By Nadia ElKaissi and Emma Nehring
Picture this: It is 2035, and another pandemic has struck the health care community, impacting hospitals nationwide. As facilities are managing the surge in patients and strained resources, the health care team is also engaged in a battle to protect patients and employees, all while attempting to maintain a robust cybersecurity program. Unfortunately, while some of the hospitals were focusing on the seamless functionality of critical medical systems, their infrastructures were neglected, and critical security updates were delayed.
One day, a few individuals decided to test the hospitals’ security and launched a significant security breach. Through the attack, the individuals were able to infiltrate several of the hospitals’ networks, gaining unauthorized access to patient records, confidential information and critical medical systems. Soon after the breach occurred, one of the first questions the health care professionals asked was whether this was an insider or an outsider threat. Throughout this article we will discuss the differences between insider and outsider threats, how they occur and their warning signs.
In the ever-evolving world of cybersecurity, health care organizations constantly face the struggle to protect their sensitive information from threats that come from outside and from within. The majority of these threats can be categorized into two groups: outsider threats and insider threats. The difference is fairly easy to decipher: an outsider threat comes from an external source, while an insider threat emanates from within the organization. Understanding both kinds of threat will help in developing a strong and comprehensive cybersecurity strategy.
When the words “security breach” are used, they are typically associated with a situation where unauthorized access has occurred, potentially leading to the compromise of sensitive information. The statement often triggers thoughts of an external source infiltrating an organization, or in other words, an outsider threat. The motive for the attack could be financial gain or theft of confidential medical information, and the attacker often targets a hospital’s network vulnerabilities to achieve those objectives. In order to mitigate outsider threats, there are several common warning signs that a good cybersecurity program should be designed to detect: unusual network activity, malware infections, unusual data access, security software alerts and unusual system behavior. As a proactive step, hospitals and health care organizations need a strong cybersecurity program that incorporates a robust monitoring solution. There should be strict access controls in place, regular network monitoring, enforcement of anti-virus software, multi-factor authentication (MFA) where possible and encryption methods to protect sensitive data. Developing a proactive cybersecurity program increases the defense against outsider threats in a hospital setting.
Now, let us move on to insider threats. An insider threat is a threat posed by someone who already has access to personnel, facilities, information, data, equipment, networks and/or systems. While some insider threats do involve malicious intent, one study found that 61% of insider threats occur unintentionally [Managing Risk of Insider Threats in Healthcare Cybersecurity (healthitsecurity.com)]. Think of all the sensitive information accessible to various individuals in a medical center – it’s a lot! Unintentional threats can take different forms, such as falling victim to phishing attacks or unintentionally exposing confidential information. Below are some scenarios in which an insider threat could arise unknowingly at a company or hospital.
- During a busy shift, an employee leaves a computer unattended without logging out. Patient charts are left unsecured on the desk while the employee is attending to a patient. In doing so, patient information is left visible and vulnerable.
- During a project implementation, an unauthorized individual needs access to physical and virtual environments that require an authorized health care professional to monitor the use. During this period, the health care professional is pulled away to complete another task, leaving the unauthorized individual alone with sensitive information.
- During a new patient appointment, a health care professional was given a CD or a USB drive containing patient medical records. The health care professional inserted the CD/USB into their laptop without having it scanned by appropriate personnel, and malware was unknowingly transferred to the laptop.
- During a business trip, a health care professional used guest Wi-Fi to view patient information and sensitive data. While the professional was on the guest Wi-Fi, a cyberattack occurred and unauthorized individuals gained access to that data.
- A health care professional received an email from an unknown sender, opened it and, in doing so, became a victim of phishing.
- A health care professional refused to upgrade a system or allow the computer to update as needed. As a result, the device was left unsupported, unpatched and vulnerable.
While these examples are not the only ways an outsider or insider threat could occur at your facility or company, it is important to recognize and mitigate all such risks. With both outsider and insider threats, it is important to note and understand the warning signs and how they may affect the hospital if left unevaluated [Insider Threat Mitigation Guide_Final_508.pdf (cisa.gov)]. Sensitive information is only sensitive if you treat it that way.
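The warning sign of “unusual data access” mentioned above applies to both outsider intrusions and the insider scenarios listed: whether an attacker is using a stolen account or an employee is browsing charts they have no reason to open, the hospital’s EHR audit log is where it shows up. The following is an added illustration, not code from the authors, of two simple checks a monitoring program could run over such a log: record views outside normal shift hours, and a user opening more distinct patient charts in an hour than an assumed baseline. The log lines, the shift window and the baseline of 8 charts per hour are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log (not from any real system), one record view per line:
# "<ISO timestamp> <user> <patient_id>"
AUDIT_LOG = """\
2035-03-02T09:05:00 nurse_a P1001
2035-03-02T09:20:00 nurse_a P1002
2035-03-02T09:45:00 nurse_a P1003
2035-03-02T10:02:00 clerk_b P2001
2035-03-02T10:04:00 clerk_b P2002
2035-03-02T10:06:00 clerk_b P2003
2035-03-02T10:09:00 clerk_b P2004
2035-03-02T10:12:00 clerk_b P2005
2035-03-02T10:15:00 clerk_b P2006
2035-03-02T10:19:00 clerk_b P2007
2035-03-02T10:24:00 clerk_b P2008
2035-03-02T10:30:00 clerk_b P2009
2035-03-03T02:15:00 nurse_a P1050
"""

SHIFT_START, SHIFT_END = 6, 20  # assumed normal hours; views outside are off-hours
MAX_CHARTS_PER_HOUR = 8         # assumed per-user baseline of distinct charts per hour


def parse_log(text):
    """Parse log lines into (timestamp, user, patient_id) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, patient))
    return sorted(events)


def find_unusual_access(text):
    """Return alerts as (kind, user, timestamp) for off-hours and high-volume access."""
    alerts = []
    per_user = defaultdict(list)
    for ts, user, patient in parse_log(text):
        if not SHIFT_START <= ts.hour < SHIFT_END:
            alerts.append(("off_hours", user, ts.isoformat()))
        per_user[user].append((ts, patient))
    for user, views in per_user.items():
        # Sliding one-hour window over this user's views; report the first window
        # in which the count of distinct patient charts exceeds the baseline.
        for i, (start, _) in enumerate(views):
            charts = {p for t, p in views[i:] if (t - start).total_seconds() < 3600}
            if len(charts) > MAX_CHARTS_PER_HOUR:
                alerts.append(("volume", user, start.isoformat()))
                break
    return alerts
```

In practice the baseline would be derived per role from historical access patterns rather than fixed, and each alert would be reviewed against the user’s assigned patients before any action is taken.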