Back to Intelligence

Insider Threat Alert: Detecting Unauthorized Patient Data Access in Healthcare Environments

SA
Security Arsenal Team
July 10, 2026
7 min read

Introduction

The recent warning from the NHS to its staff regarding unauthorized access to patient records—explicitly citing potential prison sentences—serves as a stark reminder that the most dangerous perimeter is often the one you pay. In 2026, while we obsess over zero-day exploits in the cloud, the attack vector most likely to result in regulatory fines and reputational ruin remains the trusted insider with legitimate credentials abusing access.

This is not a theoretical risk. We are seeing a resurgence in "snooping" incidents where staff access records of VIPs, neighbors, or former partners out of curiosity or malice. As defenders, we must shift our mindset from "keeping people out" to "accounting for every action inside." This post outlines how to detect inappropriate data access (snooping) and harden your audit capabilities against insider misuse.

Technical Analysis

Vector: Privilege Misuse (Valid Accounts) Affected Platforms: Windows Workstations, Electronic Health Record (EHR) Systems, PACS (Picture Archiving and Communication Systems), File Servers storing PHI.

Attack Mechanics

Unlike external ransomware, this attack vector relies on abuse of inherent trust. The actor (a healthcare professional) logs in using their own domain credentials, launches the authorized EHR client or file explorer, and navigates to patient records they have no clinical justification to view.

  • The Mechanism: Most EHR systems rely on Role-Based Access Control (RBAC). If a nurse has access to the "ER Triage" application, they can often query any patient in that queue. If permissions are overly broad (e.g., access to the entire patient master index), nothing stops them from searching for a specific celebrity.
  • Exfiltration/Snooping: The data is viewed on screen. No malware is triggered. No C2 beacon is established. The attack is a legitimate application session doing something it shouldn't.
  • Exploitation Status: Confirmed active exploitation. The NHS warning confirms this is a recurring, current issue requiring immediate administrative and technical intervention.

Detection Strategy

Since the behavior looks like normal work, detection relies on contextual anomalies. We must look for:

  1. Volume: Accessing an abnormal number of records in a short timeframe (bulk scraping).
  2. Time: Accessing sensitive records outside of assigned shifts or during non-business hours.
  3. Scope: Accessing specific high-profile patient tags (VIP lists) or departments the user does not work in.

Detection & Response

The following rules and queries focus on identifying the observable artifacts of inappropriate access on Windows environments hosting EHR clients or file-based PHI repositories.

SIGMA Rules

These rules target file access patterns (often where scanned documents or exported reports live) and process execution anomalies associated with data exfiltration from clinical applications.

YAML
---
title: Potential Mass Access of Sensitive Patient Files
id: 8d2a4e10-6b8f-4c9e-9a1d-2f3b4c5d6e7f
status: experimental
description: Detects a user accessing a high volume of files in directories commonly used for patient data storage (e.g., .pdf, .doc, .dicom) within a short time window, indicative of bulk snooping or scraping.
references:
  - https://attack.mitre.org/techniques/T1213/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.collection
  - attack.t1213
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\PatientRecords\'
      - '\\PHI\'
      - '\\MedicalImaging\'
    TargetFilename|endswith:
      - '.pdf'
      - '.docx'
      - '.dcm'
  timeframe: 5m
  condition: selection | count() > 20
falsepositives:
  - Legitimate bulk export by authorized admin staff
  - Automated backup processes scanning folders
level: high
---
title: EHR Client Spawning Command Shell
id: 9c3b5f21-7c9g-5d0f-0b2e-3g4c5d6e7f8g
status: experimental
description: Detects a known Electronic Health Record (EHR) client process spawning a command shell or PowerShell. This may indicate an attempt to script data extraction or bypass application controls.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\Cerner.exe'
      - '\Epic.exe'
      - '\Meditech.exe'
      - '\EMRClient.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
falsepositives:
  - Legitimate administrative troubleshooting by IT staff
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for users accessing specific file shares or directories containing Patient Health Information (PHI) during unusual hours (e.g., 2 AM). Adjust the SensitivePath list to match your environment's specific folder structures.

