HHS Warns of Insider Threats in the Healthcare Sector

April 27, 2022

Recently, HHS published a warning about insider threats in healthcare and the public health sector—sixty one percent of data breaches that involve an insider are unintentional and caused by negligent insiders

Janette Wider

On April 21, the Department of Health and Human Services (HHS) issued a warning regarding insider threats when it comes to healthcare and the public health (HPH) sector. “An insider threat in the HPH Sector is potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization's security practices, data, and computer systems,” the warning says. “The person could use this information in a way that negatively impacts the organization.”

Insider threats within an organization include:

Careless or negligent workers
Malicious insiders
Inside agents
Disgruntled employees
Third parties

The warning adds that, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common." According to Ponemon’s ‘2020 Insider Threats Report,’ 61 percent of data breaches involving an insider are primarily unintentional, caused by negligent insiders.

Lack of awareness about security policies and a failure to provide security awareness training
Twenty-seven percent of employees saw security policies less than once a year; 39 percent received security awareness training less than once a year
Unintentional insider threats pose a major risk to the health sector
An example is an employee leaving an unencrypted mobile device or laptop containing sensitive data unattended. The device(s) could be stolen, or data could be copied while the device is unattended.
Alexa on while sensitive meetings are going on (i.e., working remote) could cause sensitive data to be leaked”

The warning adds that malicious insiders are individuals that have a grievance against a company and act on it. More money is allocated to protect against these types of threats, studies have shown that they pose less of a threat to organizations than insider threats.

“It is important to mention that there are different studies on this with varied metrics,” the warning adds. “According to the Ponemon Institute’s ‘2020 Insider Threats Report:’

Malicious Insiders – 14 percent of Insider Threat Incidents
Negligent Insiders – 61 percent of Insider Threat Incidents
Negligent Insiders (credentials stolen) – 25 percent of Insider Threat Incident”

According to the warning, inside agents work on behalf of an external group to compromise an organization’s network and carry out data breaches or other attacks. Additionally, “disgruntled employees” pose significant risk because of their access to an organization’s systems and are considered “emotional threat actors.” Third parties are also a type of insider threats, 94 percent of organizations give third parties access to their systems and in 72 percent of case studies, third-party vendors had advanced permissions on said systems.

As what organizations can do to prevent insider threats, some criteria include: