Can Healthcare Shore Up Insider Threats, Transparency Needs in 2021?
The rise in attacks and healthcare security incidents at the end of 2020 makes it imperative to secure against insider threats, particularly as the need for transparency increases in response to COVID-19.
Ransomware is often the prime headline-stealing topic when it comes to cybersecurity and risks to the healthcare sector. But many entities overlook the dominance of insider threats and their prevalence in a majority of these attacks.
Previous data has found the healthcare sector is the worst at stopping insider-related breaches, with a 2019 Verizon report revealing that insider security threats were a bigger concern than hacking.
In fact, insiders have been consistently named the biggest risk to healthcare data each year. The 2020 version of the report was the first in the report's history to find external threats outpacing insiders.
Given the increase in remote work and telehealth in the last year in response to the national crisis, the need for transparency in the sector is paramount. As cybercriminals continue to prey on human nature through social engineering attacks, these concerns should be a key focus for healthcare organizations into 2021.
“External threats are always big and scary, but insider threats are just as insidious, and far more prevalent,” said Justin Petitt, director of cybersecurity with SES Corp. “The challenge is in protecting against passive, or accidental insider threats, such as malware, mistakes, etc., and active internal threats that are realized with intent, at the same time.”
“With more personnel working and connecting remotely, the traditional ‘walls’ have become more porous than ever, and special attention needs to be paid inside,” he added.
Adding to these challenges in healthcare is the need to balance transparency with the confidentiality and integrity of data. To Petitt, the mandate regarding the portability of healthcare records has significantly added to the targeted hacking risks for a number of years.
These risks expanded with the rapid adoption of more remote work amid the COVID-19 pandemic response, as well as the massive need for an increase in the review, collaboration, and examination of medical records, Petitt explained.
Further, the Department of Health and Human Services applied enforcement discretion to a number of data sharing circumstances, including telehealth exceptions, public health entities, temporary COVID-19 care sites, first responders, and the like, which have further compounded the need to balance transparency with the increase in data sharing.
“One of the biggest challenges for the sector is meeting the needs of data not being accessed outside of approved channels and partners, and in authenticating the data sets throughout the entire lifecycle of the data being at rest and in motion,” said Petitt.
“The handoff from the original source must be able to be authenticated at any stage it is being used or referenced – even more relevant with multi-state and traveler data taking the spotlight,” he continued.
As the crisis continues into the coming year, Petitt stressed that provider organizations must continue to review and improve processes across the enterprise and practice these measures across the entire workforce.
Cybersecurity works best with clearly posted guidelines and expectations, presented in a way that makes it easy for employees to engage with the policies, he explained.
Failing to act now puts the security of the entire healthcare sector at risk and increases the threat to patient safety.
“There isn’t yet a catchy, 30 second tune to sing while practicing effective cyber hygiene, but having consistent habits while working through emails and URLs may well be the hand-washing equivalent,” Petitt added.
“The last quarter of CY 2020 has highlighted major organizations dealing with massive breaches and attacks – from school districts to government agencies, small businesses and large alike,” he concluded. “Technology continues to integrate with more and more components of operations, which is typically a powerful, positive force-multiplier. When one mis-click can bring the walls tumbling down, acting to adapt to threats by evolving defensive practices is critical.”
As reports show that insider breach remediation can cost the healthcare and pharmaceutical sectors about $10.81 million annually, entities should review guidance from the Office for Civil Rights and the Healthcare and Public Health Sector Coordinating Council for insights on managing malicious insiders and protecting trade secrets. Europol guidance can also shed light on security policies and tech for spear-phishing, a critical employee vulnerability.