
How do we protect patient data against insider threats?


Insider threats put the healthcare industry's security and confidentiality of patient data at risk. Healthcare organizations often overlook potential dangers within their walls. To better protect patient information, organizations should understand the types of insiders and recent breaches, and adopt effective strategies. A zero-trust security approach and enhanced awareness programs can mitigate risks posed by insiders.

 

What is an insider threat?

An insider threat refers to individuals within a healthcare organization with legitimate access to company resources containing personal health information (PHI). These individuals may be employees, contractors, third-party vendors, or volunteers with authorized access to electronic medical records (EMRs), cloud applications, or documents containing sensitive patient information. The consequences of an insider breach can be severe, including compliance fines, reputational damage, lawsuits, and loss of patient trust.

According to research, healthcare organizations in the US experienced a staggering 60% increase in insider attacks in 2022, with an average of 1,426 attacks per week. Insider breaches often go undetected for longer periods, resulting in greater damage and financial losses compared to external attacks.

Related: Insider threats in healthcare 

 

Types of insider threats

Insider threats can be categorized into two main types: malicious insiders and accidental insiders.

 

Malicious insiders

Malicious insiders are individuals who deliberately seek to harm their organization. Motivations for such threats can include financial gain or personal grudges against the company. A study by Accenture found that almost 20% of healthcare employees would be tempted to steal confidential information for a substantial sum of money. 

 

Accidental insiders

Accidental insiders, on the other hand, pose a risk to data security and compliance due to human error and negligence. These breaches often occur when employees unintentionally share sensitive information with the wrong recipients, improperly handle patient records out of curiosity, or fail to follow good cybersecurity practices.

 

Examples of insider threat incidents

Several high-profile incidents highlight the significant impact of insider threats on healthcare organizations and patient data security. Understanding these examples can provide valuable insights into the nature and consequences of insider breaches.

 

Florida hospital fraudulent claims

In one case, a Florida hospital discovered that two employees had been printing sensitive files containing PHI for approximately two years. These files contained valuable information such as social security numbers, names, and addresses, which the employees used to make fraudulent benefit claims with patients' health insurers. 

 

Bupa data breach

In 2017, an employee at Bupa, a leading healthcare provider, with legitimate access to the company's customer relationship management system, copied the sensitive data of over half a million customers. The employee then attempted to sell this information on the Dark Web, exposing the data to potential misuse. Bupa faced severe repercussions, including a £175,000 fine from the UK's Information Commissioner's Office for failing to safeguard personal data. 

Related: The $16.2 million insider security threat and urgent need for change 

 

Defending against insider threats in healthcare

Protecting patient data from insider threats requires a multi-faceted approach that combines a zero-trust security model and an effective security awareness program.

 

Zero trust for insider threats

Implementing a zero-trust security approach can enhance an organization's ability to defend against insider threats. Zero trust revolves around the principle of "never trust, always verify," requiring continuous authentication of users as they access company resources. Zero trust eliminates the possibility of malicious insiders stealing patient data. It prevents accidental insiders from inadvertently sharing sensitive information, ensuring compliance and data security.

 

Enhancing security awareness

Traditional security awareness training often falls short in combating insider threats. Instead of relying on one-off training sessions that yield low knowledge retention rates, healthcare organizations should adopt more effective approaches. Workflow nudges and prompts can influence employees' security decisions positively. These real-time reminders serve as educational tools, providing guidance and explanations when employees attempt actions that violate security policies. 
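As an added illustration of such a real-time nudge (example code written for this page, not Paubox's product code): an outbound-email check that spots Social Security numbers addressed to external recipients and returns a prompt explaining the policy, blocking only when the message would leave unencrypted. The organisation domain and the SSN-only PHI pattern are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical organisation domain, constructed for this example.
INTERNAL_DOMAIN = "example-hospital.org"

# One simple PHI indicator: a US Social Security Number written NNN-NN-NNNN.
# A real deployment would match many more identifier types.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Nudge:
    block: bool    # True when the send should be stopped outright
    message: str   # explanation shown to the employee at the moment of sending


def external_recipients(recipients: List[str]) -> List[str]:
    """Return the recipients whose mail domain is not the organisation's own."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def check_outbound_email(recipients: List[str], body: str,
                         encrypted: bool) -> Optional[Nudge]:
    """Decide whether an outbound message goes through silently, with a
    prompt, or is blocked. Returns None when no nudge is warranted."""
    ext = external_recipients(recipients)
    ssn_count = len(SSN_RE.findall(body))

    # Internal-only mail or no identifiers: nothing to teach at this moment.
    if not ext or ssn_count == 0:
        return None

    if not encrypted:
        # Unencrypted PHI to an outside address: stop the action and explain.
        return Nudge(True,
                     f"This message contains {ssn_count} Social Security number(s) "
                     f"and is addressed to {', '.join(ext)} outside the organisation. "
                     "Send it encrypted or remove the identifiers first.")

    # Encrypted PHI to an outside address: allow, but ask for confirmation,
    # which catches the 'wrong recipient' mistake before it happens.
    return Nudge(False,
                 f"You are sending {ssn_count} Social Security number(s) to "
                 f"{', '.join(ext)}. Confirm these recipients are authorised "
                 "to receive patient information.")
```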

See also: HIPAA Compliant Email: The Definitive Guide 
