insider threats to patient data

Healthcare Insiders Pose the Greatest Threats to Operational Interruption and Patient Data Loss.

Healthcare and Pharma remain primary targets.

For the 14th year in a row, the Healthcare and Pharmaceutical industries remain the most targeted by cyber criminals, and the costliest per incident. According to the 2025 Ponemon Report: Cost of a Data Breach, Healthcare’s cost per incident is nearly double the average per-incident cost reported in other verticals. Additionally, Healthcare breaches take roughly five weeks longer to identify and contain than those in other sectors. There are myriad reasons for healthcare’s inflated breach costs: the elevated value of extensive personal patient information, significant regulatory fines for HIPAA violations, lawsuits and legal fees, and highly complex incident responses that take longer to resolve.

But why is healthcare so popular? Cybercriminals are a lot like schoolyard bullies—they target those who a.) have a lot of lunch money, and b.) put up the least resistance in the face of duress. Knowing that healthcare systems can ill afford prolonged service interruptions, attackers count on the fact that these systems historically do whatever it takes to restore operations as quickly as possible, which increases the likelihood of ransom payments. They also know that the larger attack surfaces found in healthcare systems dramatically increase the odds of an attack’s success—like a dartboard with an 18” bullseye. Consider these three common traits found in virtually every healthcare system: complex networks of often dated technologies and machines, numerous third parties with access to myriad internal systems, and most critically, a stressful, frenetic work environment for fatigued employees, which can often lead to security policy negligence and data management errors. This last trait is a major contributor to what constitutes an Insider Threat, which on its own accounted for nearly 79% of data breaches in healthcare in 2024.

The Three Insider Types.

Counter to what we once thought, the insider category is no longer confined to disgruntled or unscrupulous employees. The very definition of Insider Threat has evolved to include every employee in your organization that has network system access, and there are three major threat categories that an insider can fall into. To get a better understanding of how to mitigate Insider Threats, we first need to identify these three types of insiders most leveraged in a cyber threat, both intentionally and unintentionally.

1. The Malicious

The first insider type—as mentioned above—is the Malicious Insider. This is the bad actor with intent to do harm, and the only one of the three whose behaviors are purposefully fraudulent. Year over year, the malicious insider threat percentages remain fairly consistent: of the three insider types, the malicious insider accounted for 25% of the total number of insider-caused incidents.

2. The Accidental

Accounting for roughly 50% of insider-caused attacks, the second—and most common—threat type is the Accidental Insider. This is the employee who unwittingly creates an opportunity for breach with seemingly innocuous events or behaviors:

  • Weak password usage
  • Insufficient training
  • Detail fatigue
  • Ignoring security protocols
  • Unencrypted devices containing data lost to theft
  • Good old human error

With its 12-hour shifts, complicated procedures, and life and death situations, the fast-moving, high-stress field of healthcare delivers the optimal environment for accidental insider vulnerabilities.

3. The Outwitted

The third and costliest threat is the Outwitted Insider. Being unintentional by nature, this threat classification could potentially be a subset of Accidental Insiders, but since it abets outsiders directly targeting individual employees, it merits its own category. As the name implies, the insider is lured into responding to an engineered attack via tactics such as phishing and deepfakes designed to steal that employee’s network credentials. Once those credentials are compromised, the attacker is able to bypass all defense mechanisms protecting password vaults and corporate account information.

Insider Education

Protecting the network and patient data inside the firewall remains a constant challenge. But knowing that nearly 80% of cyberattacks emanate from internal threats, and that more than half of those internal attacks occur on an employee’s personal device or network, internal threat defense should carry equal or greater importance than external threat defense. As the healthcare industry increasingly goes mobile, protecting employee endpoint devices outside the firewall greatly raises the degree of difficulty. Malicious insiders and ever-evolving attacks from the outside will never go extinct. But eliminating the accidental and outwitted insider threats—controlling the things that are within your control—is a goal that is within reach.

Ongoing internal threat risk management programs must be mandatory for all employees who have access to the network. Complete employee comprehension and buy-in to security policies must be enforced.

• All employee endpoint devices must be vetted, whitelisted, and updated regularly.

• Only secured networks may be used for personal devices that are also used for work.

• Patient and company data must be encryption-protected at all times.

To ensure that data and operational recovery can be achieved post-cyberattack, all employees must regularly back up sanitized data redundantly to offline, encrypted external drives such as Apricorn Aegis Secure Keys, Aegis Padlock, Fortress, and the high-speed Aegis NVX.

