In today’s blog post, HCI’s VP of Security and Technology, Ryan McDaniel, takes a look at what we in the healthcare industry currently know about insider threat, as well as what we don’t know.
As Donald Rumsfeld once said, “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.” While he was speaking specifically of the Iraq war and WMDs, I find the quote perfectly relevant for the current state of healthcare security.
What do we know we know? We know that the data we protect is core to our practice and yet is at constant risk of breach. Patient Health Information (PHI) is one of the most lucrative, if not the most lucrative, data obtainable and, unfortunately, healthcare as a business has often found itself behind other industries in adopting technology and practices to secure critical data. Hence, we know that we know that PHI is under constant threat and must be protected. Our ability to provide care depends on it.
What do we know we don’t know? We know that we don’t know what type of threat is coming next or from where that threat will originate. We battened every hatch and protected our exterior with physical security, firewalls, and network security. We’ve got to keep that unknown out; that much we know.
1) What is the Unknown Unknown?
That’s potentially the million-dollar question. A short year ago, I would have told you the most unrecognized unknown was that threat could originate from within. Data compiled from actual breaches clearly shows that threat from within, or insider threat, is the most common source of threat. I’ve engaged with talented healthcare teams and leaders across the globe, and yet it is infrequently a primary concern for them. Recently, however, I’ve noticed more leaders and organizations are beginning to recognize how critical insider threat is to the security of their data. In fact, I was recently hosting a panel discussion which gave me the opportunity to poll the audience as to which single factor of healthcare security most kept them up at night. The number one concern was insider threat, with 71% of the audience reporting it as their primary concern.
2) How Can We Better Protect Ourselves Against Insider Threat?
The answer is, in essence, to make it a known known. By adopting solutions like secure information management (SIM), identity and access management (IAM), and user and entity behavioral analytics (UEBA) on top of practices which clearly delineate role, responsibility, and risk, we can begin to understand not only the nature but also the magnitude of insider threat. By making insider threat a known known, we allow ourselves to build effective policy, increase data security, and, most importantly, reduce our risk.
So, what about the unknown unknown? Since the answer, by definition, is evasive, let’s address the question itself. Threat as it exists in any environment is the sum of all risks across all facets of the environment; it’s comprehensive. In order to fully comprehend threat, we must effectively capture all users (inside and out), across all systems they use, and all ways in which those systems are used.
Fortunately, emerging technologies like UEBA are finally allowing organizations to aggregate and understand comprehensive risk. Solutions like UEBA, which are based on machine learning, aggregate and analyze user information and application data to establish a baseline of normal behavior and escalate deviations from that baseline as comprehensive risk. Frequently, solutions like UEBA escalate expected, or well-understood, patterns of anomalous behavior, known generally as kill chains. However, because UEBA applies advanced analytics to all available data captured in your environment, it can also capture emergent threat, complex novel behaviors, long-term changes, and new patterns: the unknown unknowns.
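A toy illustration of the baseline-and-deviation idea behind UEBA, added here as an example and not HCI's product code: it builds a per-user baseline of daily PHI record accesses from constructed audit-log lines (the line format, user names and threshold are assumptions) and escalates counts that deviate from that baseline, including users for whom no baseline exists yet.

```python
"""Toy UEBA-style baseline detector over constructed EHR audit-log lines."""
import statistics
from collections import defaultdict

# Constructed sample: one line per user per day, "date user records_accessed".
SAMPLE_LOG = """\
2024-03-01 nurse_a 10
2024-03-02 nurse_a 12
2024-03-03 nurse_a 11
2024-03-04 nurse_a 9
2024-03-05 nurse_a 10
2024-03-01 clerk_b 5
2024-03-02 clerk_b 5
2024-03-03 clerk_b 5
2024-03-04 clerk_b 5
2024-03-05 clerk_b 5
"""

def parse_log(text):
    """Yield (user, count) pairs from the constructed log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _date, user, count = line.split()
        yield user, int(count)

def build_baselines(log_text):
    """Per-user mean and population std-dev of daily record counts."""
    per_user = defaultdict(list)
    for user, count in parse_log(log_text):
        per_user[user].append(count)
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in per_user.items()}

def score(baselines, user, count, z_threshold=3.0):
    """Return (verdict, z). A user with no baseline is escalated, not ignored."""
    if user not in baselines:
        return "no-baseline", None
    mean, sd = baselines[user]
    sd = max(sd, 1.0)  # floor so a perfectly regular user can still be scored
    z = (count - mean) / sd
    return ("anomalous" if z > z_threshold else "normal"), round(z, 2)

if __name__ == "__main__":
    b = build_baselines(SAMPLE_LOG)
    for user, count in [("nurse_a", 11), ("nurse_a", 48), ("clerk_b", 30), ("temp_c", 3)]:
        print(user, count, score(b, user, count))
```

A real UEBA product would add peer-group (role) baselines and time-of-day features; the z-score floor here exists so that a user whose history never varies is not silently excluded from scoring.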
If you would like to learn more about security, compliance, or how HCI can deliver four innovative technologies like UEBA to dramatically increase the security of your critical data, make sure to comment below.