Leading a team of eager cyber problem-solvers, Suneel Sundar, senior manager of cyber new professionals at MITRE, researches the tactics, techniques and procedures used by known insiders in IT environments.

Sundar will present "We see you when you're sneaking: Insider techniques and trends across IT systems," an educational discussion at the HIMSS Healthcare Cybersecurity Forum, which will take place December 5 and 6 in Boston.

His session will address insider threats and share several of their techniques examined through objective evidence-based analysis using the Insider Threat TTP (Tactics, Threats and Procedures) Knowledge Base. The knowledge base, created by researchers at the nonprofit MITRE Engenuity Center for Threat-Informed Defense, launched in February with more than 50 examples of insider threat TTPs. 

Inspired by MITRE ATT&CK and tools such as the Ransomware Support Center for hospitals and health systems, Sundar and his colleagues launched the new community-driven insider threat knowledge base to guide insider threat mitigation programs toward actionable detections and response. The submission platform authenticates users and anonymizes submissions. 

"It abstracts out the relevant data so that an organization that contributes isn't airing its dirty laundry; they're sharing the bare minimum that will allow us to do analysis and not more. That could be embarrassing or could compromise their own legal equities," Sundar told Healthcare IT News. "We're not looking for dirty laundry, we're looking for new fabrics."

Advancing cyber-defenders' collective understanding of insider threats requires hospitals, healthcare systems and providers of all sizes – and at all stages of technology – to participate in this cross-industry collaboration, according to Sundar.

An organization with less sophisticated IT may identify some insider technique that nobody else has seen, he explained.

"Once that technique is identified one time and it goes into the knowledge base, then everyone in the health sector and the security community at large can build in detections and defenses for that." 

A path to understanding healthcare's insider threat schemes

According to a Ponemon Institute report released in January, insider incidents are up 44%.

The Health Information Sharing and Analysis Center and other healthcare organizations use the knowledge base and share their use cases because it helps create a broader dataset to validate against, Sundar said.

"For organizations that don't have their own insider threat program or are looking to stand up their insider threat program, this will give them a punch list," he said. 

For those working with security partners, the data provides an objective way to measure that the security function is identifying the most harmful insider events to that organization.

"Based on that data that is authenticated to the user and anonymized from the organization, we'll be able to analyze what is more prominent as an insider threat for the health sector."

In the future, users may be able to sort the insider threat data by sector. 

"Contributing and building the knowledge base with insider case submissions is essential to furthering the research into understanding how insider threats in healthcare differ from threats in other sectors," Sundar explained.

The most common insider threat

The most common insider threat is data exfiltration, which includes taking personal information and patient health information, and it is most commonly removed through external media and e-mail, Sundar said.

"We're also seeing a rise in cloud storage," he added.

Defense is typically monitoring common exfiltration channels or adding regulations on how and when users use those channels. 

However, those are also critical data-sharing methods that support healthcare interoperability, and organizations must weigh the business benefit of allowing a technology against the security risks of its usage.

"We acknowledge there are legitimate uses for email, and legitimate uses for USB, and legitimate uses for cloud storage, which is what makes it so challenging to catch the insider that is using those tools in a way that would cause harm to the organization," Sundar said.

However, there are discernable patterns in insider data breaches. Users will download data packages over days or several hours, he said.

"There's a trend that we observed from the data, which is that insiders – they have some intention. Insiders will stage the data they intend to steal prior to exfiltration. So what that means is a pattern that we can see, that a security operations center could see is a user download, download, download, download." 

It's not as simple as the insider saving to their local drive. 

"We are seeing that insiders plan out what they might take, put it into a package and then send it in one lump," Sundar said.

The HIMSS 2022 Healthcare Cybersecurity Forum takes place December 5 and 6 at the Renaissance Boston Waterfront Hotel. Register here.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.