When Being Aware is Simply Not Enough

By Larry Salazar, SailPoint Inc.

Healthcare providers are expressing deep concerns about the security risks associated with insiders, whether due to negligence or malice. But are these organizations doing enough to mitigate risk of breach? HIMSS and SailPoint recently paired up to conduct a study on how healthcare providers view insider threats and what they are doing to address this issue. Responses from 101 health IT professionals revealed multiple insights. What did HIMSS find? Here are a few key takeaways:

  • Hospitals and health systems share widespread concern regarding cybersecurity risks from insiders.
  • Provider organizations generally consider insider threats to be of equal or greater concern than intrusions from external parties.
  • Healthcare professionals are not adequately leveraging technology to secure applications and data stored in files.

Who are the Insiders?
It’s not just your traditional FTEs. Today, provider organizations must look at insiders from the lens of access, rather than employed status. This becomes a bigger challenge particularly in a complex ecosystem where non-employed staff, vendors, partners and even volunteers may have varying levels of access to systems, applications and data stored in files. 

Why Insiders Do What They Do
There are three primary reasons why a leak or breach occurs:

  • Accidental – Unauthorized exposure of sensitive information is often the result of users lacking awareness of processes or best practices.
  • Negligence – There are also users who knowingly disregard established policies out of negligence. Their reasons may vary, but their intent is not malicious.
  • Malicious – These users intentionally expose sensitive data for various reasons, whether for financial gain, espionage or something else.

Level of Concern Leaves Room for Concern
When asked to rate their level of concern around insider threats to data security on a scale of 1 to 10, respondents reported a mean score of 8.2.

More importantly, the study indicates that an overwhelming number of respondents view threats from the inside as equally or more pressing than threats from the outside. (See data chart.) Such sentiment seems reasonable given that a recent and separate study by Verizon [2] revealed that more than half of breach incidents can be attributed to someone with authorized access.

However, the same study also indicated that a number of respondents considered the threat posed from within their organization to be moderate or low, assigning a score of 6 or below (out of 10). While it is uncertain whether the score is due to a lack of awareness or to apathy, the results are concerning because of the potential impact that insiders can have on security and compliance. In fact, while news headlines about hackers and phishing attacks condition us to associate data breaches with outsiders, it is important to remember that a breach is a breach. Regardless of whether it was triggered by someone from the outside or the inside, neglecting one or the other leads to the same result: a compromise of data security.

Another interesting finding around the level of concern with insider threats is the pronounced difference in scoring between business/clinical leaders and IT. While business and clinical leaders are not as close as IT professionals are to the actual process of governing access, they may have greater sensitivity to the topic, since the remediation process for any breach (regardless of whether its source was inside or outside the organization) will have a negative impact on operational workflows.

What Provider Organizations are Doing to Address Insider Threats
As expected, the study found training and awareness to be a common tactic for addressing insider threats. However, it also appears that many organizations are leaving gaps by not deploying critical technology that enables secure governance. For instance, to secure data stored in files, many respondents rely on manual permission assignments. To say this is inefficient is an understatement. Worse yet, the security gaps resulting from manual processes can be significant, because access is provisioned inconsistently. To further exacerbate the issue, the joint study between HIMSS and SailPoint also found that even when certain identity technologies are deployed, they are not being fully utilized. For more details on this study, visit SailPoint’s secure webpage to access the newly published whitepaper entitled “Managing Healthcare Insider Security Threats” [1], which elaborates on these and other key findings.

[1] SailPoint: Managing Healthcare Insider Security Threats
[2] Verizon: 2018 Protected Health Information Data Breach Report