A report from Clearwater sheds light on the continued risk careless users pose to healthcare data security, including exposed endpoints, susceptibility to phishing, and improper access.
Employees are one of the healthcare sector’s greatest vulnerabilities, impacting three key areas that put healthcare data, endpoints, and access at risk of data loss and other threats, according to the latest report from Clearwater CyberIntelligence Institute.
Clearwater sought to address the tangible threats posed by insiders, following reports that found insiders – both malicious and inadvertent – are behind more than half of healthcare data breaches.
In May, Verizon’s Data Breach Investigations Report found 59 percent of all security incidents were caused by trusted insiders. Meanwhile, an August Egress report showed that 60 percent of data breaches this year were the result of human error.
Researchers from Clearwater analyzed threats found in its analysis database, with a focus on those threats specific to users, alongside data around administrative, technical, and physical vulnerabilities.
The report showed that careless users account for critical and high-risk ratings in three areas: endpoint data loss, susceptibility to malware and phishing attacks due to untrained or untested staff, and improper access to sensitive applications and devices caused by weak passwords.
In fact, the vulnerabilities caused by careless users make up about 83 percent of all critical and high-risk ratings.
Endpoint Data Loss
The top security vulnerability was endpoint data loss, accounting for nearly 54 percent of negative risk ratings. Endpoint data loss is a “catch-all” term that covers a wide range of data, such as patient data, payroll data, or intellectual property, leaving the organization’s control through any device a user employs to access that data.
Examples of endpoint data loss include users leaving workstations with data displayed on monitors, emailing unencrypted data to an outside third-party, or faxing sensitive information from a multi-function printer to the wrong number.
“Because of the many ways in which sensitive data can potentially escape an organization’s control through user endpoints, it is best to have multiple layers of security controls in place to combat the problem,” researchers explained.
Healthcare organizations should develop and provide users with policies that bar users from engaging in risky behavior, while implementing preventative measures, like not allowing users to store data locally on their work computers, or personal devices used for work.
Users should also be prohibited from copying files out to data ports, such as USB and Firewire, as well as external media. Clearwater also recommended providers implement a lock screen function to turn off monitors after a brief period of inactivity.
“Less typical, but a much more effective security control, is the use of data loss prevention applications to scan for any file or data movement off of an endpoint to any other location, like a data port or an Internet file sharing service, and to stop it unless the movement is specifically authorized,” researchers noted.
“However, this control is both expensive and fairly difficult to administer, so many organizations choose to implement a simpler variation of this by screening all outgoing email for certain sensitive data patterns, e.g. Social Security Numbers, and stopping or automatically encrypting it if it is being sent outside the organization,” they added.
Without one or more of these controls, the risk of endpoint data loss was the highest, according to the report.
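The simpler email-screening variant the researchers describe, as an added illustration that is not part of the Clearwater report or the article: outgoing mail is scanned for Social Security Number patterns, and a message carrying one to a recipient outside the organization is flagged for blocking or automatic encryption. The internal domain set, the sample message, and the policy action are constructed assumptions for this example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed set of the organization's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"hospital.example"}

# Dashed US SSN; the captured groups let us reject values that cannot be valid SSNs
# (area 000/666/9xx, group 00, serial 0000), which trims false positives.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text: str) -> list:
    """Return every plausible SSN found in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def recipient_domains(msg: Message) -> set:
    """Collect the domains of every To/Cc/Bcc recipient."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}


def screen_outgoing(raw: str, action: str = "encrypt") -> dict:
    """Apply the DLP rule: SSNs addressed to an external domain trigger `action`."""
    msg = message_from_string(raw)
    text_parts = [msg.get("Subject", "")]
    for part in msg.walk():  # walk() also yields a single-part message itself
        if part.get_content_type() == "text/plain":
            text_parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    hits = find_ssns("\n".join(text_parts))
    external = sorted(d for d in recipient_domains(msg) if d not in INTERNAL_DOMAINS)
    verdict = action if hits and external else "allow"
    return {"action": verdict, "ssn_count": len(hits), "external": external}


# Constructed sample: one internal and one external recipient, one real-looking SSN
# and one value (area 999) that the validity check should ignore.
SAMPLE = """From: billing@hospital.example
To: Nurse <nurse@hospital.example>, vendor@clinic-partner.example
Subject: Patient account update
Content-Type: text/plain

Please correct the record for SSN 123-45-6789. Ticket 999-99-9999 is not an SSN.
"""

if __name__ == "__main__":
    print(screen_outgoing(SAMPLE))
```

A production gateway would also inspect attachments and other PHI patterns; the decision logic above is the part the researchers are describing.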
Untrained, Untested Staff Vulnerabilities
The second largest vulnerability was untrained or untested staff. Clearwater found users must be continuously trained on how to recognize security threats, which should be a fundamental part of any healthcare organization’s internal security policies.
Users also need to be tested on those skills, in order to apply the training in a real-world situation.
“Without this training, and corresponding testing, it is likely only a matter of time before a user falls prey to some security exploit, such as a phishing email, that compromises their workstation and possibly spreads it throughout the enterprise,” researchers explained.
Just last week, two providers reported lengthy data breaches caused by employees falling victim to phishing schemes. Phishing is one of the largest threats to users in the healthcare sector. Threats evading email security functions have increased 25 percent this year, according to GreatHorn.
As a result, training and testing users is crucial to providing a last line of defense when those security defenses fail. A study from JAMA in March confirmed that phishing education and training greatly reduce healthcare cyber risk. But Kaspersky found 24 percent of US health employees have never received cybersecurity training.
Clearwater researchers stressed that healthcare organizations need to go further with training on security policies and procedures: “It’s equally important to ensure that any other parties with access to the organization’s sensitive systems and data also have been properly trained.”
Organizations should also implement back-up measures that protect against any training failures, making it harder for users to accidentally infect the system with malware. This includes preventing executable programs, such as .exe or .com files on USB keys, flash drives, and discs, from automatically executing or being read, so that malware possibly hidden on the device cannot install itself.
Clearwater also recommended screening all internet requests through a content filter to prevent users from accessing websites known to host malware, as well as whitelisting the types of programs allowed to be installed on an employee’s workstation to prevent anything malicious from being installed.
“Implementing controls that prevent users from storing any of the organization’s data on their local workstations is, therefore, another effective way of thwarting malware should it somehow manage to avoid the organization’s other security measures and still get installed on a user’s computer,” researchers wrote.
“Careless Users are certainly not a new phenomenon in healthcare,” they continued. “It is imperative that healthcare organizations work to strengthen the controls noted in this bulletin to better manage the cyber risk associated with careless users.”
The Department of Health and Human Services’ Office for Civil Rights has also provided in-depth guidance on methods healthcare organizations can use to prevent, detect, and respond to insider threats, including a full data inventory, user permissions, access controls, and risk analyses, among other key steps.
Source: Health IT Security