From social engineering attacks and phishing to malware and hackers, the healthcare industry has a firm target on its back. As we explored in the other three parts of our healthcare breach crisis blog series, attacks can come from almost any vector with the payoff for criminals on the dark web or via ransomware being well-worth the effort.
The fourth and final part of our series looks inward to the 58 percent of healthcare breaches that are initiated by insider threats. Whether through simple human error or behavior that’s intentionally malicious, internal actors are responsible for more threat actions that lead to data breaches within the industry than external users.
In the final installment of our healthcare data breach series, we’re exploring the insider threat to healthcare organizations and outlining how a modern Identity and Access Management (IAM) solution can help mitigate these risks.
Insider Threat: Protect Your Company from Itself
More than half of healthcare breaches can be traced to an organization's employees. These can be due to intentional acts or benign ignorance. However, the most common issue is simple user error, which can be just as damaging to healthcare providers as malicious and targeted data breaches.
Whether it’s due to a lack of cybersecurity awareness and training or carelessness and neglect, organizational data can be compromised with alarming ease. In fact, 78 percent of healthcare employees are classified as risks or novices when it comes to digital security practices.
More than 33 percent of healthcare security incidents involve actions that directly compromise an asset through human error. Examples include misdelivery (e.g. a clinician sending sensitive medical information to the wrong patient), disposal error (e.g. a clinician tossing patient documents in the trash instead of shredding them), and loss of equipment (e.g. misplacing a thumb drive that contains sensitive patient information).
Then there are the insider breaches that are more insidious: nearly 30 percent of employee-related data breaches involve employees who maliciously misuse their access to systems or data for their own benefit. Of that percentage, nearly half of these employees are motivated by financial gain, while about 30 percent use their access to view an unauthorized patient’s record out of simple curiosity.
Looking at how malicious insiders actually operate, nearly 83 percent abuse the privileged access their own accounts already hold to obtain sensitive data; no exploit is needed when the credentials are legitimate. A further 10 percent of malicious activity takes the form of employees using resources for convenience, such as storing sensitive data on an unapproved device. Rounding out malicious activities are employees who obtain information out of a grudge against their employer, at 3 percent.
How an IAM Can Safeguard Against Insider Threats
Although protecting against outside threats is a must, no perimeter or endpoint product can completely protect an organization from a threat that holds its own set of authorized credentials. An important consideration is that employees are human and, regardless of training or best-practice security policies, are prone to errors. This is where a comprehensive IAM solution can help mitigate these risks by ensuring that the right employees have the access needed to do their jobs, and nothing more.
Enforcing Least Privileged Access
Enforcing least privileged access, that is, granting a user only the access needed to do the job, for the minimum time needed, and then removing it, can be a complex and tedious endeavor when organizations manage access manually.
However, modern IAM solutions offer capabilities that help enforce least privilege. For example, with the right solution, organizations can put dynamic role and group management in place that automatically assigns and removes access rights based on a user's role or attributes. When a user changes roles, those access rights are updated and access that is no longer needed is removed, closing the main avenue for entitlement creep.
Just in time (JIT) access can be used to manage one-off or occasional access to systems or applications not required for day-to-day work. With JIT access, users are granted access for a predetermined amount of time on an as-needed basis, after which the access is automatically revoked.
Continuous and ad-hoc certification campaigns are invaluable for organizations wishing to ensure users don't retain unnecessary access. Typically, identity governance is based on periodic "recertification campaigns," in which a company asks the appropriate managers or IT staff to review a comprehensive list of who has access to what and then to "re-certify" each entitlement as needed. However, with numerous entitlements across numerous systems, this time-consuming process invites rubber-stamped approvals. Some IAM solutions streamline the process with time- and event-based recertification, such as triggering a review when a user changes department, allowing reviewers to handle smaller batches of entitlements on an ongoing basis so that the decisions are deliberate and less susceptible to human error.
Modern IAM solutions offer automated identity lifecycle management for all users, which includes automated deprovisioning. For example, if an employee leaves an organization, the user’s access needs to be completely removed on their end date to minimize the risk of data theft. When HR or IT has to manually deprovision access, it’s all too easy to overlook accounts, not do it in a timely manner, or forget to do it altogether.
With the right IAM solution, a user's accounts can not only be immediately disabled in the central IAM, but the appropriate disable, delete, archive, or suspend actions also occur in each target system according to the policy defined for it. Furthermore, deprovisioning functions can be delegated to non-IT personnel, such as managers, who are best equipped to make these decisions.
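The three mechanisms above (role-derived entitlements, time-bound JIT grants, and removal of all access on the HR end date) are easiest to reason about as a single reconciliation: compute what a user should hold right now, compare it with what the target systems actually grant, and emit the grants and revocations that close the gap. The following is an added example written for this post, not code from any IAM product; the role map, system names and the clinician "jdoe" are constructed for illustration.

```python
"""Entitlement reconciliation for least privilege (added example, hypothetical data).

desired_entitlements() derives what a user should hold from role, unexpired
JIT grants and HR end date; reconcile() diffs that against what target
systems currently grant so the same pass handles role changes, JIT expiry
and leaver deprovisioning.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical role model: role -> entitlements, written as "system:privilege".
ROLE_ENTITLEMENTS = {
    "nurse": {"ehr:read", "scheduling:read"},
    "physician": {"ehr:read", "ehr:write", "eprescribe:sign"},
    "billing": {"billing:read", "billing:write"},
}


@dataclass
class JitGrant:
    entitlement: str
    expires_at: datetime  # the grant simply stops counting once this passes


@dataclass
class User:
    uid: str
    role: Optional[str]
    end_date: Optional[datetime] = None  # from HR; nothing is desired from here on
    jit: list[JitGrant] = field(default_factory=list)


def desired_entitlements(user: User, now: datetime) -> set[str]:
    """Access the user should hold at `now`, and nothing more."""
    # Leaver: on or after the end date the answer is empty, regardless of role or JIT.
    if user.end_date is not None and now >= user.end_date:
        return set()
    wanted = set(ROLE_ENTITLEMENTS.get(user.role or "", set()))
    # JIT grants contribute only while unexpired, so revocation needs no separate job.
    wanted |= {g.entitlement for g in user.jit if now < g.expires_at}
    return wanted


def reconcile(user: User, current: set[str], now: datetime) -> tuple[set[str], set[str]]:
    """Return (to_grant, to_revoke) for the target systems.

    `current` is what the systems actually grant today; anything there that is
    not desired is entitlement creep (or an expired JIT grant) and gets revoked.
    """
    desired = desired_entitlements(user, now)
    return desired - current, current - desired


def demo() -> dict:
    """Walk one constructed user through a role change, JIT expiry and offboarding."""
    t0 = datetime(2024, 1, 1, 8, tzinfo=timezone.utc)
    jdoe = User(
        uid="jdoe",
        role="nurse",  # just moved here from billing
        end_date=datetime(2024, 1, 31, tzinfo=timezone.utc),
        jit=[JitGrant("ehr:write", expires_at=t0 + timedelta(hours=2))],
    )
    # What the systems still grant: old billing rights never got cleaned up.
    current = {"billing:read", "billing:write", "ehr:read"}

    grant1, revoke1 = reconcile(jdoe, current, t0)
    current = (current | grant1) - revoke1  # apply the plan

    grant2, revoke2 = reconcile(jdoe, current, t0 + timedelta(hours=2))  # JIT expired
    current = (current | grant2) - revoke2

    grant3, revoke3 = reconcile(jdoe, current, datetime(2024, 2, 1, tzinfo=timezone.utc))
    return {
        "role_change": (grant1, revoke1),
        "jit_expiry": (grant2, revoke2),
        "offboarding": (grant3, revoke3),
    }


if __name__ == "__main__":
    for step, (g, r) in demo().items():
        print(f"{step}: grant={sorted(g)} revoke={sorted(r)}")
```

The point of driving everything from `desired_entitlements()` is that there is only one place where "should this person have this" is decided; a missed offboarding ticket or a forgotten JIT timer cannot leave access behind, because the next reconciliation pass computes the same empty or reduced set and revokes the difference.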
Providing a Complete Audit Trail
IAM solutions provide a comprehensive audit trail that provides complete visibility into who accessed what, when, and for how long. This audit trail can provide important evidence in the event that data is stolen and can even be used to keep a proactive eye on sensitive systems in the event of anticipated layoffs.
As an extra measure, an effective IAM can introduce risk-based authentication (RBA), a form of adaptive authentication that calculates a risk score for any given access attempt in real time, based on a predefined set of rules. Users are then presented with authentication options appropriate to that risk level. RBA requires additional authentication only for login attempts deemed high risk, so that users aren't unnecessarily burdened. This matters in healthcare environments, where clinicians need to access patient records quickly.
RBA can not only look at contextual factors, such as time of day or access device, etc., but also personal characteristics, such as a user’s role and tenure, and behavioral factors that account for users more likely to have risky behavior, such as those who have had prior security incidents or fallen victim to internal phishing tests.
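To make the scoring concrete, here is an added example (written for this post, not taken from any product) of the rule-based scoring just described. The rules combine the three signal types named above: contextual (device, network, time of day), personal (role, tenure) and behavioural (prior incidents, failed phishing tests). The weights, thresholds and role names are hypothetical and would be tuned against an organization's own login history.

```python
"""Risk-based authentication scoring (added example; weights and rules are hypothetical).

Each rule is a named predicate over the login context with a weight. The score
is the capped sum of the weights of the rules that fire; the names of the
fired rules are returned too, so the step-up decision can be written to the
audit trail with its reasons.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class LoginContext:
    user: str
    role: str
    tenure_days: int
    hour: int                    # local hour of the attempt, 0-23
    device_known: bool           # device previously enrolled for this user
    on_network: bool             # request originates from the hospital network
    prior_incidents: int         # earlier security incidents on record
    failed_phishing_tests: int   # internal phishing simulations the user fell for


# (rule name, predicate, weight). Hypothetical values: tune on your own data.
RULES = [
    ("unknown_device",  lambda c: not c.device_known,                 30),
    ("off_network",     lambda c: not c.on_network,                   20),
    ("after_hours",     lambda c: c.hour < 6 or c.hour >= 22,         10),
    ("new_hire",        lambda c: c.tenure_days < 30,                 10),
    ("prior_incident",  lambda c: c.prior_incidents > 0,              15),
    ("phish_failures",  lambda c: c.failed_phishing_tests > 0,        10),
    ("privileged_role", lambda c: c.role in {"dba", "sysadmin"},      20),
]

LOW_MAX = 30      # below this: no extra friction
MEDIUM_MAX = 60   # below this: one-time code; at or above: hardware key + approval


def risk_score(ctx: LoginContext) -> tuple[int, list[str]]:
    """Return (score capped at 100, names of the rules that fired)."""
    fired = [name for name, pred, _ in RULES if pred(ctx)]
    score = sum(weight for name, _, weight in RULES if name in fired)
    return min(score, 100), fired


def auth_requirement(score: int) -> str:
    if score < LOW_MAX:
        return "password"
    if score < MEDIUM_MAX:
        return "password+otp"
    return "password+hardware_key+approval"


def decide(ctx: LoginContext) -> dict:
    """One record per attempt: what was required and why (suitable for the audit log)."""
    score, fired = risk_score(ctx)
    return {"user": ctx.user, "score": score, "reasons": fired,
            "requirement": auth_requirement(score)}


if __name__ == "__main__":
    # Constructed attempts for one clinician, not real log data.
    routine = LoginContext("jdoe", "nurse", 800, 10, True, True, 0, 0)
    odd = LoginContext("jdoe", "nurse", 800, 23, False, False, 0, 1)
    for attempt in (routine, odd):
        print(decide(attempt))
```

Two design choices are worth keeping even when the weights change: the rules are plain named predicates, so a security reviewer can read exactly what raised a score, and `decide()` records the fired rule names alongside the outcome, which is what turns a step-up prompt into evidence the audit trail can use later.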
Wrapping Up the Series
As technology has evolved, so too have cybercriminals. Although organizations have to protect themselves at all times, an attacker only needs to find one crack in the system to wreak havoc. In terms of data security, it's clear that employees are the weakest link, not necessarily because of malicious activity, but more often because of careless users and inadequate training. The good news is that insider risk can be substantially reduced with a dose of prevention and awareness.
This is why a comprehensive cybersecurity program with a comprehensive IAM solution as the foundation is essential to protecting company and patient data. Not only does modern IAM streamline healthcare organizations’ processes, but it also greatly increases overall security, protecting private patient information and organizations alike.