In a recent newsletter, HHS OCR revealed key steps organizations should take to mitigate and better detect malicious insider threats through risk assessments, data inventory, and other methods.
In light of an increasing number of breaches caused by insiders with malcious intent, the Department of Health and Human Services Office for Civil Rights released guidance on ways healthcare organizations can better prevent, detect, and respond to insider threats.
A recent report from Egress showed that the healthcare sector has been the hardest hit by breaches. And about 60 percent of those security incidents were caused by human error, such as incorrect disclosure or posting or faxing data to the wrong recipient.
Meanwhile, Verizon’s annual Data Breach Investigations report found healthcare is hindered by privilege misuse and other miscellaneous insider errors.
For OCR, the threat posed by malicious insiders is a greater risk and can put organizations at risk of data loss, reputational damage, civil liability disclosure, and potential federal and state regulatory enforcement actions.
“Detecting and preventing data leakage initiated by malicious authorized users is a significant challenge facing security professionals today,” OCR officials explained. “Identifying potential malicious activity as soon as possible is key to preventing or mitigating the impact of such activity. To identify potential suspicious activity, organizations should consider an insider’s interactions with the information system.”
To begin, organizations need to create a full data inventory to understand where the data is located within the network, the format of the data, and where it flows throughout the enterprise. Officials stressed that this information is crucial to an accurate risk assessment and protecting the confidentiality, integrity, and availability of critical data.
User permissions should be targeted next, by establishing who is permitted to interact with data, as well what data the user is permitted to access in order to establish appropriate user controls.
“Physical access controls as simple as doors that need keys for opening can limit an unauthorized person’s ability to enter sensitive facilities or locations,” officials wrote. “Network access controls can limit access to networks or specific devices on a network; role based access controls can limit access to certain devices, applications, administrator accounts, or data stores to only a defined group of users.”
When establishing access controls, organizations will need to leverage their risk analyses and determine how users can interact with data. For example, IT or security teams should create controls based on the user’s job function to establish permissions around accessing data from outside of the network, the specific devices, or even their own personal device.
According to OCR, organizations should limit unnecessary mobile device use or external storage device to reduce risk. If access is necessary, the’ll need to implement appropriate security controls.
Real-time visibility can significantly reduce risk to an organization, especially as the use of third-party vendors, cloud computing, and mobile devices increases, officials explained.
“To minimize this risk, an organization may employ safeguards that detect suspicious user activities, such as traffic to an unauthorized website or downloading data to an external device,” officials wrote.
“Maintaining audit controls and regularly reviewing audit logs, access reports, and security incident tracking reports are important security measures, required by the Security Rule, that can assist in detecting and identifying suspicious activity or unusual patterns of data access,” they added.
Lastly, organizations will need to continuously seek to improve awareness to address the dynamic nature of security.
For one, access can and should change over time, which organizations should address in their policies and procedures. When a user is promoted, demoted, or transferred to another department, for example, their access may change. Organizations should evaluate privileges during those situations to address the potential risk.
The risk of insiders increases when an employee is involuntarily let go from an organization. As a result, OCR stressed that organizations will need to implement policies and procedures to terminate both physical and electronic access to the data before the user leaves their employment, such as disabling all of the user’s accounts, changing or disabling facility coders, and retrieving the organizations’ property.
“The healthcare sector is a tempting target for malicious insiders who seek to disclose or steal an organization’s sensitive information,” OCR officials wrote. “However, by recognizing the risks and implementing appropriate safeguards, organizations can manage this risk and comply with the law.”
Date: September 18, 2019
Source: Health IT security