Treating Healthcare’s Insider Threat
Originally published by Authomize here.
Written by Gabriel Avner, Authomize.
There’s an old joke about why bank robbers rob banks. Because that’s where the money is.
Given the valuable assets under their care, banks, fintech, insurance, and other financial institutions have understood that they have to take special care to avoid data breaches and other threats.
But if the past week’s steady stream of news stories about data exposure at hospitals is any indication, it should be clear that the healthcare industry faces its own set of serious challenges when it comes to keeping itself secure.
According to reports from last week on DataBreaches.net, Phoenixville Hospital in Pennsylvania and Cheyenne Regional Medical Center in Wyoming both experienced incidents in which employees accessed patient data they were not authorized to view.
According to those reports, the insiders viewed data elements including name, address, date of birth, date of encounter, diagnoses, vital signs, medications, test results, and provider notes. In a few instances they also viewed a partial Social Security number (last four digits) and the medical insurance company name and identification numbers.
Needless to say, the unauthorized employees who (allegedly) illicitly accessed the data have since become former employees.
Stories such as these are hardly rare, especially in recent years, as healthcare organizations have found themselves both increasingly under attack and under a brighter spotlight for data breaches.
Healthcare in the Crosshairs
The Geneva Convention calls for avoiding attacks on hospitals, but apparently hackers missed the memo on that one. Or just burned after reading.
In recent years, infosecurity news has been peppered with the latest incidents of hospitals being ransomwared. Often by crews in Russia far outside of the reach of Western law enforcement or extradition treaties. These attacks have led to stoppages in care to patients due to the inability to access critical patient data such as medical records.
In some instances, people have even died when they were redirected to other hospitals due to the closer facility being unable to operate after an attack.
But beyond the straight up ransomware attack that shuts down operations, hospitals are ideal targets for criminal hackers — especially those whose moral compass is duct taped to a giant magnet.
Healthcare has a target on its back because it holds massive troves of valuable data and, despite serious regulation and fines/lawsuits for breaches, is less well guarded than, say, a bank.
Looking at just some of the personally identifiable information (PII) exposed in last week’s breaches, it is more than enough for a fraudster to steal and profit from patients’ identities. The ability to defraud insurers with some of that PII alone is likely to be worth plenty of coin in the wrong hands.
But beyond the standard, practical criminal uses, Healthcare data is extremely personal. People expect privacy with their doctors, and place a premium on keeping it protected. As concerns regarding potential prosecution for health decisions in some states have arisen in recent weeks, many are putting additional focus on keeping their medical data away from prying eyes.
This all makes healthcare an exceedingly regulated space, with the Health Insurance Portability and Accountability Act (HIPAA) being the most recognized among the many compliance requirements for securing healthcare data against external and internal threats.
The Insider Risk in Healthcare
Electronic health records have been modern miracles for healthcare, making it far easier to access, share, analyze, and utilize important patient data. But like anything nice, what makes life easier for users also makes it easier for bad actors to steal.
According to the Verizon Data Breach Investigations Report for 2022, external actors were behind 61% of data breaches in healthcare. That leaves the remaining 39% of cases in the hands of insiders. Healthcare is by far the category in the report with the highest number of incidents where an insider was behind the incident.
Insiders are difficult nuts to crack from a security perspective because by default you have to give them access to your assets so that they can do the jobs you hired them to do. Striking the right balance between efficiency and security is a heavy lift.
5 Steps to Reducing Insider Threat Risks
The insider threat is always present so long as there are people working in an organization. But thankfully there are steps that we can take to reduce the risk and damages from an incident.
Below are five steps for mitigating your risk from insider threats.
1. Perform Access Reviews
Not just for compliance, Access Reviews are your opportunity to understand who has access to what and validate if they should actually have that access.
Whether you need to run them periodically for certification that you are in line with HIPAA regulations, or because you have specific concerns about the security of a given team, app, or service, Access Reviews can help to clear out insecure/inappropriate access privileges.
Once you understand what access everyone should have as a secure baseline, you can start the work of reducing privileges down to the absolute minimum.
2. Limit Privileges to Reduce Blast Radius
Bad actors will eventually gain access to your environments.
They can compromise an identity with stolen credentials, or, if they are an insider, use their own credentials to cause harm. It is important to remember that even an innocent insider with excessive privileges is a risk: an external attacker who compromises that insider’s credentials inherits every one of those privileges.
Our job is to make sure that whoever the bad actor is walks away with as little to nothing of value as possible.
Especially in the cloud, identity is our tool for how we segment access, using authorizations to control what an authenticated user can access. If the user does not have privileges to access an asset, then they should not be able to harm it.
By sticking to the Principle of Least Privilege, where every identity has the minimal level of access it needs to do its job and no more, we limit what any user can reach, and therefore how much harm that user (or whoever holds their credentials) can do.
So even if they do manage to access some level or amount of assets, hopefully the damage will be minimal and contained.
3. Monitor Access Privilege Activity
Understanding access privileges requires visibility beyond just what you can see from your identities’ perspective. Your assets have an important story to tell as well.
How are the access privileges to those assets being used? Are there identities from outside your organization (possibly people’s personal Gmail accounts) that are accessing resources?
Continuous access privilege usage monitoring is how we understand what our effective access is, getting the de facto picture. Once we have that visibility, there are a number of ways that we can use policies to alert us to risky activities and enable us to make smarter actions.
If, for example, we want to protect oncology patient records, we can set policies to monitor when those patient records are accessed. If that is too wide a scope, you can home in and receive alerts whenever a specific asset is accessed by an identity that does not normally access it, or is accessing it for the first time.
There are multiple ways to use security policies, but they all start with implementing monitoring of your access privilege activity.
4. Stop Privilege Sprawl
Internal migration within the organization and ad hoc needs for access are pretty standard. The problem arises when folks hold onto those additional privileges when they no longer need them.
If we are trying to keep to our Principle of Least Privilege, then we know that every additional privilege held equals a wider threat surface and opportunities for exploitation.
Monitor access privilege usage to see which privileges are no longer being used and verify if you can simply revoke them.
It is easier to revoke privileges and restore them later if necessary than to deal with a security breach later.
5. Eliminate Partial Offboarding for Leavers
When an employee leaves the organization, you want to make sure that all they leave with are good memories.
A not uncommon security risk is when an employee leaves but still retains access to a portion of the assets. For example, an employee has their access to AWS (an IaaS) revoked when they leave, but still retains access to repos in GitHub because the identity they use there is their personal one (which GitHub allows under its “Bring Your Own Identity” policy).
Leaving open access privileges for those who have left your organization creates the opportunity for a malicious former insider, or someone who has compromised that person’s credentials, to cause significant harm.
Mitigate this risk by identifying inactive access privileges and promptly revoking them. Make sure that you have visibility across all of your environments to ensure that no access privileges remain behind.
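The three monitoring ideas in steps 3 to 5 (first-time access to a sensitive asset, identities from outside the organization, privileges that go unused, and access that survives offboarding) all reduce to joining two data sets: the grants your IdP and applications say exist, and the access events your audit logs say happened. The following is an added example written for this article, not Authomize’s product or code. The identities, assets, dates, the ORG_DOMAIN value and the HR leaver feed are all constructed for illustration.

```python
"""Access-privilege analytics over constructed sample data (added example, not the vendor's code)."""
from datetime import date, timedelta

ORG_DOMAIN = "example-hospital.org"  # assumption: the organization's own identity domain
CUTOFF = date(2022, 7, 1)            # events before this date form the "normal" baseline
NOW = date(2022, 7, 15)              # evaluation date for the unused-privilege check

# Entitlements as exported from the IdP / app admin consoles: (identity, system, asset)
GRANTS = [
    ("alice@example-hospital.org", "ehr", "oncology_records"),
    ("alice@example-hospital.org", "github", "repo:billing-portal"),
    ("bob@example-hospital.org", "ehr", "oncology_records"),
    ("bob@example-hospital.org", "aws", "s3:patient-exports"),
    ("carol@gmail.com", "github", "repo:billing-portal"),  # personal identity on a work repo
    ("dave@example-hospital.org", "ehr", "oncology_records"),
]

# Constructed audit-log events: (date, identity, system, asset)
EVENTS = [
    (date(2022, 6, 1), "alice@example-hospital.org", "ehr", "oncology_records"),
    (date(2022, 6, 3), "bob@example-hospital.org", "ehr", "oncology_records"),
    (date(2022, 6, 10), "alice@example-hospital.org", "github", "repo:billing-portal"),
    (date(2022, 6, 20), "carol@gmail.com", "github", "repo:billing-portal"),
    (date(2022, 6, 25), "dave@example-hospital.org", "ehr", "oncology_records"),
    (date(2022, 7, 5), "alice@example-hospital.org", "ehr", "oncology_records"),
    (date(2022, 7, 6), "bob@example-hospital.org", "aws", "s3:patient-exports"),
    (date(2022, 7, 8), "dave@example-hospital.org", "ehr", "oncology_records"),
    (date(2022, 7, 10), "carol@gmail.com", "github", "repo:billing-portal"),
]

# Constructed HR leaver feed: identity -> last working day
LEAVERS = {"dave@example-hospital.org": date(2022, 6, 30)}


def first_time_access(events, cutoff):
    """Step 3: events on/after `cutoff` by an identity that never touched that
    asset before `cutoff`. Returns (date, identity, system, asset) tuples."""
    baseline = {(i, s, a) for d, i, s, a in events if d < cutoff}
    return [(d, i, s, a) for d, i, s, a in events
            if d >= cutoff and (i, s, a) not in baseline]


def external_identity_grants(grants, org_domain=ORG_DOMAIN):
    """Step 3: grants held by identities outside the organization's domain."""
    return [g for g in grants if not g[0].lower().endswith("@" + org_domain)]


def unused_privileges(grants, events, now, lookback_days=30):
    """Step 4: grants with no access event inside the look-back window.
    These are the revocation candidates."""
    last_used = {}
    for d, i, s, a in events:
        key = (i, s, a)
        if key not in last_used or d > last_used[key]:
            last_used[key] = d
    window_start = now - timedelta(days=lookback_days)
    return [g for g in grants if last_used.get(g, date.min) < window_start]


def leaver_residual_access(grants, events, leavers):
    """Step 5: grants still held by leavers, plus any access after their last day."""
    residual = [g for g in grants if g[0] in leavers]
    post_exit = [(d, i, s, a) for d, i, s, a in events
                 if i in leavers and d > leavers[i]]
    return residual, post_exit


if __name__ == "__main__":
    print("first-time access:", first_time_access(EVENTS, CUTOFF))
    print("external identities:", external_identity_grants(GRANTS))
    print("unused privileges:", unused_privileges(GRANTS, EVENTS, NOW))
    print("leaver residual access:", leaver_residual_access(GRANTS, EVENTS, LEAVERS))
```

On the sample data this flags Bob’s first use of the patient-export bucket, Carol’s personal Gmail identity on the billing repo, two grants nobody has used in 30 days (Alice on GitHub, Bob on the oncology records), and Dave, who left on June 30 but still holds an EHR grant and used it on July 8. The important design point is that every check needs both inputs: grants alone cannot tell you what is unused or who is accessing something new, and logs alone cannot tell you about a dormant grant that has never been exercised.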
Securing Healthcare Against Cyber Threats Will Get Harder
The job of cybersecurity defenders in healthcare is not going to get any easier.
In the past week, the Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings that North Korean state-sponsored hackers are working to hit healthcare and public health organizations with ransomware.
More locally, news of new data breaches and the resulting lawsuits continue to hound healthcare providers. The probability that we will hear about another insider incident in the coming week is more than zero.
Given the incentives for attackers, healthcare is likely to remain a prime target for the foreseeable future. The more that the blue team can do to make themselves harder nuts to crack from both the insiders and outsiders, the better their chance of keeping their valuable assets secure.