
Insider Threats in Healthcare (Part 7 of 9: Insider Threats Across Industry Sectors)

Josh Vasko
• Insider Threat Blog

This post was co-authored by Carrie Gardner.

Next in the Insider Threats Across Industry Sectors series is Healthcare. As Healthcare-related information security conversations are predominantly driven by security and privacy concerns related to patient care and data, it's important to recognize the magnitude of security lapses in this sector. Patients can face severe, permanent consequences from medical record misuse, alteration, or destruction. And medical record fraud vis-a-vis identity theft, otherwise known simply as Fraud in our incident corpus, is one of the primary types of security instances observed in this sector.

Security and privacy protections in this sector are defined and enforced by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which has since been expanded. The HIPAA Privacy Rule specifies data-access standards for personal health information (PHI) (i.e., who may access PHI). The HIPAA Security Rule defines requirements for ensuring that proper authentication and authorization policies and practices are in place for accessing electronic PHI in medical records.

In our National Insider Threat Center (NITC) Incident Corpus, we identified 88 malicious insider incidents impacting Healthcare organizations. These incidents do not include unintentional insider threats who may have accidentally left a laptop at a bus stop or sent an email containing PHI to a party that it wasn't intended for. The 88 malicious insider incidents map to 91 healthcare organizations that were directly victimized in the attack (i.e., in some incidents, there is more than one direct victim organization). Of these victim organizations, Health Networks make up the largest subsector. Health Networks, also known as Integrated Health Systems, are networks of hospitals and private practices that are dedicated to bringing healthcare to a specific region.

Bar graph of Healthcare Organizations Impacted by Insider Threat Incidents, 1996 to present. The bars show the number of victim organizations by subsector. Health Network: 25. Diagnostics, Support Services, and Medical Manufacturing: 21. Private Practices, Walk-In Clinics, etc.: 20. Healthcare Insurance: 10. Pharmacology: 7. Hospitals: 6. Advocacy Services: 2.

In addition to the 91 direct victim organizations, 20 victim organizations indirectly employed the insider in some sort of trusted business partner relationship or non-regular full-time employment (e.g., contractors).

Pie chart of Healthcare Victim Organization Relationship to Insiders. 91 organizations, or 82%, employed the insider. 20 organizations, or 18%, did not directly employ the insider.

Sector Overview

Fraud is the most prevalent case type across all of the insider threat incidents within the Healthcare Sector. It occurred in some form in about 76% of all incidents. This observed rate of fraud is higher than the rate across the entire NITC corpus (68%). Within these fraud cases, we generally see individuals with access to patient payment records taking advantage of their access to customer/patient data to create fraudulent assets such as credit cards in order to make a profit.

Bar chart of Insider Incidents within Healthcare by Case Type, 1996 to present. The bars show the number of incidents per case type. Fraud: 67. Theft of IP: 12. Sabotage: 8. Sabotage and Fraud: 1.

Sector Characteristics

Below is a summary of the Healthcare Fraud incidents that are contained within the NITC corpus.

Insider Fraud Incidents in Healthcare

Who? Most healthcare fraudsters began their malicious activities within their first five years of working for the organization (64.3%). A majority (78.2%) misused their authorized access (e.g., a privileged account or PII data access). Insiders were distributed fairly evenly throughout each age group: twenties (27.8%), thirties (25.9%), forties (31.5%), and fifty and older (14.8%). Nearly all of the healthcare insiders (82.0%) were full-time employees.

What? Over half (52.7%) of fraud incidents within the healthcare sector involved the theft of customer data, while 37.5% of incidents directly targeted financial assets (e.g., cash). When personally identifiable information (PII) was stolen, almost all of it was customer data (94.9%) versus employee data (5.1%).

When? Of the incidents where the attack time was known, 70% of the incidents solely took place during work hours. The other 30% of incidents took place both during work hours and outside of work hours.

Where? Of the incidents where the location of the activity was known, a majority occurred only onsite (72.7%). Some involved both onsite and remote activity (23.6%). A couple of incidents involved activity that only occurred remotely (3.6%).

How? Most incidents used rudimentary techniques. In almost one half of incidents, the insider either received or transferred funds (25.8%) and/or abused their privileged access (24.2%). In over a third of incidents (36.4%) the insider tried to conceal their activity in some manner, such as by modifying log files, using a compromised account, or creating an alias.

Why? More than three quarters of the insider healthcare fraud incidents (84.8%) took place due to the insider's desire for financial gain. The only other stated motives were entitlement (e.g., the insider felt entitled to pay for time not worked) and the desire to gain a competitive business advantage, both of which took place once.


Although Healthcare may be an industry defined by unique regulations (e.g., HIPAA), the statistics gathered for it are similar to the statistics gathered from the broader NITC corpus. For almost all of the insider fraud cases within healthcare, the insider followed a similar path of improperly using patient PII or PHI to acquire some asset in order to gain a profit.

Financial impact differs slightly from the Healthcare sector to the broader NITC corpus. From the incidents with a reported financial impact, eight healthcare organizations (11.6%) recorded a financial impact of greater than $1 million. A higher percentage of fraud incidents (16.9%) outside of the Healthcare sector in the NITC corpus recorded the same financial loss. Notably, we did not find a significant difference in high financial impact. This is noteworthy because, given the gravity of healthcare data and the legal and reputational penalties associated with a breach, we might expect a potentially higher frequency of significant financial loss for the Healthcare sector.

Final Thoughts

Healthcare information security should be of the utmost importance for administrators and IT staff alike. Although identity theft is the most common misuse of patient data, patients could face severe medical debt from identity theft.

To better protect healthcare organizations from insider threat incidents, it is suggested that organizations participate in an Information Sharing and Analysis Center (ISAC) to receive pertinent information and help propagate a collaborative security environment. In addition to participating in an ISAC, it is also suggested that organizations enforce least privilege concerning organizational roles and data access along with tracking and blocking data exfiltration.

Stay tuned for the next post, in which we spotlight the Entertainment sector. Or subscribe to a feed of the Insider Threat blog to be alerted when any new post is available. For more information about the CERT National Insider Threat Center, or to provide feedback, please contact
