What is an Insider Threat?
You may be familiar with the cases in the news about insider threats: employees who stole company secrets, patient information that was leaked, companies that were hacked, or individuals who put security at risk.
You, me, coworkers, and friends are all potential insider threats. Insider threats can be those who maliciously place information and assets at risk or those who, through negligent behavior, leave information vulnerable for others to exploit. Your practice, like other healthcare institutions, is a high-priority target for hostile intelligence agents seeking access to your patient information.
In the realm of healthcare, the stakes are even higher. Sensitive patient data is a lucrative target for cybercriminals and malicious insiders alike. Protecting this data is not just a regulatory requirement but a moral obligation to ensure the privacy and safety of your patients. In this blog, we will delve into understanding insider threats, identifying potential risks, and implementing effective strategies to safeguard your practice from internal vulnerabilities.
There are 3 types of Insider Threats
Malicious Person
- Who: An individual with access to your practice information or assets who intentionally sets out to exploit your critical assets and is motivated by the desire for revenge, emotional thrill, ideological beliefs, personal or financial gain, or other conflicting loyalties.
- Motivations: Any deliberate actions taken with bad intentions. The person may act for personal financial gain, professional growth, the benefit of a competitor, sabotage, or revenge (a disgruntled employee). Examples include:
  - Attempting to access areas and information to which access is not granted.
  - Posting negative, false, or damaging information to social media.
  - Purposefully and repeatedly violating your practice’s security policies.
Negligent Person
- Who: An individual with access to your practice information who exposes data by accident, with no intention of doing so, or who thoughtlessly violates security policies for convenience’s sake alone.
- Motivations: Actions taken that inadvertently violate policy, create an elevated insider threat risk, or make information vulnerable. Examples include:
  - Not following access control procedures.
  - Incorrectly classifying communications and documents.
  - Posting sensitive images and content on social media.
  - Violating acceptable use and sending practice information to personal email accounts.
  - Opening suspicious emails or falling victim to fraudulent phone calls.
  - Discussing sensitive information outside of secure spaces.
Compromised Insider
- Definition: Individuals who have unwittingly been compromised by external attackers. This often occurs through social engineering, phishing, or malware, where attackers gain access to the insider’s credentials and use them to infiltrate the organization.
- Impact: Compromised insiders may unknowingly provide a gateway for cybercriminals, making it difficult to detect the source of the breach until significant damage has occurred.
External Threats
- Who: Hostile threats are those who intend to gain access to your practice’s critical assets and compromise your employees or your networks, infrastructure, products, and information through theft, mishandling, or sabotage. Remember that an external threat may be a competitor or an agent from a hostile service who recruits your employee with trusted access to become an insider threat.
Threat Cross Over
Internal and external threats cross over when external threats take advantage of negligent behavior or poor security practices to gain unauthorized access, or when they recruit those with access to become insider threats. Hostile agents (external threats) are cunning and subtle in how they approach insiders and develop a relationship of trust. They are highly skilled at eliciting sensitive company information by exploiting trusted insiders.
Hostile external threats may target trusted insiders at or through:
- Conferences and trade shows
- Social events
- Chat rooms
- Social media
- Business contacts
The damage caused includes:
- Loss of advantage
- Impact to integrity
- Economic loss
- Impact to patients
- Damage to reputation
Exploitable Behaviors
- Signs someone is attempting to collect information
  - Unauthorized downloads, copying of files, or emailing company information to personal accounts.
  - Attempting to access areas for which they are not authorized (physical or digital).
  - Asking for information beyond the scope of their job.
- Signs someone has been recruited
  - Unexplained wealth or gifts from strangers.
  - Unexplained frequent contact with competitors.
- Exploitable weaknesses
  - External threats may take advantage of negligent security practices or an individual’s behaviors that can be used for extortion or coercion.
Indicators of insider threats
All employees should remain alert to the behaviors listed below, which identify those who may be vulnerable to becoming the next insider threat.
- Appears dissatisfied with job, co-workers, or practice.
- Appears stressed about the job or personal issues (such as financial difficulty or changes in a personal relationship).
- Takes proprietary and sensitive material from the workplace.
- Requests information about clients they do not support or information that is outside the scope of their job.
- Displays unusual measures to conceal workplace activity.
- Shows changes in behavior with no explanation.
- Engages in behavior that makes them susceptible to extortion (illegal drug use, abuse of prescription drugs or alcohol, problems with the law, gambling addiction, etc.).
What Can You Do to Counter?
Deploy a layered security strategy
- Key Assets and Information Protected: The loss of key assets and information could result in damage to your practice brand, loss of an advantage, and potential loss of clients. You should diligently work to:
  - identify assets or information that, if lost, would pose grave consequences to the company or client interests,
  - identify assets or information that are priority targets for sabotage or theft, and
  - identify where critical assets and knowledge of the critical assets exist.
- Counterintelligence/Threat Analysis: The compromised insider can have an adverse impact on your practice’s security and industry. Counterintelligence techniques are deployed to reduce the risk of loss or compromise to critical assets. Your insider threat program should use counterintelligence measures to:
  - monitor all security-related incidents to identify patterns and trends,
  - develop and enforce policy,
  - develop security training, and
  - conduct security analysis using best practices.
- Security Culture: All employees are security warriors and are equally responsible for the protection of information and assets. We all have access to information systems and sensitive information, and we make decisions every day that impact the integrity and security of your practice’s critical assets. Employees should act with a security mindset in all they do, in order to:
  - consider the protection of sensitive information in all aspects of business planning,
  - adopt and positively reinforce security policies,
  - remain vigilant to insider threat behaviors,
  - be observant and recognize people who approach and ask for information that they do not have the need to know, and
  - proactively report suspicious behavior.