BreachExchange mailing list archives
Internal healthcare security threats: Knowing what to look for
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Sep 2014 19:47:54 -0600
http://healthitsecurity.com/2014/09/17/healthcare-internal-security-threats-knowing-what-to-look-for/

Medical identity theft, fraud and negligence are prevalent healthcare data breaches these days because of the integration of financial data, and these incidents aren’t going away any time soon, so it’s up to organizations to figure out who the insider threats are and how to reduce those risks. Regardless of whether it’s a relatively harmless (but careless) employee who misuses or inappropriately accesses patient data or an insider with malicious intent, healthcare organizations should have plans in place to be aware of these internal threats.

During last week’s HIMSS Privacy and Security Forum, a panel of two healthcare Chief Information Security Officers (CISOs) and an FBI agent talked about how they handle internal security measures and policies within their organizations. Bruce Forman, UMass Memorial Health CISO, explained to the audience that he sees any employee or contractor who has access to a provider’s network as an insider threat, and that inappropriate use could be either accidental or purposeful. Anahi Santiago, Director of Information Security and Support Services at the Einstein Healthcare Network, extended Forman’s definition of an insider: organizations are extending their networks with business associates (BAs) in cloud environments, for example, and “their employee insiders are now our threats as well.”

Insider threat experiences

Healthcare organizations are better equipped to prepare for and defend against internal attacks or data exposures once they’ve actually experienced one of these types of incidents. Santiago discussed how, for instance, one of Einstein’s employees was caught stealing face sheets with Social Security numbers during her first year on the job. The employee was using patient Social Security numbers to open fake credit card accounts, but wasn’t part of a fraud ring.

“That’s a benign but significant example of what an insider threat could be, but the examples are vast,” she said. “[These actions] could be scaled all the way up to people who collude as criminals and steal and sell information on the black market.”

Forman cited an example of an employee leaving their laptop inside their laptop bag in the front of their car. Though the laptop wasn’t stolen, the laptop bag was taken, and since the bag held patient face sheets it was a reportable breach. “The devices that have encryption on them never seem to get stolen, but the ones that are brought in will almost always go missing,” he said.

High-level internal concerns

Like most CISOs, Forman is concerned about all insider threats, but the ones he’s most concerned about are the intentional breaches from the inside. There’s no easy answer for organizations trying to actively seek out internal misuse without potentially making innocent employees feel uneasy. “There are many that are very difficult to identify – how do you prevent an insider with appropriate access from using the information inappropriately,” he said. “That’s what we worry about most, because you can’t identify them proactively. We’re starting to look at log events to determine whether there is some anomalous activity.”

Santiago added that there’s no silver bullet when it comes to detecting internal data misuse, but said Einstein regularly reviews access to patient information to look for anomalies; this includes employees looking at other employees’ or family members’ information. “We have data loss prevention (DLP) software that looks at what’s going out onto the Internet to make sure it’s appropriate,” she said. “Obviously, education and awareness are huge components of combatting these insider threats because, as we discussed, a lot of these incidents are unintentional.”

Carmine Nigro, FBI Special Agent, said that a lot of what the FBI looks at is based on previous investigations. It reviews some of the personal factors, such as an employee who’s so disgruntled that they want to retaliate. Other factors include a pending layoff or someone who’s spoken out against the company. As for when a healthcare organization should call the FBI, Nigro cited the Boston Children’s incident as an example of appropriately looking for assistance. “We’ll often get a call when an employee has been laid off or terminated and they’re off on a plane to a foreign country with a lot of intellectual property. If the hospital believes that an employee has had a lot of issues before and may leave the country, after talking with legal counsel, they may want to give us a call.”
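The access review that Forman and Santiago describe (looking at log events for anomalous activity, including staff opening coworkers' or family members' records) reduced to a runnable screen over audit-log lines. This is an added example, not code from the article, from UMass Memorial or from Einstein; the employee directory, patient registry, log lines, rule names and the bulk-access threshold are all constructed assumptions for illustration.

```python
"""
Added example, not from the article: a small screen over EHR access-audit
log lines that flags the kinds of anomalous access the panel describes:
staff opening their own chart, a coworker's chart, or a chart matching
their own family surname and home address, plus an unusually large
number of chart opens by one user in a day. All ids, names and log
lines below are constructed for the example.
"""
import csv
import io
from collections import Counter

# Constructed HR directory: employee id -> (surname, home address).
EMPLOYEES = {
    "e100": ("Garcia", "12 Elm St"),
    "e200": ("Okafor", "9 Pine Ave"),
    "e300": ("Lee", "44 Oak Rd"),
}

# Constructed patient registry: patient id -> (surname, home address,
# employee id if this patient is also a staff member, else None).
PATIENTS = {
    "p1": ("Garcia", "12 Elm St", None),     # same household as e100
    "p2": ("Okafor", "9 Pine Ave", "e200"),  # e200's own chart
    "p3": ("Lee", "44 Oak Rd", "e300"),      # e300's own chart
    "p4": ("Smith", "1 Main St", None),
}

# Constructed audit log, CSV columns: timestamp,user,patient,action.
# The generated tail gives e300 a burst of 25 chart opens on one day;
# those patient ids are deliberately absent from PATIENTS so they are
# counted for volume only.
AUDIT_LOG = "\n".join(
    [
        "2014-09-15T08:01:00,e100,p4,view",
        "2014-09-15T08:05:00,e100,p1,view",  # family surname + address
        "2014-09-15T09:10:00,e200,p2,view",  # own chart
        "2014-09-15T09:12:00,e200,p3,view",  # coworker's chart
        "2014-09-16T10:00:00,e300,p4,view",
    ]
    + [
        f"2014-09-17T{8 + i // 10:02d}:{(i % 10) * 5:02d}:00,e300,p{100 + i},view"
        for i in range(25)
    ]
)


def screen_access_log(log_text, employees, patients, bulk_threshold=20):
    """Return a sorted list of (rule, user, detail) findings.

    Identity rules need both the user and the patient to be known; every
    'view' row is counted toward the per-user, per-day volume rule.
    bulk_threshold is an assumed baseline, not a value from the article.
    """
    findings = []
    opens_per_user_day = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # blank or malformed line
        ts, user, patient, action = row
        if action != "view":
            continue
        opens_per_user_day[(user, ts[:10])] += 1  # ts[:10] is the date
        emp = employees.get(user)
        pat = patients.get(patient)
        if emp is None or pat is None:
            continue
        surname, address = emp
        p_surname, p_address, p_staff_id = pat
        if p_staff_id == user:
            findings.append(("self_access", user, patient))
        elif p_staff_id is not None:
            findings.append(("coworker_access", user, patient))
        elif (p_surname, p_address) == (surname, address):
            findings.append(("family_match", user, patient))
    for (user, day), n in opens_per_user_day.items():
        if n > bulk_threshold:
            findings.append(("bulk_access", user, f"{day}:{n}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, user, detail in screen_access_log(AUDIT_LOG, EMPLOYEES, PATIENTS):
        print(f"{rule:16s} user={user} {detail}")
```

Each finding is a lead for a human reviewer rather than a verdict: a nurse may legitimately open a relative's chart as part of a care team, and a records clerk may legitimately open dozens of charts a day, which is why the rules return labelled findings and a tunable threshold instead of blocking anything.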
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/