Healthcare firms’ cybersecurity at risk due to negligence

Sheila Zabeu

May 02, 2022

The US Department of Health and Human Services (HHS) Cybersecurity Program recently published a guide on the risks and mitigation tactics for dealing with cyber insider threats in healthcare settings – threats from so-called insiders, people with access to assets or privileged information.

The guide classifies the types of insider threats as careless or negligent employees, malicious agents (insiders), internal actors, disgruntled employees and outsourcers.

The handbook warns that even though most companies invest more resources to combat malicious insiders, it is more common for threats to come from negligent employees. According to the 2020 report on insider threats published by Ponemon, they account for 62 per cent of all incidents, ahead of malicious insiders and credentialed criminals.

A typical negligent employee is one who leaves a laptop holding critical data unattended with the session still open; the device can then be stolen or privileged information copied without authorization. Another example of carelessness is leaving Alexa devices switched on while working from home and taking part in confidential meetings.

Disgruntled employees can also pose a significant cyber threat if they have access to systems. They are considered emotional actors intent on causing damage to the company. According to CERT, an employee is typically disgruntled because of an unmet expectation or an unfortunate event.

Now imagine these insider threats arising from negligence or dissatisfaction in an environment that in recent years has been flooded with the confusion, widespread insecurity and very intense workload brought by the Covid-19 pandemic. From hospitals crowded with patients to pharmaceutical companies developing vaccines, all with overburdened staff, it was only natural that, through carelessness, critical information would be left vulnerable and exposed in unprecedented ways.

The 2021 Healthcare Data Risk Report by Varonis compiled 3 billion files across 58 healthcare organisations and revealed that, on average, each employee had access to more than 11 million files – almost 20% of the organization’s total files. In mid-sized and small companies, employees had unrestricted access to almost one in four files.

The Varonis table below shows the volume of compromised healthcare data in 2021. The average terabyte contains 1.3 million files. By assessing risk per terabyte, we can get a clearer picture of the typical attack surface by organization size and which ones are most vulnerable.

Source: Varonis

Approximately 2% of files contain confidential information, such as patient data, research information and intellectual property. Smaller companies have a staggering amount of exposed data. According to Varonis, newly hired employees at small organisations have instant access to more than 11,000 files, and almost half of them contain confidential data. Larger organisations tend to have more problems with permissions systems.

This exposure of critical information poses a virtually incalculable risk, both in terms of attack surface and non-compliance with data breach laws. Compared to financial services companies, the average healthcare and biotech organization has about 75% less data. However, it has a larger number of files open to any employee.

To mitigate the damage caused by insider threats, the HHS guide recommends that healthcare organisations:

– Promote awareness programs and hold periodic cybersecurity training for all employees.


– Define cybersecurity contracts for any cloud services, especially with access restrictions and monitoring features.

– Make sure that confidential information is available only to those who need to access it.

– Use correlation mechanisms or security information and event management (SIEM) systems to record, monitor and audit employee actions.

– Develop a formal insider threat reduction programme.
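The Varonis figures quoted above (share of files open to any employee, share of sensitive files among them, files a new hire can reach) and the recommendation to restrict confidential data to those who need it both come down to the same permission audit. The following script is an added example, not code from the article, HHS or Varonis; the groups, users, paths and ACL entries are constructed sample data, and "Domain Users" stands in for "any employee".

```python
"""Exposure audit over a constructed file-permission export (added example)."""

# Constructed group membership; "Domain Users" stands in for "any employee".
GROUPS = {
    "Domain Users": {"alice", "bob", "new_hire"},
    "Radiology":    {"alice"},
    "Research":     {"bob"},
}

# Constructed ACL export: (path, contains_sensitive_data, principals with read)
ACL_EXPORT = [
    ("/share/patients/mri/0001.dcm", True,  {"Radiology"}),
    ("/share/patients/export.csv",   True,  {"Domain Users"}),
    ("/share/research/trial_a.xlsx", True,  {"Research"}),
    ("/share/research/notes.txt",    False, {"Research", "Domain Users"}),
    ("/share/public/handbook.pdf",   False, {"Domain Users"}),
    ("/share/hr/salaries.xlsx",      True,  {"bob"}),
]


def readable_by(user, principals):
    """True if the user, or any group they belong to, is granted read."""
    return user in principals or any(user in GROUPS.get(g, ()) for g in principals)


def exposure_report(acl=ACL_EXPORT, everyone="Domain Users"):
    """Compute the exposure metrics the article quotes from Varonis.

    Returns the percentage of files open to every employee, the percentage
    of sensitive files open to every employee, how many files each user can
    reach, and the list of sensitive files that should be locked down.
    """
    total = len(acl)
    open_all = [f for f in acl if everyone in f[2]]
    sensitive = [f for f in acl if f[1]]
    sensitive_open = [f for f in sensitive if everyone in f[2]]
    users = set().union(*GROUPS.values())
    per_user = {u: sum(readable_by(u, f[2]) for f in acl) for u in users}
    return {
        "open_to_everyone_pct": round(100 * len(open_all) / total, 1),
        "sensitive_open_pct": round(100 * len(sensitive_open) / len(sensitive), 1),
        "per_user_reachable": per_user,
        "overexposed_sensitive": [f[0] for f in sensitive_open],
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        print(f"{key}: {value}")
```

The "overexposed_sensitive" list is the remediation queue for the least-privilege recommendation, and "per_user_reachable" for a new account is the "files a new hire can reach" figure.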

The HHS maintains a Health Sector Cybersecurity Coordination Center (HC3) to help protect critical health-related information. The center highlights relevant cybersecurity topics, current threats, major threat actors, best practices and mitigation tactics. It also provides information and situational context for technical and executive groups.