While many security experts focus on protecting your servers, firewalls and workstations, are you vulnerable to an insider threat? Unfortunately, the threat that looms within the organization is often overlooked. An insider threat is any employee or internal process that can harm you, and the signs are not always obvious. It can be as simple as not locking your server room, or your doors, at night. If an employee leaves your ePHI wide open, that is an insider threat. Not every insider threat involves the internet: an employee who takes sensitive information for financial gain is an insider threat too.
Below are some examples.
Examples of Insider Abuse
- Unauthorized file copying
- Downloading of software, music, or other media
- P2P file-sharing
- Unauthorized modems and wireless access points
- Misuse of business or personal email
- Instant messaging
- Blogging and posting to message boards
- Personal web surfing
Reasons for Insider Abuse
- Greed or Financial Need: A belief that money can fix anything; excessive debt or overwhelming expenses.
- Anger/Revenge: Disgruntlement to the point of wanting to retaliate against the organization.
- Problems at work: A lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff.
- Divided Loyalty: Allegiance to another person or company, or to a country besides the United States.
- Vulnerability to blackmail: Extra-marital affairs, gambling, fraud.
- Adventure/Thrill: Want to add excitement to their life, intrigued by the clandestine activity, “James Bond Wannabe.”
How to Protect Yourself
- Internet policies
- Firewalls and web blocking
- Random internet browser history checks
- Up to date antivirus and antispyware
- Educate and regularly train employees on security or other protocols.
- Ensure that ePHI is robustly protected, not merely adequately.
- Use appropriate screening processes to select new employees.
- Provide non-threatening, convenient ways for employees to report suspicions.
- Routinely monitor computer networks for suspicious activity.
- Ensure security (to include computer network security) personnel have the tools they need.
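To make the "routinely monitor computer networks for suspicious activity" and "unauthorized file copying" points above concrete, here is an added example written for this page (it is not code from the original article). It scans a constructed ePHI access log for three common insider-abuse signals: activity outside clinic hours, a single bulk export, and copying to removable media, and it separately totals each user's daily record count against a baseline. The log format, user names, action names, business hours and thresholds are all assumptions made for the illustration.

```python
# Added example (not from the original article): scan a constructed ePHI access
# log for common insider-abuse signals. Log format, user names, thresholds and
# business hours are all assumptions made for this illustration.
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log. Assumed format per line:
#   <ISO-8601 timestamp> <user> <action> <patient records touched>
SAMPLE_LOG = """\
2024-03-04T09:12:05 nurse.jones VIEW 1
2024-03-04T09:40:11 nurse.jones VIEW 1
2024-03-04T10:02:47 billing.lee EXPORT 12
2024-03-04T22:15:30 billing.lee EXPORT 480
2024-03-04T22:16:02 billing.lee COPY_TO_USB 480
2024-03-05T03:30:00 it.temp VIEW 3
2024-03-05T08:05:19 dr.smith VIEW 1
"""

# Assumed policy values; tune them to the practice's real working pattern.
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # normal clinic hours
BULK_EXPORT_THRESHOLD = 100                  # records in one export
DAILY_BASELINE = 200                         # records one user normally touches per day
REMOVABLE_MEDIA_ACTIONS = {"COPY_TO_USB"}    # actions that move data off the network


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "count": int(count),
        })
    return events


def find_alerts(events):
    """Return (user, timestamp, reasons) for every event that trips a rule."""
    alerts = []
    start, end = BUSINESS_HOURS
    for e in events:
        reasons = []
        # Access outside clinic hours is worth a look even when the volume is small.
        if not (start <= e["ts"].time() < end):
            reasons.append("after-hours")
        # One export far larger than normal day-to-day work.
        if e["action"] == "EXPORT" and e["count"] >= BULK_EXPORT_THRESHOLD:
            reasons.append("bulk export")
        # Data leaving the network on removable media.
        if e["action"] in REMOVABLE_MEDIA_ACTIONS:
            reasons.append("removable media")
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


def users_over_daily_baseline(events):
    """Return (user, date, total) for users whose daily record count exceeds the baseline."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date().isoformat())] += e["count"]
    return sorted((u, d, n) for (u, d), n in totals.items() if n > DAILY_BASELINE)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, reasons in find_alerts(evs):
        print(f"{ts} {user}: {', '.join(reasons)}")
    for user, day, total in users_over_daily_baseline(evs):
        print(f"{day} {user}: {total} records (baseline {DAILY_BASELINE})")
```

Run against the sample log, the script flags the two late-night billing.lee events (one bulk export, one copy to USB) and the 3:30 a.m. access by it.temp, and reports billing.lee as the one user whose daily total (972 records) is far above the assumed baseline. Real systems will need the parser adjusted to their own audit-log format, and the thresholds should be set from observed normal activity rather than guessed.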
A medical practice is a business, and like every business you have to be aware of what your employees are doing. Sometimes the harm is innocent, and sometimes it is not. You need to know whether you are vulnerable to an insider threat, and if you are, come up with a plan to protect yourself.