BreachExchange mailing list archives

Internal healthcare security threats: Knowing what to look for


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Sep 2014 19:47:54 -0600

http://healthitsecurity.com/2014/09/17/healthcare-internal-security-threats-knowing-what-to-look-for/

Medical identity theft, fraud and negligence are prevalent causes of
healthcare data breaches these days because of the integration of financial
data with patient records. These incidents aren’t going away any time soon,
so it’s up to organizations to figure out who the insider threats are and
how to reduce those risks.

Regardless of whether it’s a relatively harmless (but careless) employee
that misuses or inappropriately accesses patient data or it’s an insider
with malicious intent, healthcare organizations should have plans in place
to be aware of these internal threats. During last week’s HIMSS Privacy and
Security Forum, a panel of two healthcare Chief Information Security
Officers (CISOs) and an FBI officer talked about how they handle internal
security measures and policies within their organizations.

Bruce Forman, UMass Memorial Health CISO, explained to the audience that he
sees any employee or contractor who has access to a provider’s network as
an insider threat, and that inappropriate use could be either accidental or
purposeful. Anahi Santiago, Director of Information Security and Support
Services at the Einstein Healthcare Network, extended Forman’s insider
definition further and said organizations are extending their networks with
business associates (BAs) in cloud environments, for example, and “their
employee insiders are now our threats as well.”

Insider threat experiences

Healthcare organizations are better equipped to prepare for and defend
against internal attacks or data exposures once they’ve actually
experienced one of these types of incidents. Santiago discussed how, for
instance, one of Einstein’s employees was caught stealing face sheets with
Social Security numbers during her first year on the job. The employee was
using patient Social Security numbers to open up fake credit card accounts,
but wasn’t part of a fraud ring.

“That’s a benign but significant example of what an insider threat could
be, but the examples are vast,” she said. “[These actions] could be scaled
all the way up to people who collude as criminals and steal and sell
information on the black market.”

Forman cited an example of an employee leaving their laptop inside their
laptop bag in the front of their car. Though the laptop wasn’t stolen, the
laptop bag was taken and since the bag held patient face sheets it was a
reportable breach. “The devices that have encryption on them never seem to
get stolen, but the ones that are brought in will almost always go
missing,” he said.

High-level internal concerns

Like most CISOs, Forman is concerned about all insider threats, but the
ones he’s most concerned about are the intentional breaches from the
inside. There’s no easy answer for organizations trying to actively seek
out internal misuse without making innocent employees feel uneasy.

“There are many that are very difficult to identify – how do you prevent an
insider with appropriate access from using the information
inappropriately,” he said. “That’s what we worry about most, because you
can’t identify them proactively. We’re starting to look at log events to
determine whether there is some anomalous activity.”

Santiago added that there’s no silver bullet when it comes to detecting
internal data misuse, but said Einstein regularly reviews access to patient
information to look for anomalies; this includes employees looking at other
employee or family information. “We have data loss prevention (DLP)
software that looks at what’s going out onto the Internet to make sure it’s
appropriate,” she said. “Obviously, education and awareness are huge
components of combatting these insider threats because, as we discussed, a
lot of these incidents are unintentional.”
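The review Santiago describes, periodically checking who accessed which patient record and flagging employees who look up coworkers or relatives, is straightforward to express as a script. The following is an added example written for this archive and is not Einstein's tooling or anything from the article: the audit-log format, the employee roster, the patient directory and the family-linking heuristic (same surname and home address as the accessing employee) are all constructed assumptions, and real record-linkage would need more careful matching.

```python
"""Added example: flag EHR access events where an employee viewed their own
record, another employee's record, or a record that looks like a relative's.
All data below is constructed for the example; the formats are assumptions."""
import csv
import io

# Constructed employee roster: user id, surname, home address, own MRN if the
# employee is also a patient of the organization (blank otherwise).
EMPLOYEES_CSV = """user_id,surname,address,own_mrn
u100,Rivera,12 Oak St,MRN5001
u200,Chen,40 Pine Ave,MRN5002
u300,Okafor,7 Elm Rd,
"""

# Constructed patient directory: MRN, surname, home address.
PATIENTS_CSV = """mrn,surname,address
MRN5001,Rivera,12 Oak St
MRN5002,Chen,40 Pine Ave
MRN5003,Rivera,12 Oak St
MRN5004,Nakamura,91 Birch Ln
MRN5005,Chen,3 Maple Ct
"""

# Constructed access audit log: timestamp, accessing user id, MRN viewed.
ACCESS_LOG = """2014-09-15T09:02:11,u100,MRN5004
2014-09-15T09:10:45,u100,MRN5002
2014-09-15T11:31:02,u100,MRN5003
2014-09-15T12:00:19,u300,MRN5005
2014-09-15T13:44:56,u200,MRN5005
2014-09-15T13:50:00,u100,MRN5001
"""


def load_csv(text):
    """Parse an inline CSV document into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_indexes(employees, patients):
    """Index the roster by user id, the directory by MRN, and collect the MRNs
    that belong to employees so coworker lookups can be spotted."""
    by_user = {e["user_id"]: e for e in employees}
    by_mrn = {p["mrn"]: p for p in patients}
    employee_mrns = {e["own_mrn"] for e in employees if e["own_mrn"]}
    return by_user, by_mrn, employee_mrns


def classify(user_id, mrn, by_user, by_mrn, employee_mrns):
    """Return the anomaly labels for one access event (empty list if none)."""
    user = by_user.get(user_id)
    patient = by_mrn.get(mrn)
    if user is None or patient is None:
        # An accessor or record missing from the reference data is itself
        # worth a look, so surface it rather than silently skipping it.
        return ["unknown-user-or-record"]
    flags = []
    if user["own_mrn"] == mrn:
        flags.append("self-lookup")
    elif mrn in employee_mrns:
        flags.append("coworker-record")
    # Family heuristic (assumption): the viewed record shares both surname and
    # home address with the accessor, and is not the accessor's own record.
    if (patient["surname"] == user["surname"]
            and patient["address"] == user["address"]
            and user["own_mrn"] != mrn):
        flags.append("possible-family-record")
    return flags


def review_access_log(log_text, employees_text, patients_text):
    """Scan every log line and return (timestamp, user_id, mrn, flags) tuples
    for the events that need a human reviewer's attention."""
    by_user, by_mrn, employee_mrns = build_indexes(
        load_csv(employees_text), load_csv(patients_text))
    findings = []
    for line in log_text.strip().splitlines():
        ts, user_id, mrn = line.split(",")
        flags = classify(user_id, mrn, by_user, by_mrn, employee_mrns)
        if flags:
            findings.append((ts, user_id, mrn, tuple(flags)))
    return findings


if __name__ == "__main__":
    for ts, user_id, mrn, flags in review_access_log(
            ACCESS_LOG, EMPLOYEES_CSV, PATIENTS_CSV):
        print(f"{ts} {user_id} viewed {mrn}: {', '.join(flags)}")
```

Run against the constructed data, the script reports three of the six events: u100 viewing u200's own record (coworker-record), u100 viewing a Rivera at the same address (possible-family-record) and u100 viewing their own chart (self-lookup). The u200 view of a different Chen at another address is deliberately not flagged, which shows why the family heuristic requires both surname and address; a surname match alone would drown reviewers in false positives. Each finding is a lead for the access-review process the panel describes, not proof of misuse, since a clinician may legitimately treat a relative or coworker.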

Carmine Nigro, FBI Special Agent, said that a lot of what the FBI looks at
is based on previous investigations. It reviews personal factors, such as
an employee who is disgruntled to the point of wanting to retaliate. Other
factors include a pending layoff or someone who has spoken out against the
company. As for when a healthcare organization should call the FBI, Nigro
cited the Boston Children’s incident as an example of appropriately seeking
assistance.

"We’ll often get a call when an employee has been laid off or terminated
and they’re off on a plane to a foreign country with a lot of intellectual
property. If the hospital believes that an employee has had a lot of issues
before and may leave the country, after talking with legal counsel, they
may want to give us a call."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
