Introduction
The recent warning from the NHS to its staff regarding unauthorized access to patient records—explicitly citing potential prison sentences—serves as a stark reminder that the most dangerous perimeter is often the one you pay. In 2026, while we obsess over zero-day exploits in the cloud, the attack vector most likely to result in regulatory fines and reputational ruin remains the trusted insider with legitimate credentials abusing access.
This is not a theoretical risk. We are seeing a resurgence in "snooping" incidents where staff access records of VIPs, neighbors, or former partners out of curiosity or malice. As defenders, we must shift our mindset from "keeping people out" to "accounting for every action inside." This post outlines how to detect inappropriate data access (snooping) and harden your audit capabilities against insider misuse.
Technical Analysis
Vector: Privilege Misuse (Valid Accounts) Affected Platforms: Windows Workstations, Electronic Health Record (EHR) Systems, PACS (Picture Archiving and Communication Systems), File Servers storing PHI.
Attack Mechanics
Unlike external ransomware, this attack vector relies on abuse of inherent trust. The actor (a healthcare professional) logs in using their own domain credentials, launches the authorized EHR client or file explorer, and navigates to patient records they have no clinical justification to view.
- The Mechanism: Most EHR systems rely on Role-Based Access Control (RBAC). If a nurse has access to the "ER Triage" application, they can often query any patient in that queue. If permissions are overly broad (e.g., access to the entire patient master index), nothing stops them from searching for a specific celebrity.
- Exfiltration/Snooping: The data is viewed on screen. No malware is triggered. No C2 beacon is established. The attack is a legitimate application session doing something it shouldn't.
- Exploitation Status: Confirmed active exploitation. The NHS warning confirms this is a recurring, current issue requiring immediate administrative and technical intervention.
Detection Strategy
Since the behavior looks like normal work, detection relies on contextual anomalies. We must look for:
- Volume: Accessing an abnormal number of records in a short timeframe (bulk scraping).
- Time: Accessing sensitive records outside of assigned shifts or during non-business hours.
- Scope: Accessing specific high-profile patient tags (VIP lists) or departments the user does not work in.
Detection & Response
The following rules and queries focus on identifying the observable artifacts of inappropriate access on Windows environments hosting EHR clients or file-based PHI repositories.
SIGMA Rules
These rules target file access patterns (often where scanned documents or exported reports live) and process execution anomalies associated with data exfiltration from clinical applications.
---
title: Potential Mass Access of Sensitive Patient Files
id: 8d2a4e10-6b8f-4c9e-9a1d-2f3b4c5d6e7f
status: experimental
description: Detects a user accessing a high volume of files in directories commonly used for patient data storage (e.g., .pdf, .doc, .dicom) within a short time window, indicative of bulk snooping or scraping.
references:
- https://attack.mitre.org/techniques/T1213/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.collection
- attack.t1213
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains:
- '\\PatientRecords\'
- '\\PHI\'
- '\\MedicalImaging\'
TargetFilename|endswith:
- '.pdf'
- '.docx'
- '.dcm'
timeframe: 5m
condition: selection | count() > 20
falsepositives:
- Legitimate bulk export by authorized admin staff
- Automated backup processes scanning folders
level: high
---
title: EHR Client Spawning Command Shell
id: 9c3b5f21-7c9g-5d0f-0b2e-3g4c5d6e7f8g
status: experimental
description: Detects a known Electronic Health Record (EHR) client process spawning a command shell or PowerShell. This may indicate an attempt to script data extraction or bypass application controls.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.001
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\Cerner.exe'
- '\Epic.exe'
- '\Meditech.exe'
- '\EMRClient.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
falsepositives:
- Legitimate administrative troubleshooting by IT staff
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for users accessing specific file shares or directories containing Patient Health Information (PHI) during unusual hours (e.g., 2 AM). Adjust the SensitivePath list to match your environment's specific folder structures.
