The effects of the COVID-19 pandemic have forced changes in many aspects of society. Two areas that have seen significant change involve how people work and obtain healthcare. Remote work and healthcare solutions were adopted wherever possible to slow the spread of the virus by limiting face-to-face contact.
In this article, we will look at the best practices healthcare organizations can use to minimize the security risk posed by insiders. In many cases, insiders pose the greatest threat to an enterprise, since they possess detailed knowledge of how it operates and where its weaknesses may lie.
Cyberattacks in the Healthcare Industry
Cyberattacks affecting the healthcare industry have increased tremendously since the start of the pandemic. The attacks can be carried out by multiple methods, with ransomware being one of the most popular. Ransomware, a particularly destructive type of malware, attacks an organization's databases: it encrypts the data and holds it for ransom, usually demanded in some type of cryptocurrency. Botnets, remote code execution, and distributed denial of service (DDoS) attacks against healthcare organizations are also happening with disturbing frequency.
A common characteristic of all cyberattacks is the need for the perpetrators to gain access to resources in an organization's IT infrastructure. Sophisticated cybercriminals research their targets and choose victims who cannot afford to lose access to their data. Healthcare providers, especially those involved in emergency measures designed to address the pandemic, are prime targets for unscrupulous hackers.
Organized teams of hackers employ multiple steps in planning and executing an attack.
- Reconnaissance - Steps are taken to get to know the target and how they operate.
- Weaponization - Phishing emails or fake web pages are created to attempt to gain access to secured systems.
- Delivery - Phishing emails are sent, and fake pages are posted, to trick unsuspecting employees into opening an attachment and launching malware.
- Exploitation - Hackers start collecting passwords and other credentials sent to them by the malware and use them to explore the network and find its weaknesses.
- Installation - Hackers will install a persistent backdoor to the compromised system to ensure future access.
- Command and control - In extreme cases, hackers can take control of the entire network and lock out authorized users.
- Action on the objective - Once command and control is achieved, the hackers can pursue their objective, which may be stealing information, installing ransomware, or disrupting mission-critical systems.
Malicious insiders can be involved in any of these steps. An attack initiated by an insider can skip the first three steps and start directly exploiting sensitive systems. Untrained or careless insiders can also inadvertently contribute to an attack's success by clicking on links in phishing emails.
Insider Threats to IT Security in Healthcare
Insider threats can originate from five different types of insiders:
- Careless workers who may unintentionally bypass security and privacy measures, resulting in a data breach.
- Inside agents are employees who have been coerced, recruited, or bribed into stealing data from an organization for a third party.
- Incompetent third parties or partners can put healthcare data at risk through improper security procedures or negligence.
- Disgruntled employees or those who are leaving soon may be tempted to take private data with them when they go.
- Malicious insiders working by themselves are hard to spot and pose the greatest challenge to security teams in the healthcare industry.
Insiders pose specific threats to IT systems that can be difficult or impossible to fully address. As can be seen from the steps required for executing a cyberattack, using an insider considerably streamlines the process. A malicious trusted insider may eliminate the need for reconnaissance, weaponization, and delivery by using authorized privileges to directly exploit IT resources. This is extremely hard to stop before the fact and may be difficult to detect through standard security monitoring.
The following are some key findings from a Varonis-sponsored report on security in the healthcare industry:
- On average, nearly 20% of files are open to all employees in a healthcare organization.
- Over 50% of organizations have more than 1,000 sensitive files open to every employee.
- Almost two-thirds of organizations have 500 or more accounts with passwords that never expire.
These statistics are extremely troubling from a security perspective. They illustrate the critical nature of implementing enhanced security measures across the healthcare industry.
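The three findings above are all things an organization can measure in its own environment. The script below is an added illustration, not code from the article or from the Varonis report: it audits a file-share inventory and an account list for files open to all staff, sensitive files open to all staff, and enabled accounts whose passwords never expire. The inventory records, the group names treated as "every employee", and the `sensitive` tag are constructed assumptions; in practice the records would come from an ACL export and the directory service.

```python
"""Audit a file-share and account inventory for the exposure patterns named in
the Varonis findings: files readable by all staff, sensitive files readable by
all staff, and accounts whose passwords never expire.

Added illustration with constructed sample data; nothing here comes from a real
system. Group names and record fields are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


# Group names that, in this hypothetical environment, mean "every employee".
EVERYONE_GROUPS = frozenset({"Everyone", "Authenticated Users", "Domain Users"})


@dataclass(frozen=True)
class FileRecord:
    path: str
    sensitive: bool      # tagged as PHI / financial by the classification process
    readers: frozenset   # principals (users or groups) granted read access


@dataclass(frozen=True)
class AccountRecord:
    name: str
    password_never_expires: bool
    enabled: bool = True


def open_to_all(f: FileRecord) -> bool:
    """A file counts as open to all staff if any reader entry is an all-staff group."""
    return bool(f.readers & EVERYONE_GROUPS)


def audit(files: Iterable[FileRecord], accounts: Iterable[AccountRecord]) -> Dict[str, object]:
    """Return the metrics behind the three report findings plus the items to fix."""
    files = list(files)
    accounts = list(accounts)
    exposed = [f for f in files if open_to_all(f)]
    exposed_sensitive = [f for f in exposed if f.sensitive]
    # Disabled accounts are skipped here; they cannot log in, though they still
    # deserve cleanup in their own right.
    never_expire = [a for a in accounts if a.enabled and a.password_never_expires]
    pct = 100.0 * len(exposed) / len(files) if files else 0.0
    return {
        "files_total": len(files),
        "open_to_all_pct": round(pct, 1),
        "sensitive_open_to_all": sorted(f.path for f in exposed_sensitive),
        "never_expire_accounts": sorted(a.name for a in never_expire),
    }


# Constructed sample inventory: ten files, five accounts.
SAMPLE_FILES: List[FileRecord] = [
    FileRecord("/share/policies/handbook.pdf", False, frozenset({"Domain Users"})),
    FileRecord("/share/cafeteria/menu.docx", False, frozenset({"Everyone"})),
    FileRecord("/share/billing/claims_2021.xlsx", True, frozenset({"Authenticated Users"})),
    FileRecord("/share/billing/invoices.xlsx", True, frozenset({"Billing Team"})),
    FileRecord("/share/clinical/patient_notes.docx", True, frozenset({"Clinicians"})),
    FileRecord("/share/clinical/lab_results.csv", True, frozenset({"Clinicians", "Lab"})),
    FileRecord("/share/hr/salaries.xlsx", True, frozenset({"HR"})),
    FileRecord("/share/it/runbook.md", False, frozenset({"IT"})),
    FileRecord("/share/it/network_diagram.vsdx", False, frozenset({"IT"})),
    FileRecord("/share/marketing/logo.png", False, frozenset({"Marketing"})),
]

SAMPLE_ACCOUNTS: List[AccountRecord] = [
    AccountRecord("svc-backup", True),
    AccountRecord("jdoe", False),
    AccountRecord("asmith", True),
    AccountRecord("old-contractor", True, enabled=False),
    AccountRecord("rlee", False),
]


if __name__ == "__main__":
    report = audit(SAMPLE_FILES, SAMPLE_ACCOUNTS)
    print(f"{report['open_to_all_pct']}% of {report['files_total']} files are open to all staff")
    print("sensitive files open to all staff:", report["sensitive_open_to_all"])
    print("enabled accounts with non-expiring passwords:", report["never_expire_accounts"])
```

On the sample data the audit reports 30% of files open to all staff, one sensitive file (the claims spreadsheet) exposed through the "Authenticated Users" group, and two live accounts with non-expiring passwords; the lists it returns are the remediation worklist, which is the point of running such a check rather than just quoting the industry averages.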
Best Practices to Manage Insider Threats
Many of the insider threats faced by the healthcare industry are also problems for other market sectors. A major distinguishing factor impacting healthcare is the critical and sensitive nature of its IT systems and the data they store. In addition to sensitive personal health information (PHI), payment details and financial records are also stored in healthcare databases.
The following best practices will help strengthen security and protect sensitive information resources in the healthcare field:
Implementing the Zero Trust Security Model
The Zero Trust Model was introduced by John Kindervag of Forrester Research in 2010. The model provides an innovative way to approach the security of computer networks and the systems they support. This security model eliminates the assumption that internal network traffic should be trusted, and treats all traffic as potentially dangerous, based on the following observations:
- Insiders cannot be implicitly trusted.
- Data packets can never automatically be trusted. Since there is doubt as to their origin, every packet needs to be seen as potentially harmful.
It is important to note that Zero Trust is a philosophy rather than a technical solution. Zero Trust outlines three core principles to address security weaknesses:
1. All computing resources need to be accessed securely.
2. The concept of least privilege needs to be enforced.
3. Network traffic needs to be monitored and verified in real time to protect the environment.
Focusing on Security Awareness
Hackers try to gain access to systems by compromising the weakest links in the organization's security. These are usually the people who have direct or indirect access to sensitive data. Security awareness involves an understanding of the organization's data resources and how malevolent actors may target unsuspecting employees.
Many employees may not be aware of how to defend themselves against phishing campaigns. Security training can limit, but never eliminate, the dangers of targeted phishing. A single mistake or lapse of judgment can result in serious consequences for a healthcare provider.
End-To-End Data Encryption
Encrypting sensitive data is an accepted technique for protecting it from unauthorized use. Fully encrypting data in transit, in use, and at rest can become complicated, especially when multiple environments are involved. Healthcare organizations need to ensure that all data is encrypted end-to-end whether on-premises or in the cloud.
Classifying data based on its degree of sensitivity will assist in efforts to protect it. Not all data needs the same level of protection. Most organizations need between three and five data classifications and should implement minimum handling requirements for each class.
Monitoring Mobile Device Access
The increased reliance on mobile devices by patients, providers, and workers in the healthcare industry has introduced new security risks. An authorized mobile device in the wrong hands can quickly lead to the loss of sensitive information and a costly data breach. Healthcare organizations need to find the right balance between the functionality of mobile and telehealth solutions and the security and privacy of their sensitive data resources.
Managing the insider threats to the healthcare industry demands a multi-faceted approach that implements strong protective policies and trains employees on the fine points of security awareness. Failure to address these issues leaves healthcare organizations vulnerable to attacks from both internal and external sources.
HIPAA Compliant Hosting by Atlantic.Net™ is SOC 2 and SOC 3 certified, HIPAA and HITECH audited, and designed to secure and protect critical healthcare data, electronic protected health information (ePHI), and records. We are audited by qualified, independent third-party auditing firms to demonstrate our leading security and compliance services. For more information, visit