Healthcare is among the most heavily regulated of all U.S. industries, arguably more so than the closely scrutinized banking and finance sector.
There are health-related laws such as HIPAA, which among other things safeguards the privacy of patient records, plus an array of regulations that seek to protect individuals from health risks while boosting overall public health and welfare. Compliance is not optional.
Given this stringent regulatory environment, healthcare companies go to great lengths to safeguard their security as well, especially where patient data and their own valuable intellectual property are concerned.
So it should come as no surprise that these companies mobilized quickly when they started experiencing major data breaches several years ago, including cases where trusted insiders stole information and either sold it or left and took it to a competitor.
Indeed, the 2019 edition of Verizon’s widely read Data Breach Investigations Report (DBIR) confirmed the trend. Verizon noted that 15 percent of all breaches were in healthcare, as compared to 10 percent for finance.
The DBIR further found that trusted insiders were responsible for 59 percent of the healthcare breaches it analyzed, making healthcare the one industry where internal actors outnumbered external ones. Some of those incidents were due to malicious intent while others were accidental or caused by negligence, and the actors could be found at every level of a company, from customer service representatives to IT staff to senior executives.
Importantly, the DBIR also found that: “Financial gain is still the most common motive behind data breaches where a motive is known.”
The federal government has weighed in as well. A few months ago the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services warned of the dangers posed by insider threats in the medical field, citing cases in which employees had exposed confidential medical information for financial gain or as retribution.
OCR presented its own recommended best-practice guidelines on how best to manage an insider threat program. It said all organizations should:
- Understand where their data is located, the format in which it resides and where it flows throughout the enterprise;
- Establish who is permitted to interact with their data and what data those users are permitted to access, in order to determine appropriate access controls; and
- Consider how an organization’s users will interact with data.
OCR additionally recommended achieving greater real-time visibility and situational awareness through systems that detect suspicious user activity, audit controls, regular audit-log reviews and security incident tracking reports. It also advocated understanding the human element of risk through continuous awareness, assessments and preventive actions in the face of changing personnel circumstances such as promotions, demotions, transfers and, especially, involuntary separations.
There are broader lessons to be learned from the way the healthcare industry has responded to data breaches and other attacks, in particular with an increased focus on insider threat mitigation.
Healthcare companies are required under HIPAA's Security Rule to conduct risk analyses that identify threats and vulnerabilities to protected health information. Moreover, they must document the findings and remediate the vulnerabilities they have found. Identifying signs of financial stress or motive, monitoring likely exfiltration channels and comparing each user's behavior with that of peers in the same role are natural components of those assessments.
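The peer-group analysis and audit-log review mentioned above can be made concrete. The following is an added example written for this article, not Haystax code: it builds a constructed EHR access log (timestamp, user, role, action, patient ID; the format, names and thresholds are assumptions), counts how many distinct patient records each user touched, and flags anyone whose count sits far above the other users in the same role. The baseline is leave-one-out and uses median and MAD so that one heavy user cannot mask their own activity by inflating the group average.

```python
"""Peer-group baseline over EHR audit-log events.

Added illustration for the article above; not Haystax code. The log format,
field names and thresholds are assumptions, and the sample log is constructed,
not real audit data.
"""
import statistics
from collections import defaultdict


def make_sample_log():
    """Build a constructed audit log: '<ISO timestamp> <user> <role> <action> <patient id>'."""
    rows = []

    def add(user, role, patients, hour=10):
        for i, patient in enumerate(patients):
            rows.append(f"2019-06-03T{hour:02d}:{i % 60:02d}:00 {user} {role} VIEW {patient}")

    add("nurse01", "nurse", ["P1001", "P1002", "P1003", "P1004", "P1001"])   # 4 distinct (one repeat)
    add("nurse02", "nurse", ["P1002", "P1005", "P1006", "P1007", "P1008"])   # 5 distinct
    add("nurse03", "nurse", ["P1001", "P1009", "P1010"])                     # 3 distinct
    add("nurse04", "nurse", [f"P{2000 + i}" for i in range(30)], hour=23)   # 30 distinct, late at night
    add("bill01", "billing", ["P1001", "P1002", "P1003"])
    add("bill02", "billing", ["P1004", "P1005", "P1006"])
    add("doc01", "physician", ["P1001", "P1002", "P1003", "P1004", "P1005", "P1006"])
    return "\n".join(rows)


def parse_audit_log(text):
    """Parse five-field log lines into (user, role, action, patient) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, role, action, patient = line.split()
        events.append((user, role, action, patient))
    return events


def distinct_patients_per_user(events):
    """Map user -> (role, number of distinct patient records touched)."""
    seen = defaultdict(set)
    roles = {}
    for user, role, _action, patient in events:
        seen[user].add(patient)
        roles[user] = role
    return {user: (roles[user], len(patients)) for user, patients in seen.items()}


def peer_group_outliers(events, min_peers=3, k=3.0, min_spread=1.0):
    """Flag users whose distinct-record count sits far above their same-role peers.

    The baseline is leave-one-out: each user is compared with the *other* members
    of the role, using the median and scaled MAD rather than mean and standard
    deviation, so a single heavy user cannot inflate the baseline and hide.
    Roles with fewer than min_peers other users are skipped as having no usable
    peer group.
    """
    per_user = distinct_patients_per_user(events)
    by_role = defaultdict(dict)
    for user, (role, n) in per_user.items():
        by_role[role][user] = n

    flagged = []
    for role, counts in by_role.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            if len(peers) < min_peers:
                continue
            median = statistics.median(peers)
            mad = statistics.median(abs(c - median) for c in peers)
            spread = max(1.4826 * mad, min_spread)   # 1.4826 scales MAD to a std-dev equivalent
            threshold = median + k * spread
            if n > threshold:
                flagged.append({"user": user, "role": role, "distinct_records": n,
                                "peer_median": median, "threshold": round(threshold, 2)})
    return sorted(flagged, key=lambda f: -f["distinct_records"])


if __name__ == "__main__":
    for hit in peer_group_outliers(parse_audit_log(make_sample_log())):
        print(hit)
```

Run stand-alone, this flags only nurse04 (30 distinct records against a peer median of 4); the billing and physician users are skipped because they have too few same-role peers for a meaningful baseline, which is the usual reason such a detection needs a fallback (for example, comparing against the user's own history) for small departments.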
Even if your company isn’t nearly as tightly regulated as those in the healthcare industry, there are benefits to following their lead on standing up an integrated insider risk mitigation program that combines clearly articulated policies, cross-departmental cooperation and leadership buy-in with the right analytical processes and tools.
It’s not just good corporate practice – it can save your company from loss of data, reputational damage, civil liability exposure and, potentially, federal and state regulatory enforcement actions.
# # #
Note: Want to conduct a risk assessment to find your hidden insider threats, whether they are malicious, unwitting or negligent actors? Contact a Haystax rep or click here to find out how.