HHS Informs the Health Care Field about Internal Security Threats

Posted by HIPAA Software on Apr 26, 2022

On the 21st of April, the U.S. Department of Health and Human Services (HHS) published a caution about the risk of internal security threats for healthcare providers. It also notes an increase in data breach incidents that involve individuals inside health organizations: workforce members, vendors, and business associates (BAs).

What are Internal Security Threats and Why is This Topic Important?

HHS defines an internal security threat as a workforce member or vendor who can access assets, data about internal security methods, or computing systems. Such individuals can use this information against the organization: they may take part in fraud, steal data, and damage computing systems. These individuals are called “insiders”. They can provide that data to third parties or to workers who want to harm the healthcare organization.

State-backed hacker groups, as well as lone hackers, have already chosen the healthcare field as a target. The media put a lot of effort into highlighting these external threats, but it is a misconception to think that most threats are external. A great number of data breaches and violations occur inside the company. Insiders are not only employees who steal or damage data and systems deliberately; they can also do so by accident, without realizing it.

Statistical Data of Internal Security Threats from the Previous Years

According to the Verizon 2021 Data Breach Report, the number of external threats tended to decrease for 3 years starting in 2017, while the number of internal threats tended to grow. This applies especially to careless individuals who cause data breaches unintentionally. Based on the Ponemon Institute’s 2020 Insider Threats Report, these individuals cause more than 60% of internal threat incidents, while those who act deliberately cause less than 15% of cases. Due to these incidents, organizations in the healthcare field lose more than 11K USD annually.

How to Avoid Such Cases?

As the statistics above show, it is vital to invest not only in employee monitoring tools and platforms but also in employee education. Unintentional data breaches make up the larger share of internal security threats. They are caused simply by employees’ lack of knowledge of the organization’s safeguards. That’s why HHS encourages healthcare organizations to pay attention to workforce education and to provide periodic reminders about the organization’s security policies. It is best to provide this training when a new worker starts employment and as continuing training afterwards.

Employees should have access only to the resources needed for their work duties. It’s important to apply strict methods and measures for access and password management. A formal internal security threat mitigation program should be developed, as well as an incident response plan. It is necessary to act quickly and efficiently when an internal security threat is detected.

Also, it’s vital not to forget about monitoring services. They are important for threat detection, which demands continuous monitoring of user activity, scheduled access controls, and activity logs. To handle all these duties, it’s necessary to consider security information and event management (SIEM) solutions.

Other HHS Recommendations Regarding Internal Security Threats Reduction

In its caution, the U.S. Department of Health and Human Services (HHS) advises reviewing and updating cybersecurity policies and guidelines, limiting privileged access, and setting up role-based access control to reduce internal security threats. You can find the full information on internal security threats provided by HHS on their website.
