In the second quarter of 2018, the most frequent cause of healthcare data breaches was accidental disclosures, according to incidents reported to the Beazley Breach Response Services team.
Accidental disclosures made up 38 percent of the data breaches in the healthcare sector, hacking/malware were 26 percent of breaches, followed by insiders at 14 percent, physical loss of a nonelectronic record at 7 percent, loss or theft of a portable device at 6 percent, social engineering at 4 percent, and unknown/other at 5 percent.
Across industries, the top two causes of data breaches in the second quarter were hacking/malware attacks (39%) and accidental disclosure (22%). Hack or malware was down 3 percentage points from the first quarter, despite an increase in the number of email compromises. This was due to a decrease in the number of reported ransomware incidents in the second quarter.
Business email attacks more than doubled in the second quarter of 2018 compared with the same quarter in 2017, according to a report prepared by Beazley based on reported incidents.
Source: Beazley
The compromise of a single email account provides the hacker with a platform from which to spear phish within and outside the organization, the report noted.
Hackers can also use compromised accounts to make fraudulent wire transfers, redirect an employee’s paycheck, and steal sensitive information from the inbox.
“Phishing emails coming out of the compromised accounts are becoming more targeted and impressively crafted than ever before. They’re not just sending thousands of spam emails. They’re doing reconnaissance within the compromised inbox and then tailoring the next phishing email to the recipient,” the report quoted Mandiant Senior Incident Response and Malware Analysis Consultant Dasha Tarassenko as saying.
Tarassenko noted that attackers can exploit Microsoft’s PowerShell to log into Office 365 and carry out network reconnaissance. If the attackers could hack into an account with the right administrative privileges, they could get access to the entire organization.
She recommended that organizations disable the ability of third-party applications to access Office 365, which reduces the likelihood that an attacker could use PowerShell for reconnaissance.
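As a defensive counterpart to the PowerShell reconnaissance point above, here is an added Python example (not from the Beazley report or Mandiant) that scans Office 365 Unified Audit Log `UserLoggedIn` records for sign-ins whose user agent suggests remote PowerShell from accounts that are not on an administrator allow list. The sample records are constructed, and the user-agent markers are an assumption to tune against your own logs.

```python
import json

# Constructed sample AuditData payloads from the Office 365 Unified Audit Log
# (UserLoggedIn events). These are not real telemetry from any organization.
SAMPLE_AUDIT_DATA = [
    '{"CreationTime":"2018-06-12T03:14:07","Operation":"UserLoggedIn",'
    '"UserId":"jdoe@example.com","ClientIP":"198.51.100.23",'
    '"ExtendedProperties":[{"Name":"UserAgent","Value":"Microsoft WinRM Client"}]}',
    '{"CreationTime":"2018-06-12T09:02:41","Operation":"UserLoggedIn",'
    '"UserId":"exoadmin@example.com","ClientIP":"203.0.113.5",'
    '"ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 WindowsPowerShell/5.1"}]}',
    '{"CreationTime":"2018-06-12T09:15:00","Operation":"UserLoggedIn",'
    '"UserId":"mlee@example.com","ClientIP":"203.0.113.9",'
    '"ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0) Chrome/67.0"}]}',
    '{"CreationTime":"2018-06-12T09:20:13","Operation":"FileAccessed",'
    '"UserId":"jdoe@example.com","ClientIP":"198.51.100.23","ExtendedProperties":[]}',
]

# Assumed substrings that indicate a PowerShell or WinRM-based sign-in; adjust
# after reviewing the user agents that appear in your own tenant's audit log.
POWERSHELL_AGENT_MARKERS = ("powershell", "winrm", "exchange.management")


def _user_agent(record):
    """Pull the UserAgent value out of the record's ExtendedProperties list."""
    for prop in record.get("ExtendedProperties", []):
        if prop.get("Name") == "UserAgent":
            return prop.get("Value", "")
    return ""


def find_powershell_logins(audit_data_lines, allowed_accounts):
    """Return (user, client_ip, user_agent) for every UserLoggedIn event whose
    user agent looks like remote PowerShell and whose account is not on the
    administrator allow list (compared case-insensitively)."""
    allowed = {a.lower() for a in allowed_accounts}
    hits = []
    for line in audit_data_lines:
        rec = json.loads(line)
        if rec.get("Operation") != "UserLoggedIn":
            continue
        agent = _user_agent(rec)
        if not any(m in agent.lower() for m in POWERSHELL_AGENT_MARKERS):
            continue
        if rec.get("UserId", "").lower() not in allowed:
            hits.append((rec["UserId"], rec.get("ClientIP"), agent))
    return hits


if __name__ == "__main__":
    for user, ip, agent in find_powershell_logins(SAMPLE_AUDIT_DATA, {"exoadmin@example.com"}):
        print(f"review: {user} signed in via {agent!r} from {ip}")
```

Each flagged account is a candidate for the mailbox review the report describes, since a non-admin account signing in through PowerShell is not normal user behaviour.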
Beazley estimated that the total cost for a large-scale email compromise could exceed $2 million for an organization. These costs include legal advice, forensics investigation, data mining, manual review, victim notification, and setting up a call center and offering free credit monitoring for victims. For smaller-scale email compromises, the costs can exceed $100,000.
“These attacks are expensive because, in order for the target company to understand the full impact and whether personally identifiable information (PII) or protected health information (PHI) is at risk, they often require programmatic and manual searches of years’ worth of emails for sensitive information,” Beazley related.
“Unfortunately for organizations hit with this attack, most often many inboxes are compromised. BBR Services often discovers that organizations are aware of only half the number of compromised inboxes. In some cases, there may actually be hundreds of inboxes compromised,” the report added.
The report cited a case study involving an undisclosed health system that was hit by a widespread phishing campaign. The phishing email had a link that took victims to a website that instructed them to enter their credentials.
BBR Services advised the health system to work with privacy counsel and a forensic firm with experience handling phishing attacks involving Office 365. The investigation found that 20 employee inboxes were compromised. Because of the attack type, the firm could not say whether the attackers downloaded the contents of the inboxes. The inboxes were programmatically searched for PII and PHI, which revealed around 350,000 unsearchable documents that required manual review.
All told, the attack cost the health system $800,000 for legal fees, forensic costs, programmatic review, and manual review of documents, and another $150,000 in notification, call center, and credit monitoring fees.
Beazley said that phishing attacks can be prevented using two-factor authentication and employee training.