Insider threats a key focus of the new NHS Cyber Strategy

By Jo Makosinski | Published: 14-Jun-2023

We explore how NHS employees could be increasing the threat of cyber attacks

Healthcare, like many sectors, is grappling with the increasing risk posed by insider threats.

According to the 2022 Ponemon Institute Cost of Insider Threats: Global Report, insider threats have grown 44% since 2020, with costs per incident up more than a third to $15.38m.  

Between insider agents actively working with threat actors for financial gain, and disgruntled employees looking to take revenge on their employers by stealing, leaking, altering, or deleting data, many insider threats are unfortunately driven by malicious intent.

Yet this is not always the case.

Interestingly, while malicious actors account for 26% of insider threat incidents, more than half (56%) of all incidents are actually the result of negligence, with many employees failing to follow security protocols through either careless or inadvertent actions.

It’s not just employees, either.


Equally, as healthcare organisations increasingly outsource key business functions, external solutions providers can cause similar problems, either through supply chain attacks if those partners are breached themselves, or simply by making improper changes.

“Be it malicious or negligent, the critical point is that too many internal user accounts are often provided with excessive privileges, enabling them to access and alter sensitive data or critical systems,” warns James Nadal of access security specialist, Osirium.

“In turn, it becomes too easy for damaging changes to occur, as we saw with the UK Home Office in 2021 when 15,000 individuals’ data were deleted from police records.”

The NHS Cyber Strategy aims to improve the resilience of the UK's health and social care sector


The NHS Cyber Strategy and DSP

The growing dangers associated with privileged access misuse have been outlined in the new NHS Cyber Strategy, aimed at improving the resilience of UK’s health and social care sector by 2030.

“The policy document covers several distinct and important areas for healthcare entities to be aware of,” said Nadal.

“There is a major focus on the threat of ransomware, for example, where it affirms that such attacks could ‘lead to significant distress and potential harm for patients, service users, and staff’.

“Alongside this, insider threats have been highlighted as a key concern, the document specifically pointing to the threat of ‘people working in, or near, to the health and social care sector seeking to misuse their privileged access’.”


Through the new Data Security and Protection (DSP) Toolkit, the NHS Cyber Strategy echoes many of the advisory points outlined by the National Cyber Security Centre (NCSC) in its Cyber Essentials scheme.

Similarly, the DSP Toolkit comprises a key set of cyber security best-practice requirements that health and social care organisations are expected to adhere to.

Here, NHS trusts and ‘arm’s length’ bodies, such as clinical commissioning groups, are required to complete regular self-assessments, while associated providers, such as local authorities, GP practices, and business partners, are also expected to comply.

Nadal said: “In relation to the insider threat, there are several specific points of compliance in the DSP.

“NHS IT leaders are asked to ‘closely manage privileged user access to networks and information systems supporting the essential service’.

“Further, the DSP states that logs should be ‘kept securely and only accessible to appropriate personnel’, and be ‘stored in a read-only format, tamperproof, and managed according to the organisation information life cycle policy with disposal as appropriate’.

“Health and social care organisations are also expected to disable unnecessary user accounts, removing privileged access when it is no longer required or appropriate.

“And the Data Security and Protection Toolkit asks organisations to consider which third parties are being granted privileged access and take limiting actions wherever possible to ‘mitigate the danger of security breaches’.”

Technologies can support best practice

The key question for many healthcare organisations is how they can best respond to these requirements and ensure compliance.

Nadal advises: “Many of the DSP Toolkit’s requirements focus on training and awareness in the aim of reducing the opportunity for human error.

“And, while education is an undoubtedly critical piece of the puzzle, technologies can also be used in a supplementary manner.


“Looking at the NCSC’s guidance, which aligns closely with the DSP, Privileged Access Management (PAM) is outlined as a key solution capable of providing a ‘strong deterrent against the insider threat, where a legitimate system administrator may consider abusing their access’.

“As defined by Microsoft, PAM is an identity security solution that helps protect organisations against cyber threats by monitoring, detecting, and preventing unauthorised privileged access to critical resources.

“Instead of simply requiring users to provide their identity, PAM puts additional policies in place that determine which systems and resources each user can access, and with what privilege level.

“In other words, while standard identity management systems focus on proving a user is who they say they are, PAM controls exactly what each user can do and how they can do it.

“It is a solution that ensures users are only able to access those systems they need, with the least amount of access privileges.

“And, for healthcare organisations that are becoming increasingly exposed to insider threats, enhancing the security posture in this way has never been more important. 

“Not only can PAM software help to limit the security risks around privileged access, but it can also play a key role in achieving DSP compliance.”
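To make the two controls Nadal describes concrete, the following is an added illustration (not code from the article, Osirium, or any NHS/DSP document): a minimal PAM-style policy that decides which systems each user may reach and at what privilege level, and an append-only audit log whose entries are hash-chained so that altering or deleting an earlier record is detectable. The users, systems and privilege levels are constructed sample data.

```python
import hashlib
import json

# Constructed sample policy (an assumption for this example): each user is
# granted a set of systems with the maximum privilege level they may use.
PRIVILEGE_RANK = {"read": 0, "operator": 1, "admin": 2}

POLICY = {
    "dr.patel": {"ehr-db": "read", "imaging-01": "operator"},
    "sysadmin1": {"ehr-db": "admin", "imaging-01": "admin"},
    "vendor-ext": {"imaging-01": "operator"},  # third party, deliberately limited
}

def authorise(user, system, requested):
    """Least-privilege check: allow only if the user is granted the system
    and the requested level does not exceed the granted level."""
    granted = POLICY.get(user, {}).get(system)
    if granted is None:
        return False
    return PRIVILEGE_RANK[requested] <= PRIVILEGE_RANK[granted]

class TamperEvidentLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so editing or removing an earlier record breaks the chain on verify()."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._last = self.GENESIS

    def append(self, record):
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((self._last + body).encode()).hexdigest()
        self.entries.append({"prev": self._last, "body": body, "hash": digest})
        self._last = digest

    def verify(self):
        prev = self.GENESIS
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True

def request_access(log, user, system, requested):
    """Evaluate a privileged access request and record the decision."""
    decision = authorise(user, system, requested)
    log.append({"user": user, "system": system, "level": requested, "allowed": decision})
    return decision
```

In a real deployment the chain head would be anchored somewhere the log's own administrators cannot write to (for example a separate, write-once store), which is what makes the DSP's ‘read-only, tamperproof’ wording enforceable rather than advisory.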
