Guest Column | December 21, 2016

The 3 Types Of Insider Threats And How To Stop Them

By Santosh Varughese, President of Cognetyx

Healthcare cybersecurity threats are rising at an alarming rate. According to the U.S. Department of Health and Human Services, there were 253 reported instances of healthcare breaches in 2015 resulting in the theft of over 112 million records. According to a Ponemon Institute study, 90 percent of organizations reported suffering from at least one data breach in the last two years, with 45 percent reporting five or more breaches.

With no relief in sight, the healthcare industry is looking more closely at how attackers make their way into protected networks and systems. What it has found is that over half of all security breaches result from the actions of insiders. According to an IBM study, 31.5 percent of breaches stem from malicious insiders, and another 23.5 percent result from the actions of inadvertent actors. These insider threats fall into one of three types: the malicious insider, the negligent or unknowledgeable employee, and the third-party contractor.

The Malicious Insider
This type of insider threat is probably the most difficult to face, because the risk it poses is not easily reduced by stricter protocols or more advanced information security training. Whether a criminal who poses as a legitimate candidate and secures a job with a healthcare business, or a disgruntled employee looking to retaliate against an employer, this type of insider holds a set of legitimate credentials and uses them to breach the network. The same applies to an external attacker who logs in with stolen credentials: once in, they can roam wherever those credentials permit, and nothing about the login itself looks wrong. Whether collecting the personal information of coworkers and patients or planting malicious software on the system, the malicious actor works with legitimate credentials toward his own criminal ends.

The Negligent/Unknowledgeable Employee
Negligent and unknowledgeable employees can inadvertently compromise the security of a healthcare network. In March 2016, the Feinstein Institute for Medical Research paid $3.9 million in a HIPAA settlement for a data breach that exposed the data of about 13,000 patients. The cause? An unencrypted laptop stolen from an employee's car. Part of the problem stems from the fact that digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records yet implemented them rapidly once it saw the benefits they provided. Such rapid deployment often left inadequate time for training on information security procedures. Often the protocols are not strict enough to withstand modern attacks, and even where they are, there is no guarantee employees will always follow them. In the modern IT landscape, employees can log on to secure networks from personal phones, laptops, pagers, and other less secure devices. They may reuse the same or similar passwords across many accounts, including the ones they use to access hospital networks, so a breach of an unrelated website can yield working hospital credentials. They may even log in to work email or electronic patient files while out and about, connected to an unsecured public network. All of these give malicious actors ample opportunity to steal credentials and log in to networks for criminal purposes.

The Third Party Contractor
Like the negligent or unknowledgeable employee, third-party contractors give malicious hackers another opportunity to compromise a hospital or healthcare provider's network. Whether it is the maintenance company contracted by a hospital or the lab a practice outsources testing to, all of these contractors must be given some degree of access to the healthcare organization's network in order to function. Depending on the strength of the contractor's own security practices, its network can become an easy gateway into the healthcare organization's entire network. Strong internal security protocols cannot guarantee that a contractor or its employees will not suffer a breach that then leads to a compromise of the organization they work for; the organization inherits the contractor's security posture along with the access it grants.

The Solution
Education and training are central to any good cybersecurity strategy. Employees should be taught that data security is part of everyone's job, and everyone should be taught to follow data security best practices, including maintaining strong, unique passwords, not logging on to or transmitting data to work networks from personal devices or unsecured networks, and encrypting laptops and removable media so that a lost device does not become a breach. Additionally, organizations should implement physical security procedures to protect network hardware and storage media (such as flash drives and portable hard drives) through measures like maintaining a visitor log and installing security cameras, limiting physical access to server rooms, and restricting the ability to remove devices from secure areas.

However, security mistakes are bound to happen, and these measures alone are not enough to protect against malicious insiders who deliberately violate protocol or attackers who have already obtained legitimate credentials. That is where modern artificial intelligence and machine learning technology comes in.

Many organizations are beginning to employ network surveillance techniques to detect and shut down the misuse of login credentials. Behavior analysis combined with constant, machine-learning-driven monitoring makes it possible to build ambient, always-on network surveillance that catches deviations in system use that a human reviewer would miss, even when the session is using legitimate login credentials. This can help stop outside attackers and malicious insiders, and it can also flag employees who violate cybersecurity policy.

The core concept is establishing what normal behavior looks like for each user. A baseline pattern is built by analyzing that user's historical usage data: where they log in from, when, and which parts of the system they touch. Because the ambient program constantly monitors the system and gathers new data, this baseline is continuously refined. Any action that deviates from the baseline, such as logging in from a new location or accessing a part of the system the user has never used, is flagged. Depending on the severity of the deviation, the user may be required to provide further authentication before continuing, or may be blocked from proceeding until a system administrator has investigated.
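The baselining and flagging logic described above, as an added example that is not Cognetyx's product or code. It assumes a log format of one event per line ("timestamp user source_location resource") and a simple decision policy: a single new location or unusual hour triggers step-up authentication, while a never-before-seen resource, or several deviations at once, blocks the session for an administrator. Allowed events are folded back into the baseline so it keeps refining itself. The log lines are constructed for the demonstration.

```python
"""Per-user behavioral baselining and anomaly flagging (added example).

Log format (an assumption): "YYYY-MM-DDTHH:MM user source_location resource".
"""
from collections import defaultdict
from datetime import datetime

# Constructed training data: "normal" activity for a ward nurse and a billing clerk.
BASELINE_LOG = """\
2016-11-01T08:05 nurse_j ward3 ehr:patients/ward3
2016-11-01T13:40 nurse_j ward3 ehr:patients/ward3
2016-11-02T07:55 nurse_j ward3 ehr:meds/ward3
2016-11-03T09:10 nurse_j ward3 ehr:patients/ward3
2016-11-01T09:00 billing_k office billing:claims
2016-11-02T09:05 billing_k office billing:claims
2016-11-03T08:50 billing_k office billing:reports
"""

# Constructed events to score: normal, new location, off-hours, a billing
# credential reading patient records, and that credential used from a cafe
# at 02:15 against a ward it never touched.
NEW_EVENTS = """\
2016-11-15T08:10 nurse_j ward3 ehr:patients/ward3
2016-11-15T08:30 nurse_j home_vpn ehr:patients/ward3
2016-11-15T22:30 nurse_j ward3 ehr:patients/ward3
2016-11-16T09:15 billing_k office ehr:patients/ward3
2016-11-17T02:15 billing_k cafe_wifi ehr:patients/ward1
"""


def parse(log):
    """Parse the assumed space-separated format into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, location, resource = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                       "user": user, "location": location, "resource": resource})
    return events


def build_baseline(events):
    """Per-user sets of locations, resources and active hours seen so far."""
    baseline = defaultdict(lambda: {"locations": set(), "resources": set(), "hours": set()})
    for e in events:
        learn(baseline, e)
    return baseline


def learn(baseline, event):
    """Fold a confirmed-legitimate event into the user's baseline (refinement)."""
    b = baseline[event["user"]]
    b["locations"].add(event["location"])
    b["resources"].add(event["resource"])
    b["hours"].add(event["ts"].hour)


def evaluate(baseline, event):
    """Return (decision, reasons) for one event against the user's baseline.

    Policy (an assumption, mirroring the column's two responses):
      no deviation                        -> "allow"
      new location or unusual hour        -> "step_up" (re-authenticate)
      new resource, or 2+ deviations      -> "block"   (hold for an administrator)
    """
    b = baseline.get(event["user"])  # .get() does not create a default entry
    if b is None:
        return "block", ["unknown user"]
    reasons = []
    if event["location"] not in b["locations"]:
        reasons.append("new location: " + event["location"])
    if event["ts"].hour not in b["hours"]:
        reasons.append("unusual hour: %02d:00" % event["ts"].hour)
    if event["resource"] not in b["resources"]:
        reasons.append("new resource: " + event["resource"])
    if not reasons:
        return "allow", reasons
    if event["resource"] not in b["resources"] or len(reasons) >= 2:
        return "block", reasons
    return "step_up", reasons


def run(baseline_log=BASELINE_LOG, new_log=NEW_EVENTS):
    """Score each new event in order; allowed events refine the baseline.

    In a real deployment an event whose step-up authentication succeeded
    would also be passed to learn(); here only clean events are learned.
    """
    baseline = build_baseline(parse(baseline_log))
    results = []
    for e in parse(new_log):
        decision, reasons = evaluate(baseline, e)
        results.append((e["user"], decision, reasons))
        if decision == "allow":
            learn(baseline, e)
    return results


if __name__ == "__main__":
    for user, decision, reasons in run():
        print(f"{user:10} {decision:8} {'; '.join(reasons)}")
```

The interesting case is the fourth event: the billing clerk's credentials are valid and used from the usual office at the usual hour, so nothing at the login layer is wrong, yet the access to patient records falls outside everything that account has ever touched and is held for review. A real system would score with more than set membership (frequency, peer groups, volume of records read), but the shape of the decision is the same.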

While the concept is simple, only recently has technology advanced to the point where such an ambient surveillance system is both feasible and affordable. Machine learning can now sift through large volumes of activity data to establish patterns and detect anomalies, and the declining cost of storage and processing power from cloud computing has made this technology available to the broad healthcare market.

Insider threats will continue to be a challenge for the healthcare industry, but with the right protocols and education, backed by a machine-learning-based ambient surveillance system, the industry can manage this threat. Detecting the misuse of legitimate login credentials is the most powerful technological defense the healthcare industry has against cybercriminals, including those attacks that originate from insiders.

Santosh Varughese is President of Cognetyx, the world’s first “Ambient Cognitive Cyber Surveillance” to help safeguard medical information. Cognetyx uses advanced machine-learning artificial intelligence to detect rogue users.