Best Practices for Managing the Insider Threat in Healthcare

The effects of the COVID-19 pandemic have forced changes in many aspects of society. Two areas that have seen significant change involve how people work and obtain healthcare. Remote work and healthcare solutions were adopted wherever possible to slow the spread of the virus by limiting face-to-face contact.

In this article, we will look at the best practices healthcare organizations can use to minimize the security risk posed by insiders. In many cases, insiders pose the greatest threat to an enterprise since they possess important information in how it operates and where its weaknesses may lie.

Cyberattacks in the Healthcare Industry

Cyberattacks affecting the healthcare industry have increased tremendously since the start of the pandemic. The attacks can be made via multiple methods, with ransomware being one of the most popular. Ransomware, which is a particularly nasty type of malware, attacks an organization's databases. It encrypts the data and holds it for ransom, usually requested in some type of cryptocurrency. Botnets, remote code execution, and dedicated denial of service (DDoS) attacks against healthcare organizations are also happening with disturbing frequency.

A common characteristic of all cyberattacks is the need for the perpetrators to gain access to resources in an organization's IT infrastructure. Sophisticated cybercriminals research their targets and choose victims who cannot afford to lose access to their data. Healthcare providers, especially those involved in emergency measures designed to address the pandemic, are prime targets for unscrupulous hackers. 

Organized teams of hackers employ multiple steps in planning and executing an attack.

Malicious insiders can be involved in any of these steps. An attack initiated by an insider can skip the first three steps and start directly exploiting sensitive systems. Untrained or careless insiders can also inadvertently contribute to an attack's success by clicking on links in phishing emails. 

Insider Threats to IT Security in Healthcare

Insider threats can originate from five different types of insiders:

Insiders pose specific threats to IT systems that can be difficult or impossible to fully address. As can be seen from the steps required for executing a cyberattack, using an insider considerably streamlines the process. A malicious trusted insider may eliminate the need for reconnaissance, weaponization, and delivery by using authorized privileges to directly exploit IT resources. This is extremely hard to stop before the fact and may be difficult to detect through standard security monitoring.

The following are some key findings from a Varonis sponsored report on security in the healthcare industry:

These statistics are extremely troubling from a security perspective. They illustrate the critical nature of implementing enhanced security measures across the healthcare industry. 

Best Practices to Manage Insider Threats

Many of the insider threats faced by the healthcare industry are also problems for other market sectors. A major distinguishing factor impacting healthcare is the critical and sensitive nature of their IT systems and the data they store. In addition to sensitive personal health information (PHI), payment details and financial records are also stored in healthcare databases. 

The following best practices will help strengthen security and protect sensitive information resources in the healthcare field:
Implementing the Zero Trust Security Model

The Zero Trust Model was introduced by John Kindervag of Forrester Research in 2010. The model provides an innovative way to approach the security of computer networks and their supported systems. This security model eliminates the assumption that internal network traffic should be trusted, and treats all traffic as being potentially dangerous based on the following observations. 

It is important to note that Zero Trust is a philosophy rather than a technical solution. Zero Trust outlines three core principles to address security weaknesses: 

1. All computing resources need to be accessed securely.
2. The concept of least privilege needs to be enforced.
3. Network traffic needs to be monitored and verified in real time to protect the environment.

Focusing on Security Awareness

Hackers try to gain access to systems by compromising the weakest links in the organization's security. These are usually the people who have direct or indirect access to sensitive data. Security awareness involves an understanding of the organization's data resources and how malevolent actors may target unsuspecting employees. 

Many employees may not be aware of how to defend themselves against phishing campaigns. Security training can help limit, but never eliminate the dangers of targeted phishing. A single mistake or lack of judgment can result in serious consequences for a healthcare provider.  

End-To-End Data Encryption

Encrypting sensitive data is an accepted technique for protecting it from unauthorized use. Fully encrypting data in transit, in use, and at rest can become complicated, especially when multiple environments are involved. Healthcare organizations need to ensure that all data is encrypted end-to-end whether on-premises or in the cloud.

Data Classification

Classifying data based on its degree of sensitivity will assist in efforts to protect it. 
Not all data needs the same level of protection. Most organizations need between three and five data classifications and should implement minimum handling requirements for each class.

Monitoring Mobile Device Access

The increased reliance on mobile devices by patients, providers, and workers in the healthcare industry has introduced new security risks. An authorized mobile device in the wrong hands can quickly lead to the loss of sensitive information and a costly data breach. Healthcare organizations need to find the right balance between the functionality of mobile and telehealth solutions and the security and privacy of their sensitive data resources.


Managing the insider threats to the healthcare industry demands a multi-faceted approach that implements strong protective policies and trains employees on the fine points of security awareness. Failure to address these issues leaves healthcare organizations vulnerable to attacks from both internal and external sources. 

HIPAA Compliant Hosting by Atlantic.Netâ„¢ is SOC 2 and SOC 3 certified, HIPAA and HITECH audited, and designed to secure and protect critical healthcare data, electronic protected health information (ePHI)m and records. We are audited by qualified, independent third-party auditing firms to demonstrate our leading security and compliance services. For more information, visit