KQL — Microsoft Sentinel / Defender
let SensitivePaths = dynamic(["\\FileServer01\\PHI", "\\FileServer01\\ScannedDocs", "C:\\Data\\PatientRecords"]);
let OffHoursStart = 20h; // 8 PM
let OffHoursEnd = 6h;    // 6 AM
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4656, 4663) // Handle requested or Object Access
| where ObjectName has_any (SensitivePaths)
| extend Hour = bin(TimeGenerated, 1h)
| where Hour between(datetime(2026-01-01 00:00:00) .. datetime(2026-01-01 23:59:59)) // Just to extract hour logic effectively in KQL, actually better:
| let AccessTime = hourofday(TimeGenerated);
| where AccessTime >= OffHoursStart or AccessTime < OffHoursEnd
| project TimeGenerated, Computer, SubjectUserName, ObjectName, AccessMask, Activity
| summarize count() by TimeGenerated, SubjectUserName, Computer
| where count_ > 5 // Threshold for multiple accesses
| order by TimeGenerated desc

Velociraptor VQL

This artifact hunts for EHR client processes that have been running for an unusually long time or are accessing unusual network endpoints, focusing on process longevity which can indicate session hijacking or idle-snooping.

VQL — Velociraptor
-- Hunt for long-running EHR sessions or suspicious child processes
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, StartTime
FROM pslist()
WHERE Name IN ('Epic.exe', 'Cerner.exe', 'Meditech.exe', 'PACSViewer.exe')
   AND (now() - StartTime) > 4h
   OR ParentName IN ('cmd.exe', 'powershell.exe')

Remediation Script (PowerShell)

This script performs an audit on a specified PHI directory structure to identify users with excessive permissions (like "Modify" or "FullControl") that should likely only have "Read" access. This helps enforce the principle of least privilege.

PowerShell
# Audit PHI Permissions for Excessive Access
# Usage: .\Audit-PHIPermissions.ps1 -Path "C:\PatientRecords"

param(
    [Parameter(Mandatory=$true)]
    [string]$Path
)

Write-Host "[+] Scanning $Path for excessive permissions..." -ForegroundColor Cyan

if (-not (Test-Path $Path)) {
    Write-Host "[-] Path not found." -ForegroundColor Red
    exit
}

# Get ACLs recursively
$Acls = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-Acl $_.FullName }

$Report = @()

foreach ($Acl in $Acls) {
    foreach ($Access in $Acl.Access) {
        # Check for Write, Modify, or FullControl
        if ($Access.FileSystemRights -match "Write|Modify|FullControl" -and $Access.IdentityReference -notmatch "BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM|DOMAIN\\Domain Admins") {
            $Report += [PSCustomObject]@{
                Path = $Acl.Path
                User = $Access.IdentityReference.Value
                Rights = $Access.FileSystemRights
                Type = $Access.AccessControlType
            }
        }
    }
}

if ($Report) {
    Write-Host "[!] Found excessive permissions:" -ForegroundColor Yellow
    $Report | Format-Table -AutoSize
    $Report | Export-Csv -Path ".\PHI_Permission_Audit_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
} else {
    Write-Host "[+] No excessive non-admin permissions found." -ForegroundColor Green
}

Remediation

To effectively mitigate the risk of insider data snooping, implement the following defensive controls immediately:

  1. Implement Role-Based Access Control (RBAC) with "Break-Glass" Procedures:

    • Restrict EHR access to the minimum necessary data set required for the user's current shift and role.
    • Implement "Context-Aware Access" that denies access to patient records if the user is not clocked in for a shift at that specific facility.
  2. **Deploy User Behavior Analytics (UBA):

    • Enable UEBA (User and Entity Behavior Analytics) in your SIEM (e.g., Sentinel, Splunk). Create baseline models for "normal" record access volume per user. Alert when a user deviates >2 standard deviations from their mean.
  3. **Audit and Alert on "VIP" Access:

    • Create specific alert logic for any access to patient records tagged as VIP, Employees, or Board Members. These require immediate secondary review.
  4. Mandatory Privacy Screens and Session Timeouts:

    • Enforce aggressive session timeouts (e.g., 5 minutes of inactivity) on all workstations accessing PHI.
    • Implement privacy screen filters physically and enforce "Clean Desk Policies".
  5. Executive Education and Legal Warning:

    • As the NHS has done, reissue acceptable use policies explicitly stating that unauthorized access is a criminal offense (e.g., under the UK Computer Misuse Act 1990 or US HIPAA violations).

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachinsider-threathealthcare-securityehr-monitoringdata-privacynhs

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.