Healthcare organisations need to take insider security threats seriously. As noted in a recent Verizon report, 60 percent of healthcare data breaches involve insiders.
There are two types of insider threats that healthcare organisations can face: malicious and accidental. Malicious actors aim to do harm; unintentional insiders are often employees that were trying to do the right thing but made a mistake or acted in ignorance.
“If an insider is bored, depressed, frustrated or angry based on a situation involving an organisation or workplace, there is a high likelihood that they may act out maliciously,” says Mike McKee, CEO of insider threat management company ObserveIT. “Money is another significant motivator for malicious insider threats.”
Even politics can contribute to security risks. Incidents of state-sponsored insider threat attacks and corporate espionage have been reported.
Meanwhile, unintentional insider threats are often caused by human error or ignorance. For example, an employee or contractor with access to the organisation’s systems and data may be a risk for becoming an insider threat if they aren’t necessarily tech-savvy or used to considering the security implications of their actions.
Healthcare organisations can take administrative countermeasures to protect themselves against insider threats.
“These include continuous workforce education, active training via simulated phishing emails with immediate feedback and training, and progressive disciplinary measures for repeat offenders, although this has been slow to adopt in my experience,” says Fernando Martinez, chief digital officer at the Texas Hospital Association, which created and promotes a cybersecurity awareness programme.