Between remote work models, clinician burnout and an increased reliance on traveling healthcare professionals to meet shortages, the transient nature of the healthcare workforce in the pandemic era has deepened the risk of insider threats and data security.

With the common disconnect between IT and human resources departments, healthcare systems are often leaving terminated employees' access credentials active for potentially months after they’ve left an organization. It's a growing vulnerability exploited for cyberattacks. 

According to Joel Burleson-Davis, senior vice president of worldwide engineering, cyber at Imprivata, accidental or intentional insider threats are growing as a result. 

Healthcare IT News asked Burleson-Davis to discuss the risks of changing workforces and preventing attacks, like data exfiltration.

Q. How have malicious and accidental insider threats grown since the start of the pandemic and what is happening in the post-pandemic period? 

A. According to Ponemon’s 2022 Cost of Insider Threats: Global Report, insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.38 million.

As the pandemic drove a shift toward remote work and the rapid adoption of new technologies, the healthcare industry saw an increased risk of malicious and accidental insider threats. 

Additionally, the pandemic has created a high-pressure environment for healthcare workers, which can increase the risk of accidental insider threats, such as unintentional data breaches or errors that result in compromised credentials. 

As automated as the world is becoming, humans still manually log into systems, access assets and review data every single day. In healthcare, the number of logins to the electronic health records to access protected health information can top the millions. 

That’s a lot of humans with a lot of room for error — and bad actors are all too eager to take advantage of that. They have also developed more sophisticated ways of breaching inactive credentials that have not had access privileges shut off. 

Accidental insider threats have risen as increased remote access to healthcare systems has created new vulnerabilities that attackers can exploit. Employees working from home or an unsecured remote location may be more distracted, unaware of security risks and susceptible to social engineering attacks, where a bad actor manipulates a user to give them access (or credentials), such as phishing. 

Malicious insider threats have also increased due to employees feeling disgruntled or stressed. With access, they may attempt to steal sensitive data or sabotage systems. This is the result of the Termination Gap. 

When employee access is not disabled immediately upon their departure, organizations are putting their sensitive data at risk. A disgruntled former (or soon-to-be former) employee could easily leak data, change assets or otherwise cause harm to an organization’s operational technology. 

As for the post-pandemic period, it is expected that remote work and access for IT teams will continue to be heavily relied upon. Healthcare organizations will need to continue to adapt and prioritize security measures and policies to mitigate insider threats associated with hybrid and remote work models. 

To reduce the risk of inactive credentials being breached and the risk of a terminated employee accessing or stealing data, organizations can adopt cybersecurity tools like automated identity governance and embed employment verification into their authentication workflows. 

The strategy can effectively disable access when an employee is terminated.

To detect either malicious or accidental insider threats and protect data, organizations can adopt insider threat detection or privacy monitoring solutions that leverage artificial intelligence and machine learning to identify anomalies or risky behavior.

Q. What are some common insider tactics and strategies healthcare IT teams should look for? 

A. Healthcare IT teams should be aware of the following tactics and strategies that insider threats may use:

1. Unauthorized access - Insiders may try to access sensitive data without authorization, either by exploiting vulnerabilities in the system or by using stolen credentials.
2. Misuse of privileges - Insiders who have legitimate access to healthcare data may misuse their privileges to access information they shouldn't be able to see, or to make changes to data that they are not authorized to make.
3. Data theft - Insiders may try to steal data or PHI from the organization, either to sell it on the black market or to use it for their own gain.

In addition to these tactics and strategies, there are several red flags that healthcare IT teams should look for when trying to identify insider threats. These include:

1. Unusual patterns of network activity - Insiders may abuse privileges to create new system users for malicious purposes. Also, users that have logged in from multiple locations simultaneously can be examples of compromised credentials.
2. Attempts to bypass security controls - Insiders may try to bypass security controls such as firewalls or RBAC to gain access to sensitive data.
3. Changes in behavior or activity levels - Insiders may exhibit changes in their behavior or activity levels, such as accessing data outside of their normal work hours or taking a sudden interest in data they don't usually work with.

By being aware of these tactics and red flags, healthcare IT teams can take proactive steps to detect and prevent insider threats before they can cause harm. 

This includes conducting regular user access reviews to ensure that employees only have access to the data and systems they need to do their jobs, and implementing robust provisioning, monitoring and alerting systems to detect unusual activity.

Q. When it comes to data exfiltration, how do you advise healthcare organizations that see legitimate uses for email, USB and cloud storage to monitor large data transfers?

A. Healthcare organizations should implement security controls that balance the need for legitimate use of email, USB, and cloud storage with the need to prevent data exfiltration. However, it's important to balance security with user productivity, so organizations should ensure that their data loss prevention (DLP) policies are well-defined and clearly communicated to employees. Steps organizations can take to protect and monitor large data transfers include:

1. Use DLP and Data Access Monitoring tools to gain visibility and control the access and transfer of sensitive data, such as patient records, outside of the organization.
2. Enforce policies and procedures that limit the use of personal email, USB and cloud storage for work-related data. 
3. Implement multi-factor authentication and access controls for cloud storage services to prevent unauthorized access.
4. Train employees on data security best practices and the risks associated with data exfiltration.

Q. How can healthcare IT departments improve collaboration with HR to address terminated or former employees' credentials to improve insider threat mitigation?

A. Collaboration between healthcare IT and HR is crucial for effective insider threat mitigation. To improve collaboration:

• Set up clear policies and procedures for revoking system access when employees leave the organization or change roles.
• Establish a streamlined process for de-provisioning user accounts and revoking access to systems and data.
• Automate user account provisioning and de-provisioning through implementing an automated identity governance and administration solution, with user permissions determined by role-based access policies agreed upon by HR and IT.
• Conduct regular reviews of system access permissions to promptly identify and revoke access for terminated employees.
• Provide HR with IT security training and education to increase awareness of insider threat risks and how to respond to security incidents.
• Establish a formal process for HR to notify IT when employees are terminated, which triggers an immediate review of system access.

Creating a close linkage between HR systems and access rights allows an organization to easily create role-based access, and develop a user access provisioning policy. 

An automated identity governance solution can ensure that when an employee gets hired, they are provisioned with all the access they need, both for HR and IT purposes. When that employee is terminated or their role changes, those access rights change alongside it, creating a seamless access provisioning lifecycle. 

The minute a user is no longer an employee, all their access rights are de-provisioned and the potential insider threat is gone before it ever arose.

Q. How do access behavior monitoring and analytics improve insider threat mitigation programs and move HIT departments toward more actionable detection and response postures?

A. There are two components of access governance that can help an organization prevent termination gap breaches: user access reviews and linking HR systems to access rights. 

Identity and access governance, when integrated with a behavior monitoring and analytics solution, can help healthcare IT departments detect and respond to insider threats by:

• Providing visibility into user activity and behavior patterns to identify anomalous behavior.
• Alerting IT teams to potential insider threats in real-time, allowing for faster response times.
• Enabling IT teams to conduct forensic investigations to determine the scope and impact of a security incident.
• Facilitating compliance with security regulations and standards by providing audit trails and access logs.
• Enabling continuous improvement of security policies and procedures based on insights gained from user behavior analytics.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.

Matthew Fisher will offer more detail in the HIMS23 session "A Confusing Muddle: Health Policy Post-Dobbs." It is scheduled for Tuesday, April 18, at 3 p.m. - 4 p.m. CT at the South Building, Level 1, S100 C.