Data Breaches in Healthcare Come From Within
We always come across reports of serious security breaches in the health service, and the number has steadily increased. More than a hundred thousand health records were exposed or stolen during this period, affecting people's lives.
This isn’t typical, either. Of all large data breaches across all sectors, hospitals accounted for around 30 percent of them from 2009 to 2016.
Between 2016 and 2018, hospitals accounted for around 40 percent of all major data breaches in all sectors.
Even small data breaches, such as the accidental exposure of individual patient records, are very common.
One reason that so many data breach problems are reported in the healthcare sector could be the fact that the sector has very stringent security requirements due to the sensitivity of the information it processes and the stringency of HIPAA.
In the health care industry, employees, whether nurses, doctors, or administrative staff, have access to patient records to get their work done. However, an alarming number of employees can abuse this privileged access or make mistakes that lead to data breaches.
According to a new Verizon report on data breaches, insider attacks in 2018 were responsible for the majority of security breaches in the healthcare sector (59%), compared to external attacks (42%). Healthcare is the only industry where there are more insider attacks than external ones.
Across all industries, external threat actors are still the main cause of attacks (69% of breaches), with insiders accounting for 34%.
Verizon analysed more than 40k cyber security incidents and over 2,000 data breaches from 86 countries to investigate cyber attacks, from malware to cyber espionage to insider threats, and to identify trends.
According to a Verizon analysis, there were 466 cyber-security incidents in health care last year, 304 of them with confirmed disclosure of data.
The top three patterns among cybersecurity incidents (miscellaneous errors, privilege misuse, and web applications) represent 81% of incidents within healthcare. The majority of healthcare cyber attacks were financially motivated, according to the report, while some bad actors or hackers did it for fun (6% of incidents), for convenience (3%), because of a grudge (3%) or for espionage (2%).
Unsurprisingly, medical data is 18 times more likely to be compromised in this industry, and when an internal actor is involved, it is 14 times more likely to be a medical professional such as a doctor or nurse, according to the report.
Looking at who is carrying out cyber attacks and what assets they are going after, the two biggest threats in healthcare appear to be hackers using stolen credentials to access servers and email, and employees, or insider actors, abusing their privileged access to get into databases, according to the report. Another significant threat is phishing emails sent to dupe users into clicking and entering their email credentials on a phony site. The freshly stolen login information is then used to access the user’s cloud-based mail account, and any patient data in the user’s inbox or other folders is considered compromised.
“Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for this vertical. Across all industries, internal actor breaches have been more difficult to detect, more often taking years to detect than do those breaches involving external actor,” the report said.
The report also highlighted key cybersecurity trends across all industries:
1. C-level executives who have access to a company’s most sensitive information are now the major focus for social engineering attacks. Senior executives are 12x more likely to be the target of social incidents and 9x more likely to be the target of social breaches than in previous years, and financial motivation remains the key driver. A successful pretexting attack on senior executives can reap large dividends as a result of their often unchallenged approval authority and privileged access to critical systems, the report said.
2. There was a substantial shift towards the compromise of cloud-based email accounts via the use of stolen credentials last year. In addition, publishing errors in the cloud are increasing year-over-year. Misconfiguration led to a number of massive, cloud-based file storage breaches, accounting for 21% of breaches caused by errors.
3. Ransomware attacks are still going strong: They account for nearly 24 percent of incidents where malware was used. Ransomware has become so commonplace that it is less frequently mentioned in the specialized media unless there is a high-profile target.
“Even though we see specific targets and attack locations change, ultimately the tactics used by the criminals remain the same. There is an urgent need for businesses—large and small—to put the security of their business and protection of customer data first. Often even basic security practices and common sense deter cybercrime,” Bryan Sartin, executive director of security professional services at Verizon, said in a statement.
The report also offers three recommendations for healthcare security leaders to address the biggest threats seen in the healthcare industry:
• Monitor access
Know where your major data stores are, limit necessary access, and track all access attempts. Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs and make a goal of finding any unnecessary lookups.
• Encourage reporting
Work on improving phishing reporting to more quickly respond to early clickers and prevent late clickers. Think about reward-based motivation if you can.
• Improve processes
Know which processes deliver, publish or dispose of personal or medical information and ensure they include checks so that one mistake doesn’t equate to one breach.
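The "Monitor access" recommendation can be turned into a simple review queue. The following is an added example, not code from the Verizon report or from this article: it reads a constructed EHR access audit export and flags lookups made by users who have no documented care relationship with the patient. The log format, the user and patient identifiers, and the `CARE_TEAM` mapping are all assumptions; flagged entries are candidates for review, since billing and administrative staff can have legitimate reasons for access.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: an EHR access audit export (not taken from the report).
ACCESS_LOG = """\
timestamp,user,role,patient_id,action
2019-05-01T08:02:11,nurse_a,nurse,P100,view
2019-05-01T08:05:40,nurse_a,nurse,P101,view
2019-05-01T09:15:02,dr_b,physician,P100,view
2019-05-01T09:20:33,dr_b,physician,P205,view
2019-05-01T10:01:09,clerk_c,admin,P100,view
2019-05-01T10:01:45,clerk_c,admin,P101,view
2019-05-01T10:02:10,clerk_c,admin,P205,view
2019-05-01T10:02:58,clerk_c,admin,P300,export
2019-05-01T23:47:12,nurse_a,nurse,P300,view
"""

# Assumption: care-team assignments are available, e.g. from scheduling data.
CARE_TEAM = {
    "P100": {"nurse_a", "dr_b"},
    "P101": {"nurse_a"},
    "P205": {"dr_b"},
    "P300": {"dr_d"},
}

def parse_log(text):
    """Parse the CSV audit export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def unnecessary_lookups(events, care_team):
    """Return events where the user has no documented relationship to the patient."""
    return [e for e in events
            if e["user"] not in care_team.get(e["patient_id"], set())]

def review_queue(events, care_team, threshold=2):
    """Rank users by out-of-relationship accesses; keep those at or above threshold."""
    hits = defaultdict(list)
    for e in unnecessary_lookups(events, care_team):
        hits[e["user"]].append((e["timestamp"], e["patient_id"], e["action"]))
    flagged = {u: h for u, h in hits.items() if len(h) >= threshold}
    return sorted(flagged.items(), key=lambda kv: len(kv[1]), reverse=True)

if __name__ == "__main__":
    for user, user_hits in review_queue(parse_log(ACCESS_LOG), CARE_TEAM):
        print(f"{user}: {len(user_hits)} lookups without a care relationship")
        for ts, patient, action in user_hits:
            print(f"  {ts} {patient} {action}")
```

Lowering `threshold` to 1 also surfaces single lookups, such as the late-night access by `nurse_a` in the sample data.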
Julia Sowells
Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.