Cybersecurity: best practices for fighting insider threats

It's not just employees: It's 'contractors, subcontractors, suppliers, trusted business partners – anyone you would give authorized access to'
By Mike Miliard
10:34 AM

Q: But given that hospitals and physicians want to do the right thing and protect their patients' data, what are some pieces of advice you'd give to healthcare provider organizations that are looking to do this the right way?

A: Any organization needs to start by doing an enterprise-wide risk assessment, which includes identification of critical assets. At any point in time, an organization should be able to identify and prioritize assets, and then apply security controls appropriately, based on the criticality of those assets.

For example, you mention patient data – certainly that would be part of the risk assessment process as something that has to be protected, and then putting controls in place to where we could identify if any type of threat to this critical asset could be exploiting a particular vulnerability.

We'd certainly say there are threats that exist outside the organization, but also ones that originate inside the organization.

Certainly we want to have monitoring strategies on that information asset to ensure that nobody within the organization who does not have authorized access to do so is modifying the integrity of the data. So if someone is trying to expose information, is trying to exfiltrate information, those are the types of threats to those critical assets that controls should be placed around to ensure we are protecting the assets appropriately.

Now, when insiders are involved, it gets a little more difficult in that, in a number of the cases we have analyzed over the years, individuals have had authorized access to critical assets, and they do something to impact the confidentiality, availability or integrity.

So it's not as easy as saying we would prohibit everyone from accessing that asset. There are individuals who do need to have access to those assets to protect. And then we need to apply appropriate controls to ensure those individuals aren't causing harm to those assets, in terms of their integrity or confidentiality.
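The monitoring described in this answer (watching a critical asset for modifications by people who lack authorization, while still catching insiders who do have authorization) can be shown with a small detector run over audit-log lines. The following is an added example, not code from the interview or from CERT; the log format, the user names, the authorized set and the bulk threshold are all constructed assumptions.

```python
"""Added example (not from the interview or from CERT): integrity monitoring of a
critical asset using constructed audit-log lines.

Assumptions: each line is "<ISO timestamp> <user> <action> <record_id>"; a fixed
set of users is authorized to modify patient records; an authorized user who
modifies BULK_THRESHOLD distinct records within WINDOW is flagged for review.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AUTHORIZED_EDITORS = {"dr.lee", "nurse.kim"}  # constructed access list
BULK_THRESHOLD = 5                             # distinct records per window
WINDOW = timedelta(hours=1)

# Constructed sample log: one unauthorized edit, one authorized user editing
# five different records in twenty minutes, and ordinary activity.
AUDIT_LOG = """\
2024-03-01T09:00:00 dr.lee MODIFY rec-1001
2024-03-01T09:05:00 clerk.ray MODIFY rec-1002
2024-03-01T09:10:00 nurse.kim READ rec-1003
2024-03-01T10:00:00 nurse.kim MODIFY rec-2001
2024-03-01T10:04:00 nurse.kim MODIFY rec-2002
2024-03-01T10:08:00 nurse.kim MODIFY rec-2003
2024-03-01T10:12:00 nurse.kim MODIFY rec-2001
2024-03-01T10:16:00 nurse.kim MODIFY rec-2004
2024-03-01T10:20:00 nurse.kim MODIFY rec-2005
2024-03-01T11:00:00 dr.lee READ rec-1001
"""


def parse_log(text):
    """Yield (timestamp, user, action, record_id) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, rec = parts
        yield datetime.fromisoformat(ts), user, action, rec


def detect(text):
    """Return alerts as (rule, user, detail) tuples, in log order."""
    alerts = []
    recent = defaultdict(list)   # user -> [(timestamp, record_id)] inside WINDOW
    bulk_alerted = set()         # users already flagged, so each fires once
    for ts, user, action, rec in parse_log(text):
        if action != "MODIFY":
            continue
        # Rule 1: modification by someone outside the authorized set.
        if user not in AUTHORIZED_EDITORS:
            alerts.append(("unauthorized_modify", user, rec))
            continue
        # Rule 2: an authorized user touching many distinct records quickly,
        # the case the answer calls harder because the access itself is legitimate.
        history = recent[user]
        history.append((ts, rec))
        recent[user] = [(t, r) for t, r in history if ts - t <= WINDOW]
        distinct = {r for _, r in recent[user]}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_alerted:
            bulk_alerted.add(user)
            alerts.append(("bulk_modify", user, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect(AUDIT_LOG):
        print(alert)
```

Rule 1 is the simple access-control check; rule 2 is the part that matters for insiders, because it does not ask whether the user may edit records, only whether this volume of edits fits the role. The threshold and window are the kind of values the risk assessment of the specific asset would set.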

Q: What are some specific ways to do that, tools and strategies that should be deployed? Is it a matter of technology, or of building a culture of awareness about the value and importance of the data?

A: I would certainly say it needs to be a combination of the two. It all starts with training your workforce to protect your assets appropriately. But certainly communicating what assets need to be appropriately protected, and what are the protection strategies that should be applied. So it starts with training of the user community: the audience that is actually accessing the information you're protecting.

But to add to that, a defense in depth strategy is recommended where you do have technical controls that can be put in place.

So if you're trying to identify an insider who threatens the confidentiality of the data you're trying to protect, one of the ways they might do that is to exfiltrate data off the network. If we're talking technology, there are a number of tools in the data loss prevention general category that can stop information from leaving. We've seen across a number of incidents over the years individuals have downloaded information to removable media. Again, controls can be applied to the usage of USB devices, to where information can't be downloaded onto it.

Other ways information might leave would be through email. Certainly there are monitoring strategies that can keep information from going off the network if it contains certain categories or classifications of data.

A different type of threat might be someone who could commit fraud, or perform fraudulent activity on your network and systems. There are several categories of tools that can detect fraud.

All too often we see organizations looking for an insider threat tool that addresses all of the threats posed by insiders, and unfortunately we haven't found one of those to date. So what you really need to do is start by looking at what could threaten the asset, what could be done to that asset, and apply the appropriate protection strategy at that level. Which in many cases requires organizations to have more than one strategy in place, more than one tool. A defense in depth strategy is very important.
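The email controls this answer mentions (stopping a message from leaving if it carries certain categories or classifications of data) can be illustrated with a toy outbound-mail policy. This is an added example, not code from the interview or from CERT and not any product's logic; the internal domain, the identifier patterns (an SSN-like number and a placeholder MRN format), the classification labels and the quarantine-versus-block thresholds are all constructed assumptions.

```python
"""Added example (not from the interview or from CERT): a toy content-based
check on outbound email, the kind of control the data loss prevention category
provides.

Assumptions (all constructed): the internal domain, the two identifier patterns
(an SSN-like number and a placeholder MRN format), the classification labels
that must never leave, and the thresholds for quarantine versus block.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "hospital.example"

# Identifiers that should not leave the network in clear text.
# The MRN format is a placeholder, not any real institution's scheme.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[-: ]?\d{7}\b"),
}
BLOCK_LABELS = {"restricted", "phi"}   # classification labels that never leave
BLOCK_HIT_COUNT = 3                    # this many identifiers looks like a bulk export


@dataclass
class Verdict:
    action: str                 # "allow", "quarantine" (hold for review) or "block"
    reasons: list = field(default_factory=list)


def is_external(address):
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_text(text):
    """Count matches of each sensitive pattern in the text."""
    hits = {}
    for name, rx in PATTERNS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def evaluate(msg):
    """Decide whether one outbound message may leave the network."""
    if not is_external(msg["to"]):
        return Verdict("allow", ["internal recipient"])
    label = msg.get("classification", "").lower()
    hits = scan_text(msg["subject"] + "\n" + msg["body"])
    reasons = [f"classification={label}"] if label in BLOCK_LABELS else []
    reasons += [f"{name}x{n}" for name, n in hits.items()]
    # A labelled message or a bulk of identifiers is blocked outright;
    # a single identifier is held so a reviewer can confirm intent.
    if label in BLOCK_LABELS or sum(hits.values()) >= BLOCK_HIT_COUNT:
        return Verdict("block", reasons)
    if hits:
        return Verdict("quarantine", reasons)
    return Verdict("allow", [])


# Constructed sample traffic covering each branch of the policy.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "lab@hospital.example", "subject": "Result",
     "body": "Patient 123-45-6789 cleared."},
    {"id": "m2", "to": "friend@mail.example", "subject": "Quick question",
     "body": "Can you look at MRN 1234567 for me?"},
    {"id": "m3", "to": "personal@mail.example", "subject": "Charts",
     "classification": "PHI", "body": "See attached."},
    {"id": "m4", "to": "buyer@mail.example", "subject": "List",
     "body": "111-22-3333, 222-33-4444, 333-44-5555"},
    {"id": "m5", "to": "vendor@mail.example", "subject": "Meeting",
     "body": "Tuesday at 10 works for us."},
]


def run_samples():
    return [(m["id"], evaluate(m).action) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg_id, action in run_samples():
        print(msg_id, action)
```

The policy combines two of the strategies the answer lists, a classification label set by the owner of the asset and content inspection that does not depend on anyone labelling correctly. Neither alone would have caught both m3 and m4, which is the point about needing more than one tool.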

Q: Is there a way to assess whether an organization has done enough? Or is it always an ongoing process?

A: It's certainly an ongoing process, but there are some organizations that have released things along the lines of best practices and minimum standards and guidance for insider threat programs. The White House in 2011 released an executive order that requires government organizations that handle or access classified information to build a formal insider threat program. As part of that, they stood up the National Insider Threat Task Force, which has published minimum standards for what such a program is and what it should do, including the organizational components that should be involved.

If you're looking to build a program, we certainly recommend that you look around to see what other organizations recommend for best practice. There's a wealth of information that's publicly available, including at the CERT program here, where we manage and maintain a guide for mitigating insider threats within an organization. Another group is INSA, the Intelligence National Security Alliance, which has put together a wealth of information around insider threat mitigation.
