While media headlines tend to focus on external breaches and would-be hackers, the overwhelming majority of IT professionals at healthcare provider organizations see insiders as an equal or greater threat to unwanted exposure of sensitive data, according to a recent survey.
A recent study conducted by HIMSS on behalf of SailPoint took a look into how hospitals and healthcare systems perceive and manage insider cybersecurity threats. The survey is based on responses from 100 healthcare IT professionals. SailPoint Technologies is an Austin, Texas-based company that provides identity governance solutions.
While most providers are leveraging various technologies to keep outsiders out of their IT infrastructure, the information security gap continues to widen because data exposure is often due to someone from within the organization.
According to the survey responses, when asked to rate the level of concern around insider threats to data security (1 to 10 scale), the mean score of respondents was 8.2. Digging deeper, the study indicates a noticeable difference between business and clinical respondents versus those who work in IT. Fifty-two percent of non-IT respondents rate their concerns around insider threats at 9 or 10. This is a 10-point difference compared to IT respondents.
“Typically, business and clinical leaders are not as close as IT professionals are to the actual process of governing access. However, should an event occur, the remediation process will likely have a negative impact on operational workflows—a fact that seems to be understood by these end users,” the report states.
Among those implementing or managing cybersecurity solutions, 43 percent stated they are more concerned about insider threats to data security than external breaches and 35 percent said they were equally concerned about both internal and external threats. Among all respondents to the survey, 41 percent said they were equally concerned about insider threats to data security and external threats, and 34 percent said they were more concerned about insider threats than external breaches.
The survey also found that training continues to be a staple for addressing threats posed by insiders, with three-fourths of respondents stating that they rely on this tactic. As indicated in the study, roughly half of the respondents are leveraging identity governance for data stored in files (56 percent) or data loss prevention (DLP) tools (58 percent). “Training without enablement tools and technology is insufficient for closing critical security and even compliance gaps,” the report states. What’s more, 48 percent of organizations use access behavior monitoring and analytics.
The survey results also indicate that a unified governance approach to digital identities and their access continues to mature, but has room to grow. Two-thirds of respondents said their organizations have incorporated less than half of their applications into an identity governance program.
Forty-eight percent of respondents stated they use manual permissions assignments to govern and manage the ever-growing volume of data stored in files. According to the report authors, this is an extremely inefficient way of managing data and cannot be effectively scaled, creating large security gaps.
The report notes that provider organizations must look at insiders through the lens of application and data access entitlements, including employed and non-employed staff, volunteers, vendor partners, contractors and even patients who access their personal health records via online portals. Each of these individuals may expose sensitive data for any one of three reasons: accident, negligence or malicious activity. Accidental exposure refers to unauthorized exposure of sensitive information, often the result of users lacking awareness of processes or best practices. Negligent users knowingly disregard established policies for various reasons, but their intent is not malicious. There are also users who intentionally expose sensitive data for various reasons, whether for financial gain or espionage.