Prompted by an uptick in healthcare data breaches perpetrated by employees and ex-employees, the government is encouraging hospitals and healthcare organizations to better prevent, detect, and remediate insider threats.
As part of its quarterly newsletter, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently outlined best practices on how to safeguard critical data like health information.
To halt data leakage carried out by malicious, unauthorized individuals, HHS stresses that organizations should be able to identify that activity as soon as possible, starting with how an insider behaves with the organization's information systems.
According to the OCR:
- “An organization should understand where its data is located, the format in which it resides, and where its data flows throughout its enterprise. This knowledge is crucial to conducting an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of an organization's critical data. Once these risks are understood, policies and procedures can be developed or updated and security measures implemented to reduce these risks to a reasonable and appropriate level.”
- “An organization should establish who is permitted to interact with its data and what data those users are permitted to access in determining appropriate access controls. Access controls can take many forms. For example, physical access controls as simple as doors that need keys for opening can limit an unauthorized person's ability to enter sensitive facilities or locations; network access controls can limit access to networks or specific devices on a network; role based access controls can limit access to certain devices, applications, administrator accounts, or data stores to only a defined group of users. Organizations should leverage their risk analysis when establishing and implementing access controls.”
- “Another important consideration is how an organization's users will interact with data. Do the duties of the user's job require the capability to write, download or modify data or is read-only access sufficient? Do users need to access data from laptops, smart phones, or mobile storage devices (such as thumb drives)? Such devices are more difficult to safeguard and control, especially if they are "personal" devices owned by the user. An organization should consider limiting unnecessary mobile device use and implementing security controls to prevent copying sensitive data to unauthorized external devices. If users are given access to mobile or storage devices, the organization must implement appropriate security controls to safeguard the data when using such devices.”
The note goes on to highlight the difficulties that cloud computing, mobile devices, and internet of things (IoT) technology introduce when it comes to detecting suspicious behavior, such as visiting forbidden websites or transferring data to USB devices. To combat this, OCR says organizations should periodically review audit logs, access reports, and security incident tracking reports for anomalous activity.
It's also important to have policies in place for when users move, OCR notes, either laterally through an organization or out of it entirely, so that their access to data can be adjusted accordingly. "Organizations should be particularly sensitive to the risk of insider threats in cases of involuntary separation," OCR says in its guidance. "Organizations should have policies and procedures in place to terminate physical and electronic access to data, before any user leaves the organization's employ. Such actions should include disabling all of the user's computer and application accounts (including access to remote and administrative accounts if applicable), changing or disabling facility access codes known to the user, and retrieving organization property including keys, mobile devices, electronic media, and other records, etc."
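The two passages above describe periodic audit-log review and the termination of access at separation. The following is an added example, not part of the OCR newsletter or the article, of a small log review that applies both ideas: it flags events generated by accounts of users who are already on the HR separation list (access that should have been disabled), and it flags activity the guidance names as suspicious, namely writes to USB media and visits to blocked web categories. The log format, field names, user names, hosts and the separation list are all constructed for this example and are assumptions, not any product's real output.

```python
"""
Added example: review a constructed audit log for (1) activity by accounts of
separated users and (2) USB transfers and blocked-category web visits.
Nothing here is from the OCR guidance; the log format is an assumption.
"""
from collections import Counter
from datetime import date, datetime

# Constructed HR separation list: account -> separation date (ISO 8601).
# From the separation date onward, no activity is expected from the account.
SEPARATED_USERS = {
    "jdoe": "2019-09-03",
    "mlee": "2019-08-15",
}

# Web categories the (hypothetical) acceptable-use policy blocks.
BLOCKED_WEB_CATEGORIES = {"file-sharing", "webmail", "proxy-avoidance"}

# Constructed sample log. Assumed format: timestamp|user|host|event|detail
SAMPLE_LOG = """\
2019-09-02T09:14:05|jdoe|ws-101|LOGIN|success
2019-09-04T22:41:10|jdoe|ws-101|LOGIN|success
2019-09-04T22:43:51|jdoe|ws-101|USB_WRITE|file=patient_export.csv size=48MB
2019-09-04T10:02:13|asmith|ws-222|WEB|category=file-sharing url=example-share.test
2019-09-04T10:05:00|asmith|ws-222|EHR_READ|record=MRN-000123
2019-09-05T08:30:00|mlee|vpn-gw|VPN_CONNECT|success
2019-09-05T11:12:44|rkhan|ws-310|EHR_READ|record=MRN-000987
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict; detail stays a raw string."""
    ts, user, host, event, detail = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "host": host,
        "event": event,
        "detail": detail,
    }


def parse_detail(detail):
    """Turn 'k=v k2=v2' detail text into a dict; tokens without '=' are ignored."""
    pairs = (tok.split("=", 1) for tok in detail.split() if "=" in tok)
    return dict(pairs)


def review(log_text, separated=SEPARATED_USERS, blocked=BLOCKED_WEB_CATEGORIES):
    """Return a list of (finding_kind, user, timestamp_iso, event, detail) tuples."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        base = (ev["user"], ev["ts"].isoformat(), ev["event"], ev["detail"])

        # 1. Any activity on or after the separation date means access was not
        #    terminated when the user left.
        sep = separated.get(ev["user"])
        if sep is not None and ev["ts"].date() >= date.fromisoformat(sep):
            findings.append(("SEPARATED_USER_ACTIVE",) + base)

        # 2. Behaviours the guidance singles out: copying to external media and
        #    visiting forbidden web categories.
        if ev["event"] == "USB_WRITE":
            findings.append(("USB_TRANSFER",) + base)
        elif ev["event"] == "WEB":
            category = parse_detail(ev["detail"]).get("category")
            if category in blocked:
                findings.append(("BLOCKED_WEB",) + base)
    return findings


def findings_by_kind(findings):
    """Count findings per kind, handy for a periodic summary report."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(" | ".join(f))
    print(findings_by_kind(review(SAMPLE_LOG)))
```

On the sample data the review reports three events by separated accounts (two from jdoe after 2019-09-03, one VPN connection from mlee), one USB transfer, and one visit to a blocked web category. In practice the separation list would come from the HR system and the log from the organization's own audit sources, and the review would be scheduled rather than run by hand.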
OCR's write-up cites a statistic from Verizon's 2019 Data Breach Investigations Report (DBIR): Trusted insiders were responsible for 59 percent of all security incidents and breaches, both malicious and inadvertent.
The word 'inadvertent' is key here: this year's DBIR suggests that, more often than not, the insiders behind these incidents are careless rather than intentionally malicious. To address insider misuse, the DBIR urged organizations to "routinely assess user privileges" and to "limit the amount of damage an employee acting inappropriately or malicious can do with existing privileges."
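The DBIR's advice to "routinely assess user privileges" is the kind of check that is easy to automate once entitlements are exported. The following is an added example, not from the DBIR or the OCR newsletter, of a privilege assessment that compares what each account actually holds against a baseline defined for its role, in the spirit of the role-based access controls the guidance describes. The roles, permission names and accounts are constructed for the example and are assumptions, not a real system's data.

```python
"""
Added example: report entitlements that exceed each account's role baseline.
Roles, permissions and accounts are constructed sample data.
"""

# Assumed role baselines: the permissions a role legitimately needs.
ROLE_BASELINE = {
    "nurse": {"ehr:read", "ehr:write-notes"},
    "billing": {"ehr:read", "billing:read", "billing:write"},
    "sysadmin": {"server:admin", "backup:restore"},
}

# Permissions that warrant their own line in the report wherever they show up
# outside a role that needs them (constructed list).
HIGH_RISK = {"server:admin", "ehr:export", "backup:restore"}

# Constructed snapshot of current grants, as an IAM or directory export might provide.
ACCOUNTS = {
    "asmith": {"role": "nurse", "grants": {"ehr:read", "ehr:write-notes"}},
    "bjones": {"role": "billing", "grants": {"ehr:read", "billing:read", "billing:write", "ehr:export"}},
    "cwu": {"role": "nurse", "grants": {"ehr:read", "ehr:write-notes", "server:admin"}},
    "dpatel": {"role": "sysadmin", "grants": {"server:admin"}},
    "eroe": {"role": "contractor", "grants": {"ehr:read"}},
}


def excess_privileges(accounts, baseline):
    """Return {user: sorted excess grants} for accounts holding more than their role allows.

    An account whose role has no baseline is treated as having no approved
    grants at all, so everything it holds is reported.
    """
    report = {}
    for user, rec in accounts.items():
        allowed = baseline.get(rec["role"], set())
        extra = rec["grants"] - allowed
        if extra:
            report[user] = sorted(extra)
    return report


def high_risk_excess(report, high_risk=HIGH_RISK):
    """Narrow an excess report to the high-risk permissions, for prioritised follow-up."""
    return {
        user: [g for g in grants if g in high_risk]
        for user, grants in report.items()
        if any(g in high_risk for g in grants)
    }


if __name__ == "__main__":
    full = excess_privileges(ACCOUNTS, ROLE_BASELINE)
    for user, grants in full.items():
        print(f"{user}: excess {', '.join(grants)}")
    print("high-risk:", high_risk_excess(full))
```

On the sample data, bjones holds an export permission outside the billing baseline, cwu (a nurse) holds server administration, and eroe's role has no defined baseline, so the single grant is reported for review. dpatel holds less than the sysadmin baseline and is not reported; a missing permission is a usability matter, not an excess-privilege one. Running a check like this on a schedule, and again whenever a user changes role, is one concrete way to act on the DBIR's recommendation.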
While the OCR's newsletter is merely advice for healthcare organizations, it does outline common-sense measures that can be taken to minimize the risks around insider threats. Much of the OCR's guidance is based on recommendations published in the Health Insurance Portability and Accountability Act, or HIPAA, namely the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318).
The OCR's guidance coincides with the nation's first-ever Insider Threat Awareness Month, an effort the Department of Defense, alongside the National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF), kicked off at the beginning of September to spread awareness of the threats insiders can pose to both governments and companies.