let SensitivePaths = dynamic(["\\FileServer01\\PHI", "\\FileServer01\\ScannedDocs", "C:\\Data\\PatientRecords"]);
let OffHoursStart = 20h; // 8 PM
let OffHoursEnd = 6h; // 6 AM
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4656, 4663) // Handle requested or Object Access
| where ObjectName has_any (SensitivePaths)
| extend Hour = bin(TimeGenerated, 1h)
| where Hour between(datetime(2026-01-01 00:00:00) .. datetime(2026-01-01 23:59:59)) // Just to extract hour logic effectively in KQL, actually better:
| let AccessTime = hourofday(TimeGenerated);
| where AccessTime >= OffHoursStart or AccessTime < OffHoursEnd
| project TimeGenerated, Computer, SubjectUserName, ObjectName, AccessMask, Activity
| summarize count() by TimeGenerated, SubjectUserName, Computer
| where count_ > 5 // Threshold for multiple accesses
| order by TimeGenerated desc
Velociraptor VQL
This artifact hunts for EHR client processes that have been running for an unusually long time or are accessing unusual network endpoints, focusing on process longevity which can indicate session hijacking or idle-snooping.
-- Hunt for long-running EHR sessions or suspicious child processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, StartTime
FROM pslist()
WHERE Name IN ('Epic.exe', 'Cerner.exe', 'Meditech.exe', 'PACSViewer.exe')
AND (now() - StartTime) > 4h
OR ParentName IN ('cmd.exe', 'powershell.exe')
Remediation Script (PowerShell)
This script performs an audit on a specified PHI directory structure to identify users with excessive permissions (like "Modify" or "FullControl") that should likely only have "Read" access. This helps enforce the principle of least privilege.
# Audit PHI Permissions for Excessive Access
# Usage: .\Audit-PHIPermissions.ps1 -Path "C:\PatientRecords"
param(
[Parameter(Mandatory=$true)]
[string]$Path
)
Write-Host "[+] Scanning $Path for excessive permissions..." -ForegroundColor Cyan
if (-not (Test-Path $Path)) {
Write-Host "[-] Path not found." -ForegroundColor Red
exit
}
# Get ACLs recursively
$Acls = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-Acl $_.FullName }
$Report = @()
foreach ($Acl in $Acls) {
foreach ($Access in $Acl.Access) {
# Check for Write, Modify, or FullControl
if ($Access.FileSystemRights -match "Write|Modify|FullControl" -and $Access.IdentityReference -notmatch "BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|DOMAIN\\Domain Admins") {
$Report += [PSCustomObject]@{
Path = $Acl.Path
User = $Access.IdentityReference.Value
Rights = $Access.FileSystemRights
Type = $Access.AccessControlType
}
}
}
}
if ($Report) {
Write-Host "[!] Found excessive permissions:" -ForegroundColor Yellow
$Report | Format-Table -AutoSize
$Report | Export-Csv -Path ".\PHI_Permission_Audit_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
} else {
Write-Host "[+] No excessive non-admin permissions found." -ForegroundColor Green
}
Remediation
To effectively mitigate the risk of insider data snooping, implement the following defensive controls immediately:
-
Implement Role-Based Access Control (RBAC) with "Break-Glass" Procedures:
- Restrict EHR access to the minimum necessary data set required for the user's current shift and role.
- Implement "Context-Aware Access" that denies access to patient records if the user is not clocked in for a shift at that specific facility.
-
**Deploy User Behavior Analytics (UBA):
- Enable UEBA (User and Entity Behavior Analytics) in your SIEM (e.g., Sentinel, Splunk). Create baseline models for "normal" record access volume per user. Alert when a user deviates >2 standard deviations from their mean.
-
**Audit and Alert on "VIP" Access:
- Create specific alert logic for any access to patient records tagged as VIP, Employees, or Board Members. These require immediate secondary review.
-
Mandatory Privacy Screens and Session Timeouts:
- Enforce aggressive session timeouts (e.g., 5 minutes of inactivity) on all workstations accessing PHI.
- Implement privacy screen filters physically and enforce "Clean Desk Policies".
-
Executive Education and Legal Warning:
- As the NHS has done, reissue acceptable use policies explicitly stating that unauthorized access is a criminal offense (e.g., under the UK Computer Misuse Act 1990 or US HIPAA violations).
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.