Who is an insider?
An insider is any individual who has access to sensitive data in a company. A current or former employee, a third-party vendor or any business associate all have the ability to be or become an insider threat.
Here’s an example of an insider threat. An employee has been with a company for four years and is disappointed when they are passed over for promotion. An employee’s disdain can fester and develop into threatening, malicious behavior. On their last day at the company, they download sensitive patient data files to a USB drive.

In the past, healthcare companies were able to filter out potential threats through background checks; however, this is no longer enough. An employee who passes all background checks during onboarding can later change their behavior. The insider threat is constantly evolving.
Furthermore, vendors do not typically get screened at any point in the relationship, and they may have different security practices from your own. As they still have access to healthcare data, they are an inside risk waiting to fester.
The four types of insiders and how they relate to healthcare
There are four categories we recognize as typical insider threats.
Oblivious Insider – This insider is not malicious in nature, but their actions leave your organization open to threats. This individual may not be well-versed in cybersecurity safeguards and may have no idea that their behavior is compromising the company. Also, this insider may not realize the organization is in a breached state.
Real case example:
● A cloud-based calendar that was created and populated with patient information, appointments and procedures resulted in a HIPAA fine of $100,000 for a physician group.
Negligent Insider – The negligent insider is aware of cybersecurity policies and practices but ignores them. They may also be heedless about safe handling of physical data storage devices (failing to lock a cabinet, or writing an office PIN down in plain sight). This individual may ignore the policies and practices in order to achieve workplace efficiency. Their careless approach places your company and data in danger. This insider is the most vulnerable to a social engineering attack.
Real case examples:
● In 2017 a cardiac monitoring vendor’s vehicle was broken into and a laptop containing EPHI and EHR was stolen. The theft of the laptop resulted in OCR imposing a $2.5 million fine on the vendor.
● A private physician office was found in violation of HIPAA in 2016 when it lost an unencrypted flash drive that contained EPHI.