Why Hardware Encryption is the Right Choice for Protecting Data

Patient data can live anywhere—beyond care facility networks, there are diagnostic centers, insurance groups, home care providers, etc. Each transfer introduces a new avenue for attack. Hardware encryption isolates security functions from vulnerable operating systems, ensuring that sensitive data remains encrypted even if the host is compromised. It’s a vital safeguard for protecting data at rest—the state where many breaches begin.

Benefits of Hardware Encryption:

    • Encrypts data on the device, independent of any software.
    • Aligns with FIPS 140-2 / 140-3 validation to support DOE, NERC, and federal standards.
    • Deters tampering with PIN-authenticated, tamper-evident designs that prevent unauthorized access or manipulation.
    • Minimizes key-exposure risk by eliminating reliance on software-based encryption methods.

Apricorn: Trusted Hardware Encryption for All Facets of Healthcare

Apricorn’s Aegis Secure Drives and Secure Keys offer software‑free, hardware‑encrypted storage designed to safeguard data wherever it lives. Every encryption process occurs entirely within the device, keeping keys and credentials off the host system.

Why Major Healthcare Organizations Around the World Choose Apricorn:

  • Enables plug and play across Windows, macOS, Linux, and industrial platforms—no software or drivers.
  • Delivers FIPS 140-2 / 140-3 Level 3 (pending) protection.
  • Supports TAA-compliant procurement for regulated buying programs.
  • Withstands dust, water, and extreme field conditions with rugged construction.
  • Streamlines local provisioning with Aegis Configurator; enforces PIN/policy settings and retains setup logs—no cloud or centralized management. Provisioning can also be performed directly on the device via Admin mode.

Device Selection Guide (Quick Specs)

Each entry lists the device’s Interface / Speed, Certifications, and Best For.

Aegis NVX
  Interface / Speed: USB-C 10Gbps; up to ~1000MB/s
  Certifications: IP68; FCC; CE; VCCI; TAA
  Best For: high-speed requirements, imaging, rugged environments

Fortress L3
  Interface / Speed: USB Type-A and Type-C; 5Gbps; up to ~370MB/s SSD
  Certifications: FIPS 140-2 Level 3 (140-3 pending); FCC; CE; TAA
  Best For: multi-user deployments; adaptable USB-A and USB-C interfaces

Aegis Padlock DT FIPS (desktop)
  Interface / Speed: USB Type-A 5Gbps; up to 160MB/s
  Certifications: FIPS 140-2 Level 2 (140-3 pending); FCC; CE; TAA
  Best For: offline backups, DR vaults

Aegis Secure Key 3NX
  Interface / Speed: USB Type-A 5Gbps; up to 160MB/s
  Certifications: FIPS 140-2 Level 3 (140-3 pending); IP67; FCC; CE; TAA
  Best For: pocketable; vendor exchanges; firmware

Aegis Secure Key 3NXC
  Interface / Speed: USB Type-C 5Gbps; up to 160MB/s
  Certifications: FIPS 140-2 Level 3 (140-3 pending); IP67; FCC; CE; TAA
  Best For: pocketable USB-C; vendor exchanges; firmware

Aegis Secure Key 3
  Interface / Speed: USB Type-A 5Gbps; up to 195/160MB/s
  Certifications: FIPS 140-2 Level 3 (140-3 pending); IP67; FCC; CE; TAA
  Best For: fastest USB-A; larger capacity up to 2TB

Note: All Aegis devices are software‑free and authenticate/encrypt on‑device; provisioning is performed locally via Aegis Configurator or directly on the device (Admin mode).

Use Cases:

  • Offline Backups: Protect recovery data on encrypted drives stored off‑network.
  • Clean Media Policies: Deploy pre‑configured Read‑Only devices for field updates.
  • Air‑Gapped Forensics: Capture investigation data securely, even from compromised systems.
  • Controlled Vendor Access: Assign individual encrypted drives with revocable credentials.
  • Audit Readiness: Use local Aegis Configurator setup logs to demonstrate policy enforcement and chain‑of‑custody for configured devices.

Building a Ransomware‑Resilient Healthcare Ecosystem

As healthcare systems evolve, cybersecurity must evolve too. Hardware‑based encryption provides an essential layer of defense—isolated, verifiable, and aligned with the highest federal and industry standards. With Apricorn’s rugged, FIPS 140‑2 / 140-3 (pending) validated devices, healthcare providers can protect data integrity across multiple platforms—ensuring reliability, compliance, and trust across every level of operation.

Looking ahead, Apricorn remains committed to advancing its technology by attaining FIPS 140‑3 certification, ensuring that our devices continue to meet and exceed the evolving security and compliance needs of the global healthcare sector. Our mission is to provide data protection that keeps pace with innovation—empowering organizations to operate confidently in a connected, data‑driven world.

A patient’s wellness isn’t the only thing that must be protected.