When Being Aware is Simply Not Enough
Healthcare providers are expressing deep concerns about the security risks associated with insiders, whether due to negligence or malice. But are these organizations doing enough to mitigate the risk of a breach? HIMSS and SailPoint recently paired up to conduct a study on how healthcare providers view insider threats and what they are doing to address this issue. Responses from 101 health IT professionals revealed multiple insights. Here are a few of the takeaways from “Managing Healthcare Insider Security Threats.”
Level of Concern Leaves Room for Concern
When asked to rate on a scale of 1 to 10 their level of concern around insider threats to data security, respondents expressed acute concern, with a mean score of 8.2.
More importantly, the study indicates that an overwhelming number of them view threats from the inside as equally or more pressing than those from the outside. Such sentiment seems reasonable given that a recent and separate study by Verizon revealed more than half of breach incidents can be attributed to someone with authorized access.
However, the same study also indicated that a number of respondents considered the threat posed from within their organization to be moderate or low, assigning a score of 6 and below (out of 10). While it is uncertain whether the score is due to a lack of awareness or apathy, the results are concerning because of the potential impact that insiders can have on security and compliance. In fact, while many news headlines regarding hackers and phishing attacks condition us to associate data breaches with outsiders, it is important to remember that a breach is a breach. Regardless of whether it was triggered by someone from the outside or the inside, neglecting one or the other leads to the same result: a compromise of data security.
Another interesting finding around the level of concern with insider threats is the pronounced difference in scoring between business/clinical leaders and IT. While business and clinical leaders are not as close as IT professionals are to the actual process of governing access, they may have greater sensitivity to the topic since the remediation process for any breach (regardless of whether the source of the breach was from inside or outside the organization) will have a negative impact on operational workflows.
What Provider Organizations are Doing to Address Insider Threats
As expected, the study found training and awareness to be a common tactic for addressing insider threats. However, it also appears that many are leaving gaps by not deploying critical technology that enables secure governance. For instance, to secure data stored in files, many respondents look to manual permissions assignments. To say this is inefficient is an understatement. Worse yet, the security gaps resulting from manual processes can be highly significant, since access ends up being provisioned inconsistently. To further exacerbate the issue, the joint study between HIMSS and SailPoint also found that even when certain identity technologies are deployed, they are not being fully utilized. For more details on this study, visit SailPoint’s secure webpage to access the newly published whitepaper entitled “Managing Healthcare Insider Security Threats”, which elaborates on these and other key findings.