What went wrong? An exploration in trends and data.
Within the 53,000+ incidents and 2,200-odd breaches you’ll find real takeaways on what not to do, or at the very least, what to watch for.
At first glance, identifying 53K+ incidents in only 12 months suggests an information security dystopia, an uneven playing field where the bad guys consistently win out. And, the 2018 Data Breach Investigations Report (DBIR) is full of nefarious events by offenders both known and unknown.
However, that same catalog of unscrupulous activities offers security pros a first-hand view into current cybercrime trends, and a map towards developing a prosperous and mature security program.
Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats. Employees are also abusing their access to systems or data, although in 13% of cases, it’s driven by fun or curiosity—for example, where a celebrity has recently been a patient.
The Healthcare vertical is rife with Error and Misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry.
Not easy like Sunday morning
If we were to assess the overall wellness of the Healthcare vertical with regard to security, the prognosis would not be terrifying, but neither would it be encouraging. Something along the lines of “greatly improve your diet, stop smoking and increase your workout routine or else” would cover it. Before we judge them too harshly, however, we must keep in mind a few important facts about the Healthcare vertical:
- They deal with a vast amount of highly sensitive data that they must retain and protect;
- That data must be kept current and accurate and must be accessible in a very timely manner for the healthcare professionals who need it (as life or death decisions might be based on it);
- It is subject to a much higher standard of scrutiny with regard to privacy and disclosure requirements than are most other verticals, due to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Et tu, Brute?
As Caesar found out the hard way, often those who do you the most harm can be those closest to you. The Healthcare industry has the dubious distinction of being the only vertical that has a greater insider threat (when looking at breaches) than it does an external threat. This somewhat bleak finding is linked closely to the fact that there is a large amount of both errors and employee misuse in this vertical. With regard to incidents Healthcare is almost seven times more likely to feature a causal error than other verticals in our dataset, but you might not want to ponder that when you go in to get that appendix removed.
Errors most often appear in the form of misdelivery (62%)—which is the sending of something intended for one person to a different recipient—and is followed by a grouping of misplacing assets, misconfigurations, publishing errors and disposal errors.
Misuse, on the other hand, takes the form of privilege abuse (using logical access to assets, often databases, without having a legitimate medical or business need to do so) in 74% of cases. Interestingly, the motive (when known) is most often (47%) that of “fun or curiosity.” Examples of this are when an employee sees that their date from last weekend just came in for a checkup, or a celebrity visits the hospital and curiosity
gets the better of common sense. Not to be forgotten, our faithful friend avarice is still alive and well, with financial gain being the motivation in 40% of internal misuse breaches.
Ransomware is everywhere
No doubt over Thanksgiving dinner you and your family fell in to conversation about the possible reasons for the rise of the Crimeware pattern to the number two position in the Healthcare vertical. Of course, you did. It’s only natural. It is due to the ransomware epidemic that continues to plague the Healthcare industry. Ransomware accounts for 85% of all malware in Healthcare. Due to Department of Health and Human Services regulations, ransomware outbreaks are treated as breaches (rather than data at risk) for reporting purposes. Consequently, it is difficult to know if Healthcare is more susceptible to ransomware than are organizations in other industries, or if the high percentages of it being recorded are simply a product of more stringent reporting requirements. Regardless of the reason, the wise security practitioner will take immediate steps to combat this ubiquitous attack type. Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, it is likely here for a lengthy stay in spite of the quality of the hospital food.
Please do not feed the phish
Social attacks (mostly phishing and pretexting) appear in approximately 14% of incidents in Healthcare and are a definite matter for concern. Phishing (70% of social attacks) occurs when an attacker sends a communication—usually an email—to an individual attempting to influence them to open an infected file or click on a malicious link. Once the victim clicks, the criminal can upload malware and engage in other insidious acts that will enable prolonged access to the system. Pretexting (20%) is a similar social attack but is somewhat more involved. In this scenario, the criminal emails, calls or even visits an employee in person and engages them in conversation to fool the victim into providing the attacker with credentials, or other sensitive data, with which they can launch an attack. Like a sort of Norman Vincent Peale gone wrong. Healthcare has a wide attack surface for social tactics due to the very nature of what they do. Relatives and friends calling in to check on patients, third-party providers of equipment and services and so on can provide a social engineering criminal with a great deal of both opportunities and cover.
Please report to lost and stolen
The theft of assets accounts for 90% of the physical action types in Healthcare. The number of stolen assets also went up this year, but that is likely caseload bias. Regardless, laptops and other portable devices, and paper documents consistently go missing from healthcare organizations each year. Victim work areas (offices) account for 36% of theft locations, and employees’ personal vehicles account for 32% of theft. The latter is particularly worrisome because in many instances, the asset in question residing in an employee’s personal vehicle was likely to be a policy violation. However, it must be admitted that we do not have the hard data to definitively prove that statement, but it is offered in the same spirit as “Do you know what the penalty for cruelty to laptops is in this state? No, sir, I don’t. Well, it’s probably pretty stiff.”
Things to consider
Dr., I can’t read this Rx
The theft or misplacement of unencrypted devices continues to feed our breach dataset. Full Disk Encryption (FDE) is both an effective and low-cost method of keeping sensitive data out of the hands of criminals. FDE mitigates the consequences of physical theft of assets by limiting exposure to fines and reporting requirements. Reduce your risk footprint where you can. Seriously, please do this as we are tired of repeating this same recommendation!
Institute a smackdown policy
Ensure that policies and procedures are in place which mandate monitoring of internal Protected Health Information (PHI) accesses. Make all employees aware via security training and warning banners that if they view any patient data without a legitimate business need there is potential for corrective actions.
Don’t spread the virus
Preventive controls regarding defending against malware installation are of utmost importance. Take steps to minimize the impact that ransomware can have on your network. Our data shows that the most common vectors of malware are via email and malicious websites, so focus your efforts around those factors.