By Prashant Gupta, Head of Solutions, South East Asia & India, Verizon Business Group
In 2019, the global healthcare industry saw a substantial increase in the number of breaches and incidents. Of the 3,950 confirmed breaches, 521 were in the healthcare sector, up from 304 in 2018. Verizon’s Data Breach Investigations Report revealed that financially motivated criminal groups continue to target the healthcare industry via ransomware attacks. Lost and stolen assets also remain a problem, while basic human error is alive and well in this vertical. Miscellaneous Errors, Web Applications and Phishing or Business Email Compromises represented 72% of breaches in the healthcare sector.
The majority of the data under attack in the healthcare sector is personal data, followed by medical data and credentials. Criminals are after two closely related kinds of information – personally identifiable information (PII) and protected health information (PHI). Your PII or PHI may be collected or created by a healthcare provider, health insurer or employer. It usually contains a person’s name, address, phone number, medical insurance details, beneficiary information, financial account numbers, biometric data, facial images etc. There is a tremendous amount of information flow in healthcare – prescription information sent from clinics to pharmacies, billing statements mailed, discharge papers physically handed to patients, copies of identity and insurance cards filed and so on.
In my opinion, unless you really protect data at its core, no matter how many network-level or endpoint-level protections you put in, they won’t really keep you secure for long. Healthcare organizations need to conduct a proper risk assessment to prioritize investments, focus on the issues that matter the most, and mitigate the risk or bring it down to an acceptable level. These organizations need to follow a defence-in-depth approach to safeguard their critical systems and data: our research tells us that increasing the number of layered controls protecting systems and data (in essence, the number of steps an adversary has to clear) can be very effective in decreasing the probability of a data breach.
In the 2019 report, we showed Privilege Misuse at 23% of attacks, while in 2020, it has dropped to just 8.7%. Does that indicate that insiders are no longer committing malicious actions with the access granted to them to accomplish their jobs? Well, we wouldn’t go quite that far. However, it will be interesting to see if this continues as a trend when next year’s data comes in.
Another change that goes along with the decrease in insider misuse breaches is the corresponding drop in multiple actor breaches. The Healthcare sector has typically been the leader in this type of breach—which usually occurs when External and Internal actors combine forces to abscond with data that is then used for financial fraud. Multiple actor breaches were at 4% last year, and this year we see a drop to 1%. The 2019 DBIR reported a first in that the Healthcare vertical had Internal actor breaches (59%) exceeding those perpetrated by External actors (42%). This year External actor breaches are slightly more common at 51%, while breaches perpetrated by Internal actors fall to 48%. However, this is a small margin, and Healthcare remains the industry with the highest proportion of internal bad actors.
As with many things in life, as one attack grows more prevalent, others begin to decrease. So the story goes with the Miscellaneous Errors pattern. While it has frequently graced the top three patterns in this sector, it took the gold this year. In case you are curious, the top mistake within Healthcare is our old friend, mis-delivery.
This error tends to fall into two major categories:
• Someone is sending an email and addresses it to the wrong (and frequently wider) distribution—an added bonus for whoever receives it if a file containing sensitive data was attached.
• An organization is sending out a mass mailing (paper documents) and the envelopes with the addresses become out of sync with the contents of the envelopes. If sampling is not done periodically throughout the mailing process, then it’s bye, bye, bye to your patients’ sensitive information.
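Both mis-delivery categories above lend themselves to a simple pre-send check. The following is an added illustration, not code from the report or from Verizon: a hold-for-review gate for outgoing email that flags PHI-bearing attachments addressed to distribution lists, external domains or many recipients, plus a periodic sampling check for a paper mailing run. The clinic domain, the distribution list names and the PHI patterns are assumed values constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed values constructed for this example (not from the report): the clinic's
# own mail domain and the wide distribution lists a mis-addressed email might hit.
INTERNAL_DOMAIN = "clinic.example"
DISTRIBUTION_LISTS = {"all-staff@clinic.example", "billing-team@clinic.example"}
# Crude PHI markers for the demo: a US SSN-shaped number or a medical record number.
PHI_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), re.compile(r"\bMRN[- ]?\d{6,}\b")]


@dataclass
class OutgoingMail:
    sender: str
    recipients: list   # addresses as typed by the user
    attachments: dict  # filename -> extracted text


def phi_attachments(mail):
    """Names of attachments whose text matches at least one PHI marker."""
    return [n for n, t in mail.attachments.items() if any(p.search(t) for p in PHI_PATTERNS)]


def misdelivery_risks(mail, max_recipients=3):
    """Reasons to hold an email for review: a PHI attachment going to a wider
    audience than one-to-one correspondence (lists, external domains, many recipients)."""
    flagged = phi_attachments(mail)
    if not flagged:
        return []
    rcpts = [r.lower() for r in mail.recipients]
    reasons = []
    lists = [r for r in rcpts if r in DISTRIBUTION_LISTS]
    if lists:
        reasons.append(f"{flagged} addressed to distribution list(s) {lists}")
    external = [r for r in rcpts if not r.endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append(f"{flagged} leaving {INTERNAL_DOMAIN}: {external}")
    if len(rcpts) > max_recipients:
        reasons.append(f"{flagged} sent to {len(rcpts)} recipients (limit {max_recipients})")
    return reasons


def mailing_drift(batch, every=50):
    """Sample every Nth (envelope, letter) pair of a print run and return the
    positions where the envelope address no longer matches the letter's addressee,
    which is the out-of-sync condition described above."""
    return [i for i in range(0, len(batch), every)
            if batch[i]["envelope"].strip().lower()
            != batch[i]["letter_addressee"].strip().lower()]
```

A real deployment would draw the PHI markers from the organization's data inventory rather than two regexes, but the gating logic stays the same.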
When thinking of the Healthcare vertical, one naturally thinks of Medical data. And, unsurprisingly, this is the industry in which that type of data is the most commonly breached. However, we also see quite a lot of both Personal data (which can be anything from basic demographic information to other covered data elements) and credentials stolen in these attacks.
The second most common pattern for Healthcare is the Web Applications attack. As more and more organizations open patient portals and create new and innovative ways of interacting with their patients, they create additional lucrative attack surfaces.
Finally, we see a good deal of the Everything Else pattern, which is not unlike a lost and found for attacks that do not fit the criteria of any other attack pattern.
It is within this pattern that the Business Email Compromise resides. If you’re not familiar with this attack, it is typically a phishing attack with the aim of leveraging a pretext (an invented scenario to give a reason for the victim to do what the attacker wants) to successfully transfer money (by wire transfer, gift cards, or any other means). Although these are common attack types across the dataset, it is a good reminder to Healthcare organizations that it isn’t only patient medical data that is being targeted.
Recommended best practices
This year we’ve aligned our findings with the Center for Internet Security Critical Security Controls to provide you with a way to translate DBIR data into your security efforts. Here are the top controls that our data suggests will be worthwhile for most organizations.
• Continuous Vulnerability Management—Use this method to find and remediate things like code-based vulnerabilities; it is also great for finding misconfigurations.
• Secure Configuration—Ensure and verify that systems are configured with only the services and access needed to achieve their function.
• Email and Web Browser Protection—Lock down browsers and email clients to give your users a fighting chance when facing the Wild West that we call the Internet.
• Limitation and Control of Network Ports, Protocols and Services—Understand what services and ports should be exposed on your systems, and limit access to those.
• Boundary Defense—Go beyond firewalls to consider things like network monitoring, proxies and multi-factor authentication.
• Data Protection—Control access to sensitive information by maintaining an inventory of sensitive information, encrypting sensitive data and limiting access to authorized cloud and email providers.
• Account Monitoring—Lock down user accounts across the organization to keep bad guys from using stolen credentials. Use of multi-factor authentication also fits in this category.
• Implement a Security Awareness and Training Program—Educate your users, both on malicious attackers and on accidental breaches.