Post-Lapsus$, HHS Warns Healthcare Industry of Insider Threat Risks
Following last month's Lapsus$ hacks, federal authorities are reminding healthcare organizations about the danger of insider threats.
The U.S. Department of Health and Human Services is once again reminding the public health sector of the dangers posed by insider threats.
In a datasheet released last week, HHS' Office of Information Security broke down the different types of insider threats, listed indicators of malicious insider activity, and offered tips on how to prevent, detect, and respond to insider attacks.
While the group wasn't directly named in the brief, it’s probably safe to assume the emergence of Lapsus$, a cyber extortion group that made headlines last month for stealing source code and healthcare data, prompted the release.
A handful of firms, including Microsoft and the identity management platform Okta, disclosed breaches involving the group; the Okta incident is believed to have ultimately led to the compromise of a number of healthcare providers.
Before a number of Lapsus$ members were arrested late last month, the group relied largely on recruiting insiders at target firms to provide access, usually in the form of stolen credentials, to internal systems and data. The group said at the time that it wasn't interested in corporate data the insiders could steal; what it wanted was the access itself.
HHS is hoping the notice will remind organizations in the sector what an insider threat looks like and help them prevent the next Lapsus$-style attack. It follows a separate alert on Lapsus$ specifically that the HHS HC3 issued earlier this month.
In the datasheet, HHS cites a Forrester survey from last year in which a quarter of respondents who had experienced a data breach said at least one insider threat was involved. It sets that figure against a more recent one, the 30 healthcare breaches reported last month, to suggest that a share of those may also have had an insider component.
The report also draws on recent industry research, including the shifting insider-threat trends illustrated by Verizon's 2021 Data Breach Investigations Report and the distinction between malicious, careless, and accidental insiders drawn in Ponemon's 2020 Insider Threats Report.
Because insiders already hold an elevated level of trust and access, insider threats are difficult to prevent outright. There are still steps organizations can take, HHS says in its guidance, such as deploying data loss prevention tools across the organization.
Organizations that haven't already done so should revise their cybersecurity policies to incorporate a formal insider threat mitigation program. They should also:
• Limit privileged access and establish role-based access control
• Implement zero trust and MFA
• Manage USB devices across the network
Tooling for incident detection and response, logging, and auditing, such as a SIEM and user activity monitoring, can help too, as can educating employees about the importance of spotting insider threats early.
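As an added illustration of what user activity monitoring tied to role-based access control looks like in practice (this is example code written for this page, not part of the HHS datasheet or any product), the script below runs three simple insider-threat indicators over a constructed audit log: access to a resource outside the user's role, access outside business hours, and a per-event volume far above the user's own baseline. The log lines, the role-to-resource map, the business-hours window, and the 10x volume threshold are all assumptions chosen for the demonstration; a real deployment would pull the role map from its IAM system and tune the thresholds against its own data.

```python
"""Toy user-activity-monitoring rules over a constructed audit log.

Added example for this article; not code from HHS, Okta, or any vendor.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (assumption), one event per line:
# timestamp | user | role | action | resource | records touched
SAMPLE_LOG = """\
2022-04-01T09:12:03 | jdoe   | nurse   | read   | patient_record | 14
2022-04-01T10:05:41 | jdoe   | nurse   | read   | patient_record | 11
2022-04-01T11:48:22 | asmith | billing | read   | invoice        | 40
2022-04-01T12:30:00 | asmith | billing | read   | invoice        | 35
2022-04-01T13:15:09 | jdoe   | nurse   | read   | patient_record | 12
2022-04-02T02:41:57 | jdoe   | nurse   | export | patient_record | 950
2022-04-02T03:02:10 | asmith | billing | read   | admin_console  | 1
2022-04-02T09:00:00 | asmith | billing | read   | invoice        | 38
"""

# Hypothetical role-based access map (assumption; a real system reads this from IAM).
ROLE_ALLOWED = {
    "nurse": {"patient_record"},
    "billing": {"invoice"},
    "admin": {"patient_record", "invoice", "admin_console"},
}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 (assumption)
VOLUME_FACTOR = 10             # flag an event above 10x the user's baseline (assumption)


def parse_log(text):
    """Parse the pipe-delimited log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, resource, count = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "resource": resource, "count": int(count),
        })
    return events


def detect(events):
    """Apply the three indicators in timestamp order.

    Returns a list of (user, rule, detail) tuples. The volume baseline is the
    median of the user's *earlier* events only, so an anomalous event cannot
    raise the baseline it is being compared against.
    """
    alerts = []
    history = defaultdict(list)  # per-user counts of earlier events
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, resource = ev["user"], ev["resource"]

        # 1. RBAC check: this role should never touch this resource.
        if resource not in ROLE_ALLOWED.get(ev["role"], set()):
            alerts.append((user, "rbac_violation", f"{ev['role']} accessed {resource}"))

        # 2. Off-hours access.
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append((user, "off_hours", ev["ts"].isoformat()))

        # 3. Volume anomaly relative to the user's own prior activity.
        prior = history[user]
        if len(prior) >= 2:
            base = median(prior)
            if ev["count"] > VOLUME_FACTOR * base:
                alerts.append((user, "volume_anomaly", f"{ev['count']} vs baseline {base:g}"))
        history[user].append(ev["count"])
    return alerts


def run_sample():
    """Run the rules over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, rule, detail in run_sample():
        print(f"{user:8} {rule:17} {detail}")
```

On the sample data the nurse account's 02:41 export of 950 records trips both the off-hours and volume rules, and the billing account's 03:02 visit to the admin console trips the RBAC and off-hours rules; the routine daytime reads produce nothing. Each rule alone is noisy (night shifts exist, roles drift), which is why a SIEM correlates several indicators per account before raising a case rather than alerting on any one of them.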
While insider threats have always been on defenders' radar, the HHS guidance helps reframe the concept and ensures organizations across the sector are on the same page and following best practices.