How to Mitigate the Insider Threat to Healthcare

Rich Bailey

In the year 2020, a virus swept the globe, forcing the world’s population to seek shelter at home. Scientists worked day and night to find a vaccine as the world’s economies start to collapse. Less than two years ago this might have seemed like the start of a Hollywood blockbuster, but sadly, this is the world we now inhabit.

Global healthcare has faced unprecedented challenges, and on top of the daily demands professionals face, the need to double down on cybersecurity efforts and comply with the Health Insurance Portability and Accountability Act (HIPAA) has never been greater. Before the pandemic, the healthcare sector was a prime target for cybercriminals. But the rise of remote work has only increased vulnerability.

An insider threat might be a current or former employee. They might work for a supplier, a third party or they could a visitor at an employee’s home. Protected Health Information (PHI) is a valuable asset, and in the wrong hands, sensitive data can be easily sold to the highest bidder on a dark web hackers forum. What can be done to reduce the threat of an insider perpetrating accidental or deliberate harm during these challenging times?

How Has COVID-19 Changed the Insider Threat?

The past year has created many new challenges. Most originate from organizations requiring remote work during periods of lockdown. In March 2020, healthcare organizations transitioned large numbers of employees to work-from-home status, non-essential treatment was canceled, and many patients were only offered teleconferencing appointments with front-line medical personnel.

This abrupt change may have increased the risk of non-compliance, unauthorized PHI disclosures, fraud, and the increased likelihood of a data breach, simply because so much more data was now leaving the enterprise perimeter. The pandemic has also fast-tracked many healthcare organizations’ cloud migration strategy, which has created several challenges for securing new cloud platforms quickly.

Employee complacency or ignorant insider’s actions could result in a data breach. Some cloud tools that were implemented urgently at the start of the pandemic, such as cloud storage, may have been misconfigured. Cloud storage creates an offsite copy of any data, data that can be shared with ease to anyone with an internet connection. Unfortunately, the majority of the publicly available services are not HIPAA compliant. Instead, they increase the attack surface of the business.

Only outsourcing to a HIPAA-compliant cloud provider can guarantee a quick turnaround to PHI protections. No matter the urgency caused by implementing business continuity planning, covered entities, and business associates still have a duty to uphold the integrity of patient data.

How Can HIPAA Business Associates Mitigate the Insider Threat?

Data exfiltration is a big concern for the healthcare sector, and outsourcing IT services to a HIPAA compliant hosting business associate is an easy win to avoid the insider threat. Business associates work with the healthcare provider to identify in-scope PHI data and the flow of data around the business. Outsourcing to a provider that encrypts data at rest and in transit will limit the exposure if data is compromised.

Coming to grips with your organization’s mobile device strategy and consider denying access to mobile phones, USB sticks, or portable hard disks when plugged into business assets. Only grant access to personnel that must use these devices, such as computer engineers.

Your provider may offer additional managed services that provide a detailed logging analysis, or tools to scan event logs, network logs, and so on. Set up processes that kick in immediately when an employee leaves the business, locking their user account immediately, disabling any VPN connections, and blocking access to HIPAA-compliant applications is a good start. It is also best to be proactive and become familiar with the details of healthcare development applications.

To conclude, there is no doubt that the insider threat is very difficult to manage. However, many steps can be taken to minimize the risk and maintain HIPAA compliance. Security controls should be robust without being intrusive to legitimate end-users, but tight controls are needed on any system that touches PHI. PHI must not be altered or deleted without the appropriate authorization, and technical safeguards can be introduced to substantiate this approach.

Encrypting all PHI is a great start. Securing user access with TLS certificates and an encrypted VPN connection will help, and having a technical solution that blocks users from plugging in personal devices into laptops, servers, and medical devices will protect against data theft. Combining all these solutions with an education program will put your organization on the front foot to combat the insider threat.

About the Author

Rich Bailey is the lead IT consultant and frequent blogger for Atlantic.Net, with 20 years of experience in Linux, Cloud, automation, and infrastructure, as well as code. He is a graduate of the University of Bradford, England.