Thursday, May 17, 2012

Technology, Talent, Techniques: 3 Steps in Addressing Insider Threats

This week I found myself in Memphis, Tennessee. Home of great music and BBQ – as you can see from the photo below. But this trip was not all pork shoulder and blues bands. I was speaking at the United States Army Medical Command (MEDCOM) Information Assurance and HIPAA Summit. My talk was on data security and insider threats, the title of my presentation: Evil Employees Hacking their Bosses.

Healthcare providers are a treasure trove of PII, up to and including credit card numbers, addresses, and Social Security numbers. That information exists as structured and unstructured data at rest, in motion, and in use, a mix that is hard to manage even before security enters the picture. Making information readily available to the people who need it, when they need it, while still catching both the malicious insider and the careless one, is a difficult balance. Specific technologies such as DLP (data loss prevention), DAM (database activity monitoring), context-aware SIEM, encryption, and identity management do help, but there is more to it.

Addressing insider threats requires a combination of technology, talent, and techniques. I have mentioned some of the technology above. Beyond that, a successful strategy must integrate other security controls such as firewalls and IPS as secondary feeds, and most importantly, the solutions must be connected so that data-layer events enrich network events, network events enrich endpoint events, and so on. Only then can the individual yellow flags that together make up suspicious insider activity be detected; a single feed rarely sees enough on its own to justify an alert.

Still, technology isn't a panacea. Beyond the tech, there is a need for talent and techniques. By talent I mean that an insider threat mitigation program must include more than just IT: executive leadership and involvement from legal, HR, and other relevant groups are necessary, and programs driven entirely from IT generally fail. By techniques I mean well-defined processes. An anonymous whistleblower channel needs to be in place; low-tech methods like this have proved beneficial year after year. What constitutes a terminable offense must be clearly defined. And perhaps most importantly, the process of investigation and oversight, supported by IT detail such as "who accessed what, when, and how, how much, from where, for how long, who else, what else," must be in place to allow more effective and efficient incident analysis and response.
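To make the two technical points above concrete (connecting data, network, and endpoint feeds so that yellow flags add up, and producing the "who accessed what, when, how, how much, from where" record an investigator needs), here is a small correlation routine. It is an added example, not code from the original post or from any product mentioned in it. The event schema, user names, thresholds, rule names, and the sample events themselves are constructed for illustration; a real deployment would normalise DAM, DLP, and VPN logs into something like this schema first.

```python
"""Cross-source insider-activity correlation over constructed events.

Added example (not from the original post). Field names, thresholds and
rule names are assumptions. The idea: a database-activity (DAM) event, a
data-loss-prevention (DLP) event and a network (VPN) event are each only a
yellow flag on their own, but become an alert when they land on the same
user inside one time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Each is normalised to a common
# schema: source, user, ts (ISO 8601) plus a few source-specific fields.
EVENTS = [
    {"source": "vpn", "user": "jdoe", "ts": "2012-05-14T02:10:00",
     "src_ip": "203.0.113.7", "country": "XX"},
    {"source": "dam", "user": "jdoe", "ts": "2012-05-14T02:14:00",
     "action": "SELECT", "object": "patients", "rows": 48000},
    {"source": "dlp", "user": "jdoe", "ts": "2012-05-14T02:31:00",
     "action": "usb_copy", "object": "patients_export.csv", "bytes": 9_800_000},
    {"source": "dam", "user": "asmith", "ts": "2012-05-14T10:05:00",
     "action": "SELECT", "object": "patients", "rows": 12},
    {"source": "dlp", "user": "asmith", "ts": "2012-05-14T10:40:00",
     "action": "email_external", "object": "referral.pdf", "bytes": 120_000},
    {"source": "dam", "user": "bwong", "ts": "2012-05-14T03:00:00",
     "action": "SELECT", "object": "patients", "rows": 60000},
]

# Thresholds are assumptions; tune them to the environment's own baseline.
BULK_ROWS = 10_000
BULK_BYTES = 5_000_000
WINDOW = timedelta(hours=2)
HOME_COUNTRY = "US"


def flags_for(event):
    """Yellow flags a single event raises on its own (may be none)."""
    ts = datetime.fromisoformat(event["ts"])
    flags = []
    if event["source"] == "dam" and event.get("rows", 0) >= BULK_ROWS:
        flags.append("bulk_query")
    if event["source"] == "dlp" and event["action"] in ("usb_copy", "email_external"):
        flags.append("egress")
        if event.get("bytes", 0) >= BULK_BYTES:
            flags.append("bulk_egress")
    if event["source"] == "vpn" and event.get("country") != HOME_COUNTRY:
        flags.append("foreign_login")
    if ts.hour < 6 or ts.hour >= 22:
        flags.append("off_hours")
    return flags


def investigation_row(ev):
    """One line of the 'who, what, when, how, how much, from where' record."""
    return {
        "who": ev["user"], "when": ev["ts"], "how": ev["source"],
        "what": ev.get("object", ev.get("src_ip", "-")),
        "how_much": ev.get("rows", ev.get("bytes", "-")),
        "from_where": ev.get("country", "internal"),
    }


def yellow_flags(events):
    """Per-user union of single-event flags: the watchlist, not yet an alert."""
    out = defaultdict(set)
    for ev in events:
        out[ev["user"]].update(flags_for(ev))
    return {u: sorted(f) for u, f in out.items() if f}


def correlate(events, window=WINDOW):
    """Alert on a user when flagged events from at least two different
    sources fall inside one sliding window; attach the investigation timeline."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        f = flags_for(ev)
        if f:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["source"], f, ev))
    alerts = {}
    for user, items in per_user.items():
        for t0, _, _, _ in items:
            cluster = [it for it in items if t0 <= it[0] <= t0 + window]
            sources = {it[1] for it in cluster}
            if len(sources) >= 2:
                alerts[user] = {
                    "sources": sorted(sources),
                    "flags": sorted({fl for it in cluster for fl in it[2]}),
                    "timeline": [investigation_row(it[3]) for it in cluster],
                }
                break
    return alerts


if __name__ == "__main__":
    print("watchlist:", yellow_flags(EVENTS))
    for user, alert in correlate(EVENTS).items():
        print(f"ALERT {user}: {alert['flags']} via {alert['sources']}")
        for row in alert["timeline"]:
            print("   ", row)
```

On the constructed input, only jdoe trips the alert (a foreign off-hours VPN login, a bulk query against the patient table, and a large USB copy, all within two hours). bwong's off-hours bulk query and asmith's external e-mail each show up on the watchlist as yellow flags but never become an alert, which is the point of connecting the feeds: the same DAM event that is noise in isolation is evidence once the DLP and network context is attached.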

When it comes to insider threat mitigation, nothing beats talent and techniques, but they should be augmented by technology that can glean contextual information about users' interactions with data.

By Brian Contos