Insider Threats: In the Healthcare Sector

Organizations are often too preoccupied with defending the integrity of their company and network from external threats to address the very real and dangerous risk that may lie within their own organization – insiders. The insider poses a threat because the legitimate access they have or had to proprietary systems exempts them from traditional cybersecurity defenses, such as intrusion detection devices or physical security. They also may know the network setup and its vulnerabilities, or be able to obtain that knowledge, better than almost anyone on the outside. While one insider may be simply careless, another causes destruction with malice. The insider threat concept encompasses a variety of employees: from those who unknowingly click a malicious link that compromises the network or lose a work device containing sensitive data, to those who maliciously give away access codes or deliberately sell PHI/PII for profit.

Example

An insider victimized one Texas hospital when an employee built a botnet, using the hospital network, to attack rival hacking groups. The individual was eventually caught after he filmed himself staging an “infiltration” of the hospital network and posted the footage on YouTube for public viewing. The video clearly shows the individual using a specific key to “infiltrate” the hospital, which revealed his identity as Jesse McGraw, a night security guard for the building. The investigation revealed that McGraw had downloaded malware onto dozens of machines, including nursing stations holding patient records. Additionally, he installed a backdoor in the HVAC unit which, had it failed, would have damaged drugs and medicines and affected hospital patients during the hot Texas summer. McGraw pled guilty to computer tampering charges and is serving a 9-year sentence in addition to paying $31,000 in fines.

Recommendations

The best way to detect an insider threat is often other insiders. Training your users and employees to recognize and report an insider threat, and to avoid inadvertently becoming one, is the most effective way to protect your organization. There are many open-source resources on insider threats, with training programs and educational materials for organizations and their employees. These include explanations of what suspicious activity and behavioral changes employees should look for in colleagues, and when to report it and to whom. The Carnegie Mellon CERT tracks insider threat cases and is a great place to start.