While security strategies have traditionally focused on keeping external attackers out, organisations of all shapes and sizes are increasingly having to consider the threats that lie within. 

A report from the Ponemon Institute reveals that insider threat incidents increased 44% in the two years between 2020 and 2022, with costs per incident rising to as much as USD$15.38mn.  

Such threats are prompting companies to adapt their cybersecurity strategies. Indeed, insider threats are particularly concerning because they are underpinned by legitimate access to systems, leaving many traditional cyber defences such as intrusion detection systems redundant. 

Of course, there are a variety of different types of insider threat.

Those that intend to seek harm include insider agents – individuals that work with an external threat actor, typically for their own personal financial gain. Equally, organisations are at risk of disgruntled employees stealing, leaking, or deleting data in the aim of causing damage to their current or former employers.

However, not all insider threats are malicious. In fact, according to the Ponemon Institute, just 26% of insider threat incidents are driven by intentional actors, with more than half (56%) of all incidents stemming from carelessness or mistakes.

Furthermore, third-party vendors, subcontractors, business partners and other members of the digital supply chain may also be the catalyst of insider breaches as they often require access to an organisation’s IT systems or data to deliver their intended service. This is particularly worrisome for healthcare providers, which are increasingly outsourcing key business functions in an effort to propel digital transformation initiatives. 

US: HHS cybersecurity warning

Regardless of malicious or negligent intent, insider threat incidents often stem from the fact that too many individuals or contractors are often given excessive privileges, enabling them to access and alter sensitive data or critical systems. 

To change this, governments and industry regulatory bodies are highlighting the dangers associated with privileged access misuse, raising awareness and implementing guiding principles to improve the defences of healthcare organisations.

Back in April 2022, for example, the U.S. Department of Health & Human Services (HHS) issued a warning regarding insider threats within the healthcare and the public health (HPH) sector.

As well as calling attention to the various types of insider threat, attack risk factors, and real-world examples, the document provided a list of key recommendations, advising US healthcare entities to align their operations with the Cybersecurity and Infrastructure Security Agency’s (CISA) recommendations. 

“There are various types of insider threats, and the best approach for any organisation is to be proactive, stay vigilant, have a plan, and implement recommendations made in this presentation where needed,” the report reads. “CISA offers free cybersecurity services and tools, along with pertinent guidelines and updates that can help large and small organisations in the health sector.”

UK: NHS Cyber Strategy for safer hospitals

More recently in the UK, the government has published a new NHS Cyber Strategy aimed at improving the resilience of the country’s health and social care sector.

While the policy document covers several distinct areas including ransomware, pointing to a particularly impactful attack which affected Health Service Executive (HSE) in Ireland in which 80% of its IT functions became encrypted, it also specifically highlights the threat of “people working in or near to the health and social care sector seeking to misuse their privileged access”.

This latest strategy aligns closely with the country’s wider Cyber Essentials Scheme that is driven by the National Cyber Security Centre (NCSC). However, a unique set of requirements tailored to healthcare organisations has been established, as is outlined via the new Data Security and Protection (DSP) Toolkit.

Specifically, these requirements apply to NHS Trusts and associated entities such as clinical commissioning groups, local authorities, GP practices and key business partners, many of which will be required to complete regular self-assessments to ensure compliance. 

Currently, the DSP demands the close management of “privileged user access to networks and information systems supporting the essential service”. Those subjected to the requirements are asked to ensure that “logs, including privileged account use, are kept securely and only accessible to appropriate personnel”, and “stored in a read only format, tamper proof and managed according to the organisation information life cycle policy with disposal as appropriate”.

Additional points of interest include the expectation that organisations will disable or remove unnecessary user accounts, such as former employee or guest accounts on internal workstations, while also ensuring that third parties are only granted privileged access if they truly need it to “mitigate the danger of security breaches”.

Improving best healthcare security practice with PAM

In both the case of the HHS warning and NHS Cyber Strategy, there is significant emphasis on improving awareness, training and education surrounding cyber threats. And while this is incredibly important to reduce the sort of carelessness that results in breaches, such efforts must also be supplemented with technologies to guarantee security best practices. 

Here, Privileged Access Management (PAM) is a critical tool, specifically designed to protect organisations against insider threats, it is an identity security solution that works to monitor, detect, and prevent unauthorised privileged access to critical resources.

While identity access management (IAM) solutions are a standard security solution, requiring users to prove their identity in order to access resources, PAM takes this a step further, applying additional policies that determine which systems and resources each user can access and with what privilege level. 

For healthcare entities that are increasingly at risk of insider threats, incorporating access management protection tools such as PAM into the wider security setup is critical. From improving compliance with key regulations, such as those laid out by HHS or the NHS, to mitigating insider threats, the merits of embracing such solutions are clear.