Insiders Are Most Common Threat Actors In Healthcare

Healthcare data breaches from insiders reach 59% in recent study


Rebecca Wynn

Most people do not enjoy going to the doctor's office or to the hospital, but once it becomes unavoidable we all need to believe fervently that the good women and men who are providing us care are just this side of perfect. Spoiler alert: they are not.

Healthcare is not only fast paced and stressful, it is also a heavily regulated industry. Those who work in this vertical need to do things right, do things fast, and remain in compliance with legislation such as HIPAA and HITECH (in the US). That in itself is a pretty tall order, but when one combines that with the fact that the most common threat actors in this industry are internal to the organization, it can paint a rather challenging picture.

See Related: “Looking At New Tech And True Threats To Healthcare”

With internal actors (insiders), the main problem is that they have already been granted access to your systems in order to do their jobs. One of the top issues for Healthcare was privilege abuse by insiders against databases. Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern. Across all industries, insider breaches have become more difficult to detect, and they more often take years to detect than breaches involving external parties do.

Security Challenges With Mail

The Healthcare industry has a multifaceted problem with mail, in both electronic and printed form. The industry is not immune to the same issues we see in other sectors such as phishing emails sent to trick users into clicking and entering their email credentials on a phony website. The stolen login information is then used to access the user’s cloud-based mail account, and any patient data that is in the Inbox, or Sent Items, or other folder is considered compromised. It's disclosure time.

See Related: “Healthcare CISO Explores A Recent Outbreak Of Breaches”

Misdelivery, or sending data to the wrong recipient, is the most common error type that leads to data breaches in the Healthcare industry. Documents are a commonly compromised asset. This is commonly due to errors in mailing paperwork to the patient’s home address or by issuance of discharge papers or other medical records to the wrong recipient.

Ransomware “Breaches”

Most ransomware incidents are not defined as breaches in this study due to their lack of the required confirmation of data loss. Unfortunately for Healthcare organizations, they are required to disclose ransomware attacks as though they were confirmed breaches due to U.S. regulatory requirements. This compulsory action will influence the number of ransomware incidents associated with the Healthcare sector. Acknowledging the bias, this is the second straight year that ransomware incidents were over 70% of all malware outbreaks in this vertical.

59% Of Healthcare Data Breaches Are From Insiders

The Verizon 2019 Data Breach Investigations Report (DBIR, May 8 2019) is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches.

  • Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
  • Breach: An incident that results in the confirmed disclosure, not just potential exposure, of data to an unauthorized party.

In this year’s data sample, the confidence interval is at least +/- 2% for breaches and +/- 0.5% for incidents.

Healthcare stands out due to the majority of breaches being associated with insiders.

Behind the breaches:

  • 42% perpetrated by outsiders
  • 59% involved insiders
  • 4% involved partners

Top Patterns (81% combined):

  • Miscellaneous errors
  • Privilege misuse
  • Web Applications


Motives:

  • 83% of breaches were financially motivated
  • 6% of breaches were motivated by fun
  • 3% of breaches were motivated by convenience
  • 3% of breaches were motivated by a grudge
  • 2% of breaches were motivated by espionage

Data Compromised:

  • 72% medical data
  • 34% personal data
  • 25% credentials (used to access systems, applications, databases, etc.)

If You Aren't Already Then ...

  1. Know where your major data stores are, limit necessary access, and track all access attempts. Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups.

  2. Work on improving phishing reporting to more quickly respond to early clickers and prevent late clickers.

  3. Know which processes deliver, publish or dispose of personal or medical information and ensure they include checks so that one mistake doesn’t equate to one breach.
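
One way to start on recommendation 1 is to compare record-access logs against care-team assignments and rank users by lookups that have no treatment relationship or approved business reason. The sketch below is an added example, not code from the article or the DBIR; the log layout, the care-team table, the approved-reason list, the threshold, and all user and patient names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article or the DBIR).
# Care relationships: which staff are assigned to which patients.
CARE_TEAM = {
    "P100": {"dr_adams", "rn_brown"},
    "P200": {"dr_adams"},
    "P300": {"rn_brown"},
    "P400": {"dr_chen"},
}
# Access log rows: (timestamp, user, patient_id, stated_reason)
ACCESS_LOG = [
    ("2019-05-08T09:01", "dr_adams", "P100", "treatment"),
    ("2019-05-08T09:05", "rn_brown", "P100", "treatment"),
    ("2019-05-08T09:30", "clerk_davis", "P100", "billing"),
    ("2019-05-08T10:12", "clerk_davis", "P200", ""),
    ("2019-05-08T10:13", "clerk_davis", "P300", ""),
    ("2019-05-08T10:14", "clerk_davis", "P400", ""),
    ("2019-05-08T11:00", "rn_brown", "P400", ""),
    ("2019-05-08T11:20", "dr_chen", "P400", "treatment"),
]
# Reasons that justify access without a care relationship (assumed policy).
APPROVED_REASONS = {"billing", "audit"}

def unexplained_lookups(log, care_team, approved=APPROVED_REASONS):
    """Return rows where the user is not on the patient's care team
    and gave no approved business reason (a bare claim of 'treatment'
    from someone off the care team is still flagged)."""
    flagged = []
    for ts, user, patient, reason in log:
        on_team = user in care_team.get(patient, set())
        if not on_team and reason not in approved:
            flagged.append((ts, user, patient))
    return flagged

def review_queue(log, care_team, threshold=2):
    """Rank users by distinct patients looked up without explanation;
    users at or above the threshold are reviewed first."""
    per_user = defaultdict(set)
    for _, user, patient in unexplained_lookups(log, care_team):
        per_user[user].add(patient)
    ranked = sorted(per_user.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(u, sorted(p)) for u, p in ranked if len(p) >= threshold]

if __name__ == "__main__":
    for row in unexplained_lookups(ACCESS_LOG, CARE_TEAM):
        print("unexplained:", row)
    print("review first:", review_queue(ACCESS_LOG, CARE_TEAM))
```

Counting distinct patients rather than raw lookups keeps one repeatedly opened chart from outranking a user who browses many unrelated records.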

See Related: “BYOD Rules And The Future Of Medical Data Security”