Friday, February 26, 2016

Week 11: Insider Threat in the Healthcare Delivery System


What is a “Good” Healthcare system?

“A good health system delivers quality services to all people, when and where they need them” (Consortium of Universities for Global Health), at an affordable cost and with proactive, best-practice security controls protecting e-PHI (electronic protected health information).



An insider threat, or malicious insider, is “a current or former employee, contractor, or business partner who: has or had authorized access to an organization’s network, system, or data, and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J., CERT). In the healthcare delivery system, these incidents occur when a healthcare provider's employee intentionally and maliciously exfiltrates data, or unintentionally violates e-PHI use policies, systems, and networks, thereby compromising the confidentiality, integrity, and availability of that e-PHI. The insiders who use a healthcare delivery system's network resources and information are both its best defense and its foe. “The costs associated with losing, misusing, or abusing this information make insider threats one of the most dangerous (and most common) risks facing” healthcare organizations today (palantir.com).

How do you defend, prevent, or protect e-PHI from insider threats? It starts with an exact and complete knowledge of what data and resources the healthcare organization holds, who has access to what, and how those assets are used, stored, and moved around the healthcare provider's network. According to Sleeth, J., Bach, P., & Summers, A., “health systems resources are the means that are available to a healthcare system for delivering services to the population. And to be effective and efficient, health system resources must be sufficient, appropriately utilized, managed,” and secured. There are four categories of healthcare system resources: physical capital, consumables, human resources, and e-PHI. In this blog, we are concerned mainly with e-PHI resources.

With the rapid growth of malware and other cyber threats, you would expect insider threats to be one of the least common causes of data breaches. Yet Gartner reported that 70% of unauthorized access to data is committed by an organization’s own staff (Beaver, K., searchsecurity.techtarget.com). Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J., in their research findings, observed three patterns and trends by type of malicious activity: insider IT sabotage, theft or modification of information for financial gain, and theft of information for business advantage (CERT). The same study proffered 16 best practices to mitigate (detect, defend against, or prevent) these insider threats. It is appropriate to ask at this point: what are the most common insider threats faced by healthcare providers, and how can they be prevented? In this post I shall consider a number of the insider threats that are prevalent in the healthcare delivery system:

1. IT sabotage: the use of IT by a healthcare employee to cause specific harm at the healthcare facility. Porter, G. reported that a security guard at a Texas-based hospital used malware on a dozen hospital computer systems and nurses’ workstations to access e-PHI. The insider also installed the remote access program LogMeIn on the hospital’s Windows-controlled HVAC system. Although this insider sabotage was prevented, the case shows the need for proper background, credit, security, and car insurance checks prior to hiring. Continuous monitoring of employee behavior, as allowed by federal, state, and local laws and HIPAA regulations, is imperative.

2. Theft or modification of e-PHI for financial gain: an intern at a Florida-based health care system used a mobile device to take pictures of computer screens containing over 14,000 e-PHI records (names, dates of birth, SSNs, and more) with the intention of engaging in criminal activity. Preventive measures include considering threats from insiders and business associates, monitoring and responding to suspicious or disruptive behavior, enforcing separation of duties, and logging, monitoring, and auditing employee online activities.

3. Sending out medical information via e-mail, instant messaging, and mobile devices. Patient health records, refill reminders, and personal and financial information are sensitive e-PHI that are prone to insider threat. This threat can be reduced by the network administrator setting up policies and using a network analyzer: filtering on keywords and specific attachment types with client- or server-based content filtering would catch, or even block, sensitive e-PHI before it leaves the network. Easier-to-manage perimeter-based or outsourced messaging security solutions, for example behavior-blocking systems (BBS) that provide content filtering and blocking, could also be deployed. The drawback of all these preventive measures is that they function less effectively when the message is encrypted. In addition, a good firewall configuration determines not only what is allowed into the network but also what is let out (Beaver, K., searchsecurity.techtarget.com).
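The outbound content filter described above, as an added example (not code from the original post or from any vendor product): it scans messages for e-PHI identifier patterns, keywords, and watched attachment types, blocks e-PHI bound for external recipients, and shows the stated drawback by routing encrypted bodies it cannot inspect to human review. The internal domain, attachment list, and sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
# Patterns for e-PHI identifiers that should not leave the network in the clear.
# The internal domain and the sample traffic below are constructed for this example.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}
PHI_KEYWORDS = ("diagnosis", "prescription", "patient record", "refill")
WATCHED_ATTACHMENTS = (".xls", ".xlsx", ".csv", ".mdb")
INTERNAL_DOMAIN = "@hospital.example"

@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    body: str
    attachments: tuple = ()
    encrypted: bool = False   # body is opaque to the filter when True

def inspect_message(msg):
    """Return (verdict, reasons); verdict is 'allow', 'block' or 'review'."""
    # An encrypted body cannot be content-inspected: hand it to a reviewer
    # rather than silently allowing it (the drawback noted in the text).
    if msg.encrypted:
        return "review", ["encrypted body: content filter cannot inspect"]
    reasons = []
    for name, pattern in PHI_PATTERNS.items():
        hits = len(pattern.findall(msg.body))
        if hits:
            reasons.append(f"{name}: {hits} match(es)")
    reasons += [f"keyword: {kw}" for kw in PHI_KEYWORDS if kw in msg.body.lower()]
    reasons += [f"attachment: {a}" for a in msg.attachments
                if a.lower().endswith(WATCHED_ATTACHMENTS)]
    if not reasons:
        return "allow", []
    # Internal recipients may legitimately receive e-PHI; external ones are blocked.
    internal = msg.recipient.lower().endswith(INTERNAL_DOMAIN)
    return ("review" if internal else "block"), reasons

# Constructed sample traffic (not real messages or patients).
SAMPLE_MESSAGES = [
    OutboundMessage("intern@hospital.example", "buyer@mail.example",
                    "John Q. Sample, SSN 123-45-6789, DOB 02/14/1975"),
    OutboundMessage("pharmacy@hospital.example", "nurse@hospital.example",
                    "Refill reminder batch attached", ("refills_week8.csv",)),
    OutboundMessage("dr_x@hospital.example", "peer@clinic.example",
                    "-----BEGIN PGP MESSAGE-----...", encrypted=True),
    OutboundMessage("staff@hospital.example", "friend@mail.example", "Lunch at noon?"),
]
```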

4. Exploiting e-PHI via remote access software. Insiders exploit e-PHI through the use of offsite access software such as Terminal Services (TS), GoToMyPC, and Citrix, and there is less likelihood that such theft of sensitive e-PHI would be caught. The worst scenario is a remote access computer that is left unattended, lost, or stolen. An effective protective policy recognizes that “solid share and file permissions are critical, as is OS and application logging. Tighter security controls can also be achieved with many remote access solutions, on certain features and systems access, by monitoring employee usage and behavior in real-time and generating usage logs” (Beaver, K., searchsecurity.techtarget.com). A system or network configuration that determines which features and audit trails are enabled provides better management, reporting, and security controls. Some insider abuses take place after business hours, hence the need to control and monitor remote users' access to the network. Against guessed logins, a strong, hard-to-crack password or passphrase should be required, and hard drive and network encryption should be considered, especially in the event of losing these systems or devices. The other consideration is when a healthcare employee is no longer in service: the security control is to deactivate the employee's account.
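The logging and auditing controls from items 2 and 4, as an added example (not code from the original post): it audits constructed remote-access gateway log lines for after-hours logins, logins by accounts that should have been deactivated after the employee left, and successes that follow a run of failed (guessed) logins. The key=value log layout, the HR separation feed, and the 07:00 to 19:00 business-hours window are assumptions of the example.

```python
from collections import Counter
from datetime import datetime, time

# Constructed remote-access gateway log (not real data); the key=value layout,
# the HR separation feed and the business-hours window are assumptions.
SAMPLE_LOG = """\
2016-02-22T02:31:40 user=rn_jones action=login result=success src=203.0.113.45
2016-02-22T08:14:05 user=rn_jones action=login result=success src=198.51.100.7
2016-02-22T09:02:11 user=jsmith action=login result=success src=203.0.113.9
2016-02-22T12:00:00 user=dr_patel action=login result=success src=198.51.100.8
2016-02-22T23:55:01 user=intern_lee action=login result=failure src=192.0.2.77
2016-02-22T23:55:30 user=intern_lee action=login result=failure src=192.0.2.77
2016-02-22T23:56:02 user=intern_lee action=login result=failure src=192.0.2.77
2016-02-22T23:56:40 user=intern_lee action=login result=success src=192.0.2.77
"""
SEPARATED = {"jsmith": datetime(2016, 2, 15)}   # accounts HR reports as having left
BUSINESS_HOURS = (time(7, 0), time(19, 0))
FAILURE_THRESHOLD = 3                            # failures before a success is suspicious

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return record

def audit(log_text):
    """Return (user, finding) tuples for successful logins that violate policy."""
    findings = []
    failures = Counter()
    for record in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        user, ts = record["user"], record["ts"]
        if record["result"] != "success":
            failures[user] += 1          # remember guessed-login attempts per account
            continue
        if user in SEPARATED and ts >= SEPARATED[user]:
            findings.append((user, "login by an account that should be deactivated"))
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append((user, f"after-hours login at {ts.time()}"))
        if failures[user] >= FAILURE_THRESHOLD:
            findings.append((user, f"success after {failures[user]} failed attempts"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_LOG):
        print(f"{user}: {finding}")
```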

5. Insecure wireless network usage: this may be considered one of the most common unintentional insider threats. With the growing availability of free, unsecured Wi-Fi, Bluetooth on smartphones and PDAs, and WLANs in healthcare facilities, public libraries, airports, shopping malls, and hotels, critical e-PHI is put at risk of compromise. Control of the airwaves outside a healthcare delivery system's premises is beyond the network administrator's responsibility; however, secure hot spots can be enabled for Wi-Fi users as a matter of policy. For instance, “a VPN may be used for remote network connectivity, firewalls for PCs connecting to healthcare provider WLAN, and SSL/TLS for all IM (Webmail via HTTPS, POP3s, IMAPs and SMTPs)” (Beaver, K., searchsecurity.techtarget.com). In addition, for enhanced security of e-PHI, there is a need to employ appropriate technical controls, for example encryption and authentication (better with WPA or WPA2) and logging. Another technical control is the use of directional antennas and reduced power levels on the access points to ensure that wireless signals are kept within the building premises.

6. Cloud computing and insider threat in the healthcare delivery system. Cloud computing, with its mass of systems and complexity of processes, can offer the insider much cover for criminal activity. The big data stores housing e-PHI present ample potential for theft of information for business advantage. Network administrators can mitigate insider fraud by deploying a robust, layered threat management program.

In conclusion, insiders are the most valuable defense for sensitive e-PHI; at the same time, they are the most serious threat to it. In personnel security management, best practice is to merge technology with business processes to reach a safe playing ground. This will, for some time to come, remain a continuum.



References

Sleeth, J., Bach, P., & Summers, A. Health Systems Resources and Resource Constraints.

Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J. (2009). Common Sense Guide to Prevention and Detection of Insider Threats (3rd ed., v3.1). CERT, Carnegie Mellon University. Retrieved 2016-02-24 from https://cyberactive.bellevue.edu/bbcswebdav/pid-7726596-dt-content-rid-10880935_2/courses/CIS608-T302_2163_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Boston: Cengage Learning.

Insider Threat (2016). Retrieved 2016-02-26 from https://www.palantir.com/solutions/insider-threat/

Beaver, K. (2016). Five Common Insider Threats and How to Mitigate Them. (SIEM:

Porter, G. (2013-09-27). The Insider Threat: A Brief Overview. Retrieved 2016-02-26
