U.S. Cybersecurity and Infrastructure Security Agency: CISA Issues Guidance for Proactively Defending Against Insider Threats

CISA Releases New Guidance to Combat Rising Insider Threats in Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance to help critical infrastructure organizations, particularly in healthcare, proactively defend against insider threats, a growing source of data breaches. According to a 2018 Verizon study, insiders were responsible for 56% of healthcare data breaches, surpassing external actors (43%). A 2024 report by Metomic found that the percentage of healthcare organizations reporting no insider incidents dropped from 34% in 2019 to just 24%, highlighting the escalating risk.

Insider threats stem from negligence, malicious intent, or policy violations, such as employees snooping on medical records or exfiltrating patient data for financial gain or personal motives. These incidents can lead to severe consequences, including reputational damage, financial losses, and operational disruptions. CISA warns that insiders’ legitimate access and institutional knowledge make detection particularly challenging.

To address this, CISA’s new resource provides a framework for assembling a multi-disciplinary insider threat management team, emphasizing collaboration across cybersecurity, physical security, human resources, legal, and external partners such as law enforcement and mental health professionals. The guidance outlines a four-stage POEM framework (Plan, Organize, Execute, and Maintain) to structure threat mitigation efforts. Key steps include scoping the team’s role, fostering a culture of reporting, enforcing policies, and continuously refining the program.

Acting CISA Director Dr. Madhu Gottumukkala emphasized that insider threats "erode trust and disrupt critical operations," while CISA Executive Assistant Director Steve Casapulla noted that organizations with mature programs are better equipped to withstand disruptions. The guidance aims to help state, local, tribal, and territorial governments, as well as critical infrastructure sectors, reduce the frequency and impact of insider incidents.

Source: https://www.hipaajournal.com/cisa-issues-guidance-proactively-defending-against-insider-threats/

Cybersecurity and Infrastructure Security Agency cybersecurity rating report: https://www.rankiteo.com/company/cisagov

"id": "CIS1770197400",
"linkid": "cisagov",
"type": "Breach",
"date": "2/2026",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'U.S. (state, local, tribal, and '
                                    'territorial governments)',
                        'type': 'Healthcare organizations'},
                       {'location': 'U.S. (state, local, tribal, and '
                                    'territorial governments)',
                        'type': 'Critical infrastructure sectors'}],
 'attack_vector': 'Insider access (legitimate credentials)',
 'data_breach': {'data_exfiltration': 'Possible (for financial gain or '
                                      'personal motives)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, medical records)',
                 'type_of_data_compromised': ['Patient data',
                                              'Medical records']},
 'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
                '(CISA) has issued new guidance to help critical '
                'infrastructure organizations, particularly in healthcare, '
                'proactively defend against insider threats, a growing source '
                'of data breaches. Insider threats stem from negligence, '
                'malicious intent, or policy violations, such as employees '
                'snooping on medical records or exfiltrating patient data for '
                'financial gain or personal motives. These incidents can lead '
                'to severe consequences, including reputational damage, '
                'financial losses, and operational disruptions.',
 'impact': {'brand_reputation_impact': 'Reputational damage',
            'data_compromised': 'Patient data, medical records',
            'operational_impact': 'Operational disruptions'},
 'lessons_learned': 'Insider threats are a growing risk, particularly in '
                    'healthcare, and require a multi-disciplinary approach for '
                    'detection and prevention. Organizations with mature '
                    'insider threat programs are better equipped to withstand '
                    'disruptions.',
 'motivation': ['Financial gain',
                'Personal motives',
                'Negligence',
                'Policy violations'],
 'post_incident_analysis': {'corrective_actions': 'Implementation of CISA’s '
                                                  'POEM framework, '
                                                  'multi-disciplinary insider '
                                                  'threat management team, and '
                                                  'continuous program '
                                                  'refinement.',
                            'root_causes': ['Insider negligence',
                                            'Malicious intent',
                                            'Policy violations']},
 'recommendations': 'Adopt CISA’s POEM framework (Plan, Organize, Execute, and '
                    'Maintain) to structure insider threat mitigation efforts. '
                    'Assemble a multi-disciplinary insider threat management '
                    'team, foster a culture of reporting, enforce policies, '
                    'and continuously refine the program.',
 'references': [{'source': 'Verizon 2018 Data Breach Investigations Report'},
                {'source': 'Metomic 2024 Report on Insider Threats in '
                           'Healthcare'},
                {'source': 'CISA Insider Threat Guidance'}],
 'response': {'enhanced_monitoring': 'Framework for insider threat management '
                                     'team'},
 'stakeholder_advisories': 'CISA guidance emphasizes collaboration across '
                           'cybersecurity, physical security, human resources, '
                           'legal, and external partners like law enforcement '
                           'and mental health professionals.',
 'threat_actor': 'Insiders (employees, contractors, or trusted individuals)',
 'title': 'CISA Releases New Guidance to Combat Rising Insider Threats in '
          'Critical Infrastructure',
 'type': 'Insider Threat',
 'vulnerability_exploited': 'Lack of insider threat detection and prevention '
                            'measures'}