Defending Against Insider Threats
Effective Strategies for Healthcare Organizations
Healthcare organizations aren't performing enough analysis of user behavior to detect possible insider threats, says security consultant Mac McMillan.
"They don't do enough of that type of analysis where we're actually looking at behavior, and that's really important because that's how you catch fraud, and that's how you catch insiders that are doing things that they're not supposed to," he says in an interview with Information Security Media Group [transcript below].
Numerous tools are available that produce audit logs with respect to user activity, McMillan says. Those logs can give indicators of when suspicious behavior is occurring, he explains.
"You could have a rogue IT person, for instance, who's making changes in the system that are affecting performance or allowing data to go out in a manner that it shouldn't go out," he says. "By monitoring configuration changes on systems, [it] will tell you when somebody is making an unauthorized change."
In the interview, McMillan also discusses:
- Steps organizations can take to mitigate insider threats;
- Why fraud is the biggest emerging threat in healthcare;
- How a data loss prevention system can help with HIPAA Omnibus Rule compliance.
McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based consulting firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of the Healthcare Information and Management Systems Society's privacy and security task force.
The Insider Threat
MARIANNE KOLBASUK MCGEE: Incidents involving health record snooping, medical identity theft and fraud have all grabbed headlines. What do you think are the biggest cybersecurity threats that insiders pose to healthcare organizations and why?
MAC MCMILLAN: They really fall under three broad categories. The first one is threats that involve people looking at information that they're not supposed to be looking at or sharing that information with unauthorized other persons. The second area is in the medical or financial identity theft arena - fraud. The last one is one we don't think about too much, which is sabotage, where they actually damage data or destroy data on their way out the door because they're disgruntled or they're unhappy.
MCGEE: What kinds of healthcare organizations are most at risk for cybersecurity incidents involving insiders, and what sorts of insiders pose the biggest threats?
MCMILLAN: Everybody is at risk of insider threat, and generally there are lots of things you can look for. But it's people who are disgruntled: people who feel like they have been passed over; people who are having some kind of difficulty at home; people who are in some kind of financial stress; people who ideologically don't agree with the philosophy or the direction that their boss is going or the organization is going. There are lots of factors that contribute to why a person might do something that they shouldn't do. In some cases, when you're talking about snooping, it's just people who are curious. It's not necessarily that they're bad; they just can't help themselves from looking at things that they shouldn't.
Steps to Mitigate Risks
MCGEE: What steps should healthcare organizations take to mitigate these threats?
MCMILLAN: The biggest thing is have a very strong program of monitoring what people are doing in your systems - and that's one of the areas, unfortunately, that we're extremely weak in within healthcare. We still have a lot of our organizations that aren't auditing or monitoring what people are doing in the system proactively. They're not using a tool so they can [monitor] in an automated fashion, or [are] using a very limited capability of that tool. We fall into that category of "we don't know what we don't know." What that does is it makes us even more susceptible to that insider threat.
MCGEE: You mentioned monitoring tools. Are there other key security technologies that healthcare organizations can implement to protect themselves against insider threats?
MCMILLAN: Just about any tool out there that produces some form of an audit log with respect to activity that can give us indicators of when things are not happening in a way that they should be happening. You could have a rogue IT person, for instance, who's making changes in the system that are affecting performance, or allowing data to go out in a manner that it shouldn't. By monitoring configuration changes on systems, [it] will tell you when somebody is making an unauthorized change.
We talked about log management. We've talked about privacy monitoring tools, implementing those tools to be more proactive about looking at what people are doing. [It's] not just [about] the obvious, like looking at somebody's record with the same name or looking at their own record, but actually using those tools in the manner that they were intended, which is to look at the behaviors of people. If, for instance, the average admitting clerk during a shift looks at, say, 100 records ... if they look at 150 or they look at 200, the system could provide an alert or an alarm that says this person is potentially looking at more records than what they need to be looking at to perform their job. What are they doing? We don't do enough of that type of analysis where we're actually looking at behavior, and that's really important because that's how you catch fraud. That's how you catch insiders that are doing things that they're not supposed to.
Let me give you an example. The case down in Florida where you have the [hospital] clerks who were stealing the information related to [patients] who had been in car accidents and selling it to disreputable lawyers, basically they weren't doing anything that the system would catch because they were authorized users. They had access to the system. They had access to the records for admitting purposes. But when you looked at those people's profiles against other admitting clerks when this thing finally broke, what they found was that the two individuals involved had a tremendous spike in the number of records that they looked at in a given day or given shift, as opposed to their peers. The only way you're going to catch that is if you do the behavioral analysis.
Emerging Insider Threats
MCGEE: What new and emerging insider threats should healthcare providers be watching out for?
MCMILLAN: The biggest one is fraud. We have a tremendous amount of information in the [healthcare] industry that's very valuable and it's got a great street value out there, even more so than financial data. Unfortunately, we're going to have folks who are going to either take advantage of that for purposes of greed or, like I said, because they're in some kind of financial straits, or they could even be susceptible to blackmail. Somebody who has done something that they shouldn't, somebody finds out about it and says, "Look, I'll tell on you and you'll lose your job unless you give me this information." People will do things that you never imagined when they're put in the right circumstance.
Data Loss Prevention
MCGEE: Changing subjects a bit, are there any key security technologies that covered entities and business associates should be considering to implement to help with their HIPAA Omnibus Rule compliance?
MCMILLAN: ... One of the main ones right now is data loss prevention. [That's] because of where we are with respect to transitioning the network, how we deliver services and how we deliver data in basically this ubiquitous environment that has bring-your-own-device and all these connections. ... You have to protect the data where the data is. You need technologies that put protections around the data itself as opposed to worrying about where all these endpoints are.
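The peer-comparison behavioral analysis McMillan describes above (an admitting clerk who views far more records per shift than other clerks), as an added example that is not part of the interview: it aggregates raw record-access audit lines per user and shift, then flags anyone well above the peer median for that shift. The CSV column names, the constructed log, and the median-plus-MAD threshold are assumptions, not a description of any particular privacy monitoring product.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median


def count_accesses(log_text):
    """Aggregate raw audit lines into {shift: Counter({user: views})}.
    Assumed format: CSV with header timestamp,user,shift,patient_id,
    one line per record viewed."""
    counts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(log_text)):
        counts[row["shift"]][row["user"]] += 1
    return counts


def flag_outliers(counts_by_shift, k=3.0, min_peers=3):
    """Flag users whose per-shift view count exceeds peer median + k * MAD.
    The median absolute deviation (MAD) is used instead of mean/stdev so
    one heavy user cannot inflate the baseline they are measured against.
    Returns a list of (shift, user, count, threshold)."""
    flagged = []
    for shift, per_user in counts_by_shift.items():
        if len(per_user) < min_peers:
            continue  # too few peers on this shift for a meaningful baseline
        values = list(per_user.values())
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # Floor the spread at 1 view so a perfectly uniform peer group
        # still yields a usable threshold instead of flagging median + 1.
        threshold = med + k * max(mad, 1.0)
        for user, n in sorted(per_user.items()):
            if n > threshold:
                flagged.append((shift, user, n, threshold))
    return flagged


def constructed_log():
    """Constructed sample audit log (not real data): on the day shift
    clerk04 views about three times as many charts as each peer."""
    spec = {("day", "clerk01"): 5, ("day", "clerk02"): 4, ("day", "clerk03"): 5,
            ("day", "clerk04"): 15, ("night", "clerk05"): 3, ("night", "clerk06"): 4}
    lines = ["timestamp,user,shift,patient_id"]
    for (shift, user), n in spec.items():
        for i in range(n):
            lines.append(f"2013-06-03T08:{i:02d}:00,{user},{shift},P{user[-2:]}{i:03d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for shift, user, n, thr in flag_outliers(count_accesses(constructed_log())):
        print(f"ALERT shift={shift} user={user} views={n} peer_threshold={thr:.1f}")
```

In production the baseline would be computed from weeks of history per role rather than one shift, and the alert should carry the list of charts viewed so a privacy officer can review them.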