Hacking Healthcare: The Threat From Your Employees

by Colin Konschak


I promised you a second part to the last blog about the role of your employees in breaching your internal systems. The last blog was about the benefits of employees in protecting your system; this one is about the ability of your employees to attack it.

In fact, says cybersecurity expert John Gomez, CEO and founder of the cybersecurity firm Sensato, insider threats are growing in frequency, often continue for months or even years before you discover them, and are extremely hard to defend against because your employee is supposed to be there. He told the story of a nurse printing out lists of auto accident victims brought into the emergency department (where she did not work) and selling them to lawyers.

Spotting potential employees-as-hackers requires an understanding of motivation and watching closely for behavioral indicators.

  • Motivation. Motivation to breach your system includes ego, the desire for approval (they want to get caught so you will be impressed they were able to do this), problems at work (they were fired or reprimanded), and stress (they need time off from work and can’t get it so they break the system and, thus, can’t work).
  • Behavioral indicators. These are subtle actions such as an ongoing interest in areas outside their current assignment; accessing the network at unusual times; anger if you block sites or highlight the fact that all online activity is tracked; a sudden interest in the consequences of being caught; and/or a sudden change in behavior, e.g., a loner who suddenly becomes a social butterfly (there is safety in numbers).
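Two of the indicators above, access outside the employee's own assignment and access at unusual hours, are exactly what the nurse in Gomez's story would have shown in an EHR audit trail. The following is an added example, not code from the original post or from Sensato, that runs that check over a few constructed audit log lines; the log format, the home-department field, and the 07:00-19:59 shift window are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR audit log: timestamp, user, home department,
# department of the record accessed, action. Format is assumed for this example.
AUDIT_LOG = """\
2024-03-04T09:12:00 nurse_a ICU ICU view
2024-03-04T02:41:00 nurse_a ICU ED print
2024-03-04T02:45:00 nurse_a ICU ED print
2024-03-04T03:02:00 nurse_a ICU ED print
2024-03-04T10:30:00 clerk_b ED ED view
2024-03-04T11:05:00 nurse_c ORTHO ED view
"""

BUSINESS_HOURS = range(7, 20)  # assumed shift window, 07:00 to 19:59


def parse_line(line):
    ts, user, home, dept, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "home": home, "dept": dept, "action": action}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def flag_events(events):
    """Map user -> list of (timestamp, action, reasons) for each suspicious event."""
    flags = defaultdict(list)
    for e in events:
        reasons = []
        if e["dept"] != e["home"]:          # record belongs to another department
            reasons.append("outside-assignment:%s" % e["dept"])
        if e["ts"].hour not in BUSINESS_HOURS:  # access outside the shift window
            reasons.append("off-hours:%02d:00" % e["ts"].hour)
        if reasons:
            flags[e["user"]].append((e["ts"].isoformat(), e["action"], reasons))
    return dict(flags)


def users_to_review(flags, threshold=2):
    """Users with at least `threshold` flagged events, most flagged first."""
    return sorted((u for u, evs in flags.items() if len(evs) >= threshold),
                  key=lambda u: -len(flags[u]))


if __name__ == "__main__":
    flagged = flag_events(parse_log(AUDIT_LOG))
    for user in users_to_review(flagged):
        print(user, flagged[user])
```

A single cross-department lookup (nurse_c) is noise; the review threshold is what turns a pattern like nurse_a's repeated off-hours printing of another department's records into something HR and security should look at together.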

Combating the threat requires organizational changes:

  • Partner with human resources to develop an incident response plan.
  • Classify the information employees have access to on three levels: important, very important, and “we’re screwed if they breach this.”
  • Limit administrator access to only those who need it. For instance, even your CEO doesn’t need to be classified as an administrator.
  • Reset access controls after employees leave.
  • Develop a strong bring-your-own-device policy – or don’t allow employees to bring their own devices to work or access your system from their own phones, tablets, and computers.

How safe is your company from employee breaches?

About Divurgent

Divurgent is a leading healthcare IT consulting firm and EHR specialist. Since 2007, we’ve led more than 700 projects across the US and Canada, drawing from a team of over 22,000 experienced subject matter experts. As a 100% privately-owned company, we’re accountable only to our clients, ensuring they achieve measurable improvements in patient care and organizational performance.

At Divurgent, we’re dedicated to helping organizations achieve their vision through innovative solutions and exceptional service. We collaborate closely with our clients to deliver tailored solutions that drive success in an ever-evolving healthcare landscape, from EHR implementation and go-lives to managed services, analytics, talent augmentation, and digital strategy. With decades of combined healthcare experience on both sides of the table, our team has overcome the challenges faced by our clients and helped them get the most out of their investments in healthcare technology.