3 Ways Healthcare Orgs Can Work to Prevent Insider Security Threats

by Sanjay Joshi, Global CIO Healthcare and Life Sciences at Tanium 08/16/2021 Leave a Comment

Why Healthcare’s Most Overlooked Security Threat Comes From Inside — and How to Prevent It

Though it’s often “highly sophisticated” or “nation-state” attackers that make headlines, the truth is that healthcare’s most overlooked cybersecurity threats come from inside its own IT ecosystem. According to Verizon’s 2021 Data Breach Investigations Report, nearly 40 percent of all global security incidents in 2020 involved inside actors. These insider threats are usually not malicious but accidental: employees clicking on phishing links, using weak passwords, or storing sensitive files where they don’t belong.

And while those activities, unfortunately, happen across every industry, the stakes are much higher in healthcare. Through more than three decades working in the healthcare space, I’ve seen first-hand how outages can routinely put hospitals and patients in extremely dangerous positions, and breaches can result in the exposure of highly sensitive data. Just last month, the personal information of more than 200,00 patients of a major provider was compromised after multiple employee email accounts were hacked. 

COVID-19 is only compounding the problem, as attackers are attempting to pounce on overworked health IT teams when they’re most vulnerable. From December 2020 to February 2021 alone, there was a 189% increase in phishing attacks targeting pharmacies and hospitals amidst the vaccine rollout.

But the biggest problem of all? The security industry and healthcare organizations have taken their eyes off the ball.

For a number of years, cybersecurity has suffered from the axiom, “It’s not a matter of if you’ll be attacked, but when,” a perspective that has led many to argue that attack prevention is a lost cause, and an organization’s resources are better spent on remediation. But considering all that healthcare organizations have at stake — for example, Universal Health Services lost $67 million due to a cyberattack last September — overlooking prevention isn’t just defeatist, it’s dangerous. 

The Case for Investing in Prevention

Business leaders and technical teams often have competing priorities when it comes to cybersecurity. Boards and executives tend to see security as a cost center that takes away from profits. But it’s imperative that healthcare CIOs, CISOs, and IT teams make the business case to invest in cybersecurity, particularly prevention. 

Cybersecurity Ventures predicts cybersecurity clean-ups will cost around $6 trillion globally in 2021 and up to $10.5 trillion by 2025. And the average fine levied by the HHS Office for Civil Rights (OCR) for a healthcare breach reported by a single organization runs between $400,000 and $800,000. Cybercrime expenses include revenue and IP loss, productivity loss, and very often, massive reputational damage. Simply put, a breach can financially break an organization.

By prioritizing cybersecurity prevention and training, healthcare organizations can significantly lessen the risks of a breach and all its damages. 

Three Ways Healthcare Organizations Can Work to Prevent Insider Threats

1. Prioritize staff education (without burning out employees)

Research shows that employees who receive security awareness training are significantly better at recognizing security threats than those who have not. Cybersecurity training programs are particularly effective at helping employees identify phishing and social engineering scams, and this year’s Verizon DBIR found that more than a third of all breaches involved phishing.

Training should be required for all users. Cybersecurity impacts the entire organization, and no one is exempt from this responsibility or immune to vulnerabilities. The real key to success lies in designing training programs that stay continuous and current without adding to burnout, which is already a major issue in healthcare. Ultimately, training should be part of any continuing education (CE) curriculum.

2. Improve IT hygiene

Many security incidents trace back either to a basic hygiene issue that could and should have been identified and fixed with the right level of visibility and control, or to simple human error. Protecting an organization from the impact of any attack, including insider threats, comes down to keeping security defenses up to date and appropriately configured, and steering employee behavior toward best practices. Is everything patched? Are the security tools themselves up to date? Is there complete visibility into every endpoint, including the ones that never show up in the asset inventory? With more staff working from home, can you apply the same visibility and protection to all of your employees, regardless of their location? How fast can you detect a gap and remediate it?

3. Implement a Zero Trust approach

Given the surge in telemedicine and remote work, the perimeter is gone, and traditional approaches to cybersecurity will no longer suffice. The focus needs to be on the “5 Ps”: Policy, People, Process, Products, and Third-Party vendors.

With a modernized Zero Trust approach, organizations verify every access request from every user and device, every time. By default, no one is trusted, whether they are on the hospital network or at home. Identity awareness, narrowly defined resource-level perimeters in place of a single network perimeter, and multi-factor authentication (MFA) are the primary components of enterprise-scale visibility and monitoring. This extra layer of verification can greatly reduce risk exposure and prevent breaches, including the ones that start with a compromised employee account.
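To make "verify every request, trust nothing by default" concrete, here is an added example of a per-request policy decision, not code from the article or from any vendor product. Each request carries the user's role, the device's posture and when MFA was last proven; the decision is deny unless every check passes, and the reasons for a denial are returned so the gap can be remediated. The resource-to-role table, the device fields and the eight-hour MFA re-proof window are constructed assumptions.

```python
"""Per-request access decision in the Zero Trust style described above.

Added example, not from the article or any product. The resource policy,
device posture fields and MFA window are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MFA_MAX_AGE = timedelta(hours=8)  # assumed: re-prove MFA at least once per shift

# Constructed resource policy: which roles may reach which resource.
RESOURCE_ROLES = {
    "ehr-api": {"clinician", "nurse"},
    "billing-portal": {"billing"},
    "ehr-db-admin": {"dba"},
}


@dataclass
class Device:
    device_id: str
    managed: bool         # enrolled in endpoint management
    disk_encrypted: bool
    agent_current: bool   # security agent up to date (the IT-hygiene check, per request)


@dataclass
class Request:
    user: str
    role: str
    device: Device
    resource: str
    mfa_verified_at: Optional[datetime]
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Deny by default: every check must pass on every request, regardless of network location."""
    reasons = []
    allowed_roles = RESOURCE_ROLES.get(req.resource)
    if allowed_roles is None:
        reasons.append("unknown resource")  # nothing is implicitly reachable
    elif req.role not in allowed_roles:
        reasons.append(f"role {req.role!r} not permitted for {req.resource!r}")
    if req.mfa_verified_at is None:
        reasons.append("no MFA")
    elif req.now - req.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("MFA proof older than allowed window")
    d = req.device
    if not d.managed:
        reasons.append("unmanaged device")
    if not d.disk_encrypted:
        reasons.append("disk not encrypted")
    if not d.agent_current:
        reasons.append("security agent out of date")
    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    now = datetime(2021, 8, 16, 9, 0)
    ok = Request("nurse.a", "nurse", Device("lt-01", True, True, True), "ehr-api",
                 now - timedelta(hours=1), now)
    bad = Request("billing.b", "billing", Device("byod-7", False, True, True), "ehr-api",
                  None, now)
    for r in (ok, bad):
        d = evaluate(r)
        print(r.user, "->", r.resource, "ALLOW" if d.allow else "DENY", d.reasons)
```

Note what is absent: there is no "on the corporate network, so allow" branch. A user whose password was phished still fails on MFA, an unknown laptop still fails on posture, and an account with the wrong role is refused even with valid credentials, which is exactly how the compromised-email-account breaches cited earlier get contained.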

The healthcare industry is a prime target for attackers, but there’s no reason to have a head-in-the-sand attitude. By taking these steps, healthcare organizations can immediately improve their security posture and minimize the risk of potential breaches.


About Sanjay Joshi

Sanjay Joshi is Global CIO, Healthcare and Life Sciences at Tanium. Based in Seattle, he has spanned the gamut of life-sciences from clinical and biotechnology research to healthcare informatics to medical devices. Sanjay is currently focused on data, policy and process approaches for security, trust and privacy using scalable systems, data and cloud infrastructures for devices, genomics, proteomics, microbiomics, imaging, the phenotype (EMR), and their interoperability, and trust along the customers’ journey.


Tagged With: Cybersecurity
