Healthcare and Insider Attacks: An Ounce of Prevention
Recently a woman in Winton Hills, Ohio sued the University of Cincinnati Medical Center because her bitter ex-boyfriend, who worked at the hospital, and two other employees posted her medical records on Facebook. If proven, this activity represents a tragic breach of HIPAA and illustrates how an insider can put a healthcare organization at risk.
A recent Information Security study suggested that American healthcare organizations spend six percent of their budget or more on implementing security tools, policies and training, but that almost all of that budget is spent preventing attacks from outsiders. A 2010 study by the US Secret Service found that attacks from outside sources were as much as five times the number of attacks from insiders, but that attacks from insiders were more often successful and, despite their small numbers, caused more than three times the financial damage. This underscores the nature and threat of insider attacks and the underlying fact that no matter how much we spend on the next security gadget, the real threat to our success lies in human behavior, not in the failure of technology. At the end of the day, no amount of training, no policy, no whizz-bang technology would ever have prevented a vengeful employee from disseminating that information.
If this is true then the next question becomes, as St. Luke asked, “What then must we do?” Well, for starters let’s take another look at the insider. There are different kinds of insiders, such as the innocent insider and the nefarious insider. The innocent insider is the well-meaning employee who succumbs to social engineering and gives private information to someone masquerading as an authority figure, or who accidentally leaves a loaded laptop on the table at Starbucks. Security has been defeated by human behavior. The nefarious insider is different. He is interested in money, sabotage, or revenge for perceived slights. Many times, the nefarious insider is a former employee still in possession of his own or someone else’s credentials. In fact, the Secret Service reports that 60 percent of the successful insider attacks they investigated were perpetrated by former employees fired for cause, whose credentials had not been revoked more than a year after they left the company. How can this be? Surely password revocation would be right up there with taking back the identity badge during the exit interview. But apparently this is not the case. Woody Allen once said that “Eighty percent of success is just showing up.” In this case, that means focusing on the simple things, the basic things we SHOULD be doing, such as revoking the credentials of dismissed employees immediately.
Thwarting inside attacks is hard. It’s harder still because we must implement measures to protect the organization from the very people we’ve hired and entrusted to promote the success of the organization in the first place. We have no way of knowing who the weak link is, but we must constantly screen for them, and we must depend on the honest insiders to assist us in this cause. This is accomplished through good security policy and constant training. For example, social engineering is one of the most effective mechanisms for discovering sensitive information, therefore employees must be inoculated against it by training them that all persons unknown to them are potential threats, especially on the phone. Appeals to authority, threats of punishment and intimidation from unknown authority figures must be ignored, and real misunderstandings must be forgiven. Passwords should be changed frequently to thwart former employees who have discovered another employee’s credentials. Sleep timers for computers should be set to the shortest interval the people who use those computers will accept, to prevent someone from hijacking another’s session when they get up for coffee, and employees should be encouraged to lock their screens whenever they step away rather than depend on the sleep timer. In addition, employees’ access should be compartmentalized, and audit logs of failed logon attempts should be examined for random fishing attempts. And most importantly, default passwords MUST be eliminated and passwords randomized – a study by Verizon showed that the top 25 most popular passwords were responsible for half the successful attacks in 2010, while that Information Security study found that more than half of all US healthcare organizations used ONLY username and password authentication for their primary security.
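Two of the basics above, reviewing failed-logon audit logs for random fishing attempts and catching credentials of departed employees that were never revoked, lend themselves to a routine, scriptable check. The following Python is an added example, not code from the article or from any product it mentions; the audit lines, the log format and the HR separation list are all constructed for illustration.

```python
from collections import defaultdict

# Constructed audit log (not from the article): timestamp, event, outcome, account, source host.
# One source (10.1.4.22) fails against six different accounts; jsmith mistypes once, then succeeds.
AUDIT_LOG = """\
2010-11-03T08:12:01 logon FAIL user=jsmith src=10.1.4.22
2010-11-03T08:12:04 logon FAIL user=mjones src=10.1.4.22
2010-11-03T08:12:07 logon FAIL user=admin src=10.1.4.22
2010-11-03T08:12:09 logon FAIL user=rlee src=10.1.4.22
2010-11-03T08:12:12 logon FAIL user=nurse1 src=10.1.4.22
2010-11-03T08:12:15 logon FAIL user=nurse2 src=10.1.4.22
2010-11-03T08:15:30 logon FAIL user=jsmith src=10.1.7.8
2010-11-03T08:15:40 logon OK user=jsmith src=10.1.7.8
2010-11-03T09:01:11 logon OK user=tbrown src=10.1.9.3
"""

# Constructed HR feed: accounts whose owners have left, with the separation date (ISO format).
TERMINATED = {"tbrown": "2010-06-30"}

def parse(line):
    """Split one constructed audit line into its fields."""
    ts, _, outcome, user, src = line.split()
    return {"ts": ts, "ok": outcome == "OK",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def spray_sources(events, min_accounts=5):
    """Sources whose failures are spread across many different accounts.

    A user mistyping a password fails against one account; a fishing attempt
    fails against many, so the number of distinct accounts is the signal.
    """
    failed_by_src = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failed_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed_by_src.items()
            if len(users) >= min_accounts}

def stale_credential_use(events, terminated):
    """Logon activity (failed or successful) on accounts of former employees after they left."""
    return [(e["ts"], e["user"], e["src"]) for e in events
            if e["user"] in terminated and e["ts"][:10] > terminated[e["user"]]]

def audit(log_text, terminated):
    """Run both checks over the raw log text and return the findings."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {"spraying": spray_sources(events), "stale": stale_credential_use(events, terminated)}

if __name__ == "__main__":
    print(audit(AUDIT_LOG, TERMINATED))
```

Any account that appears under "stale" is a credential that should already have been revoked at the exit interview; any source under "spraying" deserves a look regardless of whether one of its guesses eventually succeeded.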
The conclusion is glaringly obvious – we cannot stop all nefarious insider activity, but we can stop the vast majority of insider attacks simply by going back to the basics and doing the things that Woody Allen claimed would make us successful.
Jay Bazzinotti serves as a Product Manager at Park Place International. Jay has 25 years of product management experience bringing technology solutions to market. He holds patents in networking, security, load-balancing, and failover, with the technology deployed in thousands of sites worldwide. Jay’s current mission is to assist in the design, development, and delivery of technology solutions that enable MEDITECH hospitals to deliver services to their users securely and reliably.