New HHS guidance takes aim at the healthcare sector's struggles to identify and remediate the risk of insiders. (Photo credit: "Lt. James Kelty monitors a critically-ill COVID-19 patient in the intensive care unit at Javits New York Medical Station, April 13, 2020." by Official U.S. Navy Imagery is marked with CC BY 2.0.)

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) shared a threat brief detailing the risks insiders pose to the healthcare sector, as well as indicators of compromise and preventative measures.

Given the risk Lapsus$ poses to the healthcare sector and its penchant for preying on insiders, the insights can help provider organizations ensure they've employed best practices.

A 2019 Egress report found healthcare has been the hardest hit by insider-related breaches, while Verizon’s annual data breach investigation report has consistently named insiders as the biggest cause of healthcare data breaches, outside of the last two years.

In response to these findings, the HHS Office for Civil Rights previously shared the challenges posed by insiders and the primary concerns, including reputational damage, data loss, civil liability disclosure, and potential regulatory actions. 

The new HC3 guidance details the various types of insider-related threat profiles, all based on individuals who provided access to assets or inside information about the entity and its practices and systems, which could be used to negatively impact the organization.

Negligent insiders are more common than those with malicious intent, with 61% of data breaches caused by accidents. Further, not all insider threats come from inside the organization, as 94% of organizations give third parties access to their systems. 

However, the complexity and existing challenges of the healthcare ecosystem make it difficult for providers to even detect insider-related incidents, with many going undetected for years. HC3 notes the key challenges are caused by failure to properly monitor user activity or behavioral analytics, lack of employee education, and inadequate incident detection tools.

Given that data shows 82% of organizations are unable to determine the actual damage caused by an insider-related attack, HC3 is urging healthcare entities to review existing policies and procedures to properly assess their ability to detect, respond to, and mitigate these types of risks.

The insights include risk factors, how insider threats can escalate, and red flags, such as behavioral, IT sabotage, and data theft indicators. HC3 reminds entities that “deterrence, detection analysis, and post-breach forensics are key areas to insider threat prevention.”

The most critical areas include revising cybersecurity policies, limiting privileged access, setting up role-based access controls, multi-factor authentication, zero-trust models, backups, data loss prevention tools, and managing USB devices across the enterprise. Recent research also shows email warnings following snooping incidents can drastically reduce repeat offenses.

HC3 recommends the incorporation of insider threat awareness into security training and strict password and account management policies, while ensuring contracts contain explicit security policies for any cloud services. The guidance contains full mitigation measures.

The best approach “is to be proactive, stay vigilant, have a plan, and implement recommendations … where needed,” according to the guide. Healthcare leadership, IT, and human resources must work together to combat the risk of insiders through “targeted monitoring and detect malicious insiders in a timely manner, hopefully before they cause damage.”

Further insider threat guidance can be found from OCR and the Cybersecurity and Infrastructure Security Agency.