How to Prevent Healthcare Breaches: DBIR 2020

By Tom McDonald

May 25, 2020

New Insights from Verizon’s 2020 Data Breach Investigation Report

Healthcare may just be the world’s most vulnerable highly-targeted vertical.

We have discussed this hard truth for quite some time, and it has recently been confirmed, once again, by Verizon’s just-released 2020 Data Breach Investigation Report.

In their report, Verizon compiles recent breach data from over 80 different contributing organizations. At Paladion, we are proud to be one of those contributing organizations for yet another year. Further, we have found that Verizon’s analysis of the current breach landscape aligns with our own, particularly when it comes to healthcare.

Read on, and learn about what has changed in the healthcare breach landscape over the last year, what specific threats are currently targeting healthcare organizations, and what you can do to defend yourself over the coming year, and prevent your organization from becoming another data point in Verizon’s survey.


Healthcare Saw a Dramatic Increase in Breaches 

In the past year, the healthcare industry saw 798 security incidents, with 521 of those incidents being confirmed data breaches. In their 2019 report, Verizon only discovered 304 data breaches, representing a 58% year-over-year growth in material disclosed incidents.

It is difficult to determine the size of each breach. While 31 of these breaches were small, and 32 of these breaches were large, 458 of these breaches were of unknown size. This is, in and of itself, troubling for a couple of reasons.

  1. A breach of any size could cause substantial damage to a healthcare organization, due to the strict data privacy regulations they operate under.

  2. The high percentage of unknown breach sizes suggests that most healthcare organizations lack the visibility required to quickly determine the impact of incidents, if they are able to determine this impact at all.

This second point is worth considering further, as additional analysis of the data suggests that healthcare is the least-prepared vertical to handle incidents.


The Threat Landscape for Healthcare Organizations

Verizon’s data indicate that healthcare organizations must protect themselves from a wide range of threats. These include, in order of likelihood:

  • Crimeware: Including ransomware, which accounts for a large percentage of these threats.

  • Miscellaneous Errors: Most often misdelivery, where someone sends an email or paper documents (either of which may contain sensitive data) to the wrong address.

  • Web Applications: Including web application attacks on patient portals, and attacks on other digitized interactions with patients.

  • Privilege Misuse: Though interestingly, this has dropped from 23% of all threats to just 8.7% of all threats, year-over-year.

  • Lost or Stolen Assets: Including missing laptops, desktops, or other assets that belong to the healthcare organization and may contain sensitive data.

 

In terms of who is delivering these attacks, healthcare saw a near-even split between external malicious actors (51% of threats) and internal malicious actors (49% of threats). In general, organizations in most verticals see a much bigger split between these two sources of threats, and healthcare remains the vertical with the highest volume of bad internal actors.

Why Healthcare is Such a Targeted Vertical

The vast majority (88%) of malicious actors have financial motives in mind when they target healthcare organizations. When they do so, they are typically seeking to access and steal both personal data (77% of incidents) and medical data (67% of incidents).

Interestingly, only 18% of attacks seek credentials. It is possible that threat actors do not require credentials to breach healthcare organizations because of the overall poor security posture of these organizations. It is also possible that they already have access to their target’s network, either because they are internal malicious actors, because they are working with internal actors, or simply because they received this information through missing assets or misdelivery.

No matter the exact line of reasoning, malicious actors seem to have caught on to the fact that healthcare organizations are both valuable targets and targets where an attack has a relatively high chance of causing material harm.

Given this, it is critical that healthcare organizations leverage effective security to improve their posture, to defend themselves from attacks, and to ensure that a much smaller percentage of incidents actually turn into breaches.

How Healthcare Organizations Can Protect Themselves

Verizon’s report offers a few suggestions that healthcare organizations can follow to improve their defenses: they can implement security awareness and training programs, better protect their boundaries, and implement data protection.

While we agree with these suggestions, we would go further in our recommendation. Healthcare organizations require more comprehensive defenses. Given the volume of simple errors like misdelivery in the vertical, it is clear that their workers are (understandably) not focusing on the details of security during their hectic, life-or-death daily work. In addition, their boundaries are becoming increasingly porous through the adoption of additional endpoints and IoT devices, making traditional boundary protection insufficient.

Instead, we recommend a complete layer of Managed Detection and Response over their entire environment, with a special focus on user behavior analytics to identify and respond to threats from their internal actors.

If you are interested in learning how to bring these defenses to your healthcare organization, reach out to Paladion today.
