Industry Trends

Why Employees Could Be the Biggest Threat to Healthcare Data Security

By Susan Biddle | December 14, 2016

Human beings are prone to making all kinds of mistakes. It’s the nature of being human. However, there are differences in the gravity of mistakes we make based on context – the what, when, where, why, and how often they happen. When it comes to handling healthcare data, human mistakes can sometimes lead to very serious security issues, and the wrong kinds of mistakes could even put patient lives in danger.

While we’ve learned that successful data breaches against healthcare institutions are “big wins” for cybercriminals, they aren’t the only ones posing threats to the industry. Data breaches and lost data caused by employee mistakes, or simply through sheer negligence is also on the rise, and healthcare IT professionals need to take note.

So, how exactly are employees possibly the most dangerous threat to healthcare data security? Let’s take a closer look.

Phishing Scams

As network security solutions at healthcare organizations have evolved and become more effective, cybercriminals have had to look for different ways to break in. As a result, brute force attacks giving way to phishing scams. They have once again become very popular techniques, with employees unfortunately proving to be easy targets. One reason is that today’s phishing campaigns are more sophisticated than ever, making them a serious threat to security.

These email and social engineering attacks involve cybercriminals attempting to trick employees into providing personal or sensitive information, including user names and network passwords. It’s very common for today’s social engineering attackers to take the time to learn about the target employee, and create customized email addresses and messages very believable. Cybercriminals commonly use layered phishing scams (gathering a little bit of data at a time) to collect and use what they learn against another employee while at the same time maintaining the appearance of legitimacy.

Once these attackers manage to gather the information they need, they either log in to systems using the usernames and passwords they have managed to acquire, or install malware to steal or otherwise jeopardize patient information.

Unapproved Device Usage

Businesses across industries are also incorporating bring your own devices (BYOD) into their corporate IT cultures. By doing so, employees are now able to work on the device or devices that they are comfortable using, while saving costs that would accompany providing work-sponsored devices.

However, because of the ease of onboarding mobile device, including connected wearables, it has now become commonplace at some organizations for unauthorized devices to find a way to connect to the network.

Sriram Bharadwaj, director of information services at the University of California (UC) Irvine Health in Orange, Calif., has said, "In the old days, you accessed electronic health records from a PC at your desk. There were a very small number of laptops, and login onto the system was controlled. Today, that same information is available in a broader, less controlled way, and multiple devices can be used to access the same data because all of these applications are now mobile compatible."

As a result of the expansion of mobile devices, the threat landscape has expanded at a breakneck speed, and many IT teams are struggling to keep pace.

Accessing Insecure Websites and Apps

Employees can also do serious damage to a network’s security without even knowing it by accessing insecure websites or downloading apps while at work. While the apps that are available on official app stores are typically secure, there have been instances where “pirated” apps have found their way onto connected devices. When employees download compromised applications they can inadvertently inject spyware or malware into the network that can access sensitive data through the compromised device.

The same goes for accessing insecure websites. Employees that visit infected websites, sometimes even bypassing protocols that block these sites, can expose the data stored on their personal devices, or even in the healthcare network itself, to theft or corruption. These same employees are also often prone to man-in-the-middle attacks, which occur when a malicious surreptitiously actor inserts themselves into a conversation between two individuals in an attempt to gather information or ultimately gain network access.

Building and Managing a Cyber Aware Organization

Despite the clear risks that employees pose, organizations are still struggling to educate the workplace. Recent research has shown that only 35 percent of employees say senior management believes it’s a top priority for them to understand the risks they pose and to be knowledgeable about data security.

Today’s healthcare organizations need to take the time to educate their workforce through continuous awareness training. And at the end of these training courses, these organizations should be sure to test the workforce, and test often, to evaluate their awareness, in an effort to reduce risk in the work environment.  In speaking with our customers, many are using the Carrot and Stick approach of Motivation, rewarding employees for good behavior or going so far as to cut-off access to employees who repeatedly fail to avoid phishing test emails.  Further, it’s important for senior leadership to lead by example and embody security leadership. Simple measures such as locking screens when away could encourage another employee to do the same.

At the same time, IT security teams need to take the reality of human error into account when planning and deploying their security solutions. While proper training can reduce human mistakes, they’re not going away entirely any time soon. IT teams would do well to become more familiar with error-prone human nature, and take that into account when designing and deploying networks.

Let’s get a conversation going on Twitter! How is your organization protecting itself against the threats posed by its employees?