, took 200 pages of confidential information home. The now ex-employee said she was using the information to blow the whistle on the hospital who she believed had carried out a number of medical misconducts.
Example 4: The wider hospital network, including smaller facilities which offer assisted care, are not immune to insider breaches. Earlier this year, a worker at a facility for the elderly, Holland Manor Eldercare in Maryland, used his privileged access on the network to steal patient data. He then used these data to fraudulently obtain credit cards. Again this was carried out over a 2 year period before being detected.
What mitigation strategies exist to control insider threats
Insider threats are extremely difficult to detect because of the nature of the problem - a breakdown in trust by otherwise trusted individuals. Unfortunately, the facts, such as those identified by the DBIR, mean we cannot just give blind trust to employees and the extended supply ecosystem. Because internal breaches are often carried out using normal modes of operation, we can’t use traditional tools, like firewalls or antivirus software, to stop them. Instead we have to think like an insider and build a security strategy that can handle internal as well as external cyber security issues.
The Intelligence and National Security Alliance (INSA), in partnership with the Office of Homeland Security, the FBI and the Office of the Director of National Intelligence, have created an Insider Threat Resource Directory. They have used over 200 insider threat profiles to create a framework which contains 13 guidelines for developing a strategy around insider threats. A key theme running through the guidelines is top down driven awareness. Security awareness and training which has leadership buy-in has greater success across the organization. Being driven at the executive level gives the program kudos and weight. Having security awareness programs that build upon the idea of trust, built into the very ethos of a hospital, may not prevent the small minority of rogue employees attempting to carry out a malicious act, but they will give the rest of the team the knowledge to spot and prevent the act occurring.
Self-policing of staff is an essential part of the overall insider threat strategy, but it is not the whole story. Technology can also play a part in thwarting insider data exfiltration attempts. Monitoring, combined with modern analytics, is an important tool in the security strategy kit. Using intelligence, such as the information gleaned from reports like DBIR, can help to focus energies on key areas of importance. For example, it was found that a likely time for an insider threat to take place was in the month after an employee has resigned, so this would be a good place to focus monitoring and analytics. Or as the DBIR has stated, it is those with access to sensitive data such as EMRs or other PII that are more likely to cause a breach, so focusing attention in those areas would be wise. The DBIR recommends that you:
“…monitor the heck out of their [employees] authorized daily activity, especially ones with access to monetizable data (financial account information, personally identifiable information (PII), payment cards, medical records).”
Perhaps the most difficult task in handling insider threats is striking a balance between tackling the threats and ensuring the trust of the vast majority of your workforce. If your strategy around insider threats is not carried out with the agreement and acceptance of the wider workforce, then it may backfire. This is where a well coordinated and inclusive security awareness program can really excel.