External Threats Outpace Insider-Related Breaches in Healthcare

Verizon’s Data Breach Investigations Report finds external threats caused more healthcare data breaches than insiders last year, as the confirmed number of breaches substantially increased.

By Jessica Davis

The number of confirmed data breaches in the healthcare sector substantially increased last year, as external threats exceeded the number of insider-related incidents for one of the first times, according to the latest Verizon Data Breach Investigations Report (DBIR).

For its 2020 DBIR, Verizon researchers analyzed a total of 3,950 data breaches across 16 sectors and four global regions, along with 157,525 security incidents (of which 32,002 met its quality standards). Researchers noted they focused on confirmed data breaches, rather than other incident reports.

For healthcare, there were 798 security incidents and 521 confirmed data breaches in 2019, compared to 304 incidents in the previous year. While miscellaneous insider errors, privilege misuse, and web applications were the leading causes of 2018 healthcare data breaches, external threats outpaced insiders in this year’s report.

In fact, 51 percent of healthcare data breaches were caused by external actors, and insider-related breaches fell to 48 percent. Despite the slight increase in external-related breaches, healthcare does remain the leading industry for internal bad actors.

Leading Data Breach Patterns

Miscellaneous errors, web applications, and everything else were the top three patterns behind healthcare data breaches in 2019. These patterns accounted for 72 percent of the sector's breaches.

Misdelivery was the leading mistake among miscellaneous errors, which the report authors explained falls into two categories: someone sending an email to the wrong recipient or to a wider distribution than intended, or an organization sending a mass email or mailing in which the contents become out of sync with the addresses. As a result, if sampling is not performed periodically, a breach occurs.

Web application attacks were the second most common pattern, and they have increased as more organizations create patient portals and other innovative ways to interact with patients. These new platforms “create additional lucrative attack surfaces,” increasing the need for organizations to ensure they securely configure these platforms and routinely monitor for potential access mistakes.

Verizon calls its “everything else” pattern “not unlike a lost and found for attacks that do not fit the criteria of any other attack pattern,” which includes business email compromise. These attacks, while used less frequently, are vastly more successful than traditional phishing models.

Healthcare has remained a prime target for these attacks, which are not necessarily focused on healthcare data but are designed for financial gain. Researchers stressed the increase in business email compromise attacks should serve as a reminder that hackers are targeting more than medical data.

Healthcare’s Ransomware Problem

Ransomware also continues to cause a large portion of healthcare security incidents attributed to crimeware. But researchers noted lost or stolen assets are also problematic as, “the asset is not available, proving whether the data was accessed or not is no simple matter.”

“Therefore, we code these as incidents with data being “at-risk” rather than as a confirmed compromise. Our caution to the reader is not to assume that because the attacks aren’t showing up as confirmed breaches in our dataset, you won’t have to declare a breach according to the rules that govern your industry,” researchers explained.

According to Suzanne Widup, Verizon RISK Team’s principal consultant for network and information security, the rise in ransomware in the healthcare sector has contributed to the increase in external threat-related breaches. As the COVID-19 pandemic has increased, responding quickly to these attacks will become crucial for healthcare entities.

Ransomware typically begins as a social engineering attack that will later provide the hacker with a foot in the door, Widup explained. Hackers are increasingly moving laterally across the network to determine what data they want to control before launching the ransomware payload.

As a result, organizations should ensure they have the right controls in place to prevent these attacks, which should include a combination of phishing tools and making sure backups are segmented from the main network. Most frequently, these attacks aren’t overly sophisticated, but data has shown an increase in double extortion attempts, especially on the healthcare sector.

“[Healthcare organizations] are targeted because it’s been successful to these threat actors in the past,” Widup said. “And if it works to target healthcare, they’re not going to stop until they don’t see a payoff. Companies that pay the ransom are just encouraging these actors to keep doing it because these attacks are so lucrative.”

“[Threat actors] are getting louder to get more attention,” she added.

Notably, a recent report suggests paying the ransom can actually double the amount an organization will pay in recovery costs. Widup stressed backups are critical to restoring data after a successful ransomware attack, which can ensure the organization is not on the hook for the ransom demand.

Insider Threats and Proactive Measures

Interestingly, 88 percent of attacks on the healthcare sector in 2019 were designed for financial gain.

And for the first time, privilege misuse was not in the top three causes behind healthcare data breaches. Across all sectors, this pattern has significantly dropped. Privilege misuse was behind 23 percent of cyberattacks in the 2019 report, which dropped 8.7 percent in the latest insights.

“Does that indicate that insiders are no longer committing malicious actions with the access granted to them to accomplish their jobs? Well, we wouldn’t go quite that far,” the report authors wrote. “However, it will be interesting to see if this continues as a trend when next year’s data comes in.”

The reduction in misuse-related breaches corresponded to a decrease in multiple actor breaches. In the past, the healthcare sector has led in this breach type, which “usually occurs when external and internal actors combine forces to abscond with data that is then used for financial fraud.”

Last year, multiple actors were behind 4 percent of breaches, which has now dropped to 1 percent.

Notably, while medical data breaches are the most common, personal data breaches are also problematic. These incidents involve a range of data, including demographic information or other data elements. Personal data was compromised in 77 percent of these incidents, compared with 67 percent of medical data.

On a positive note, the time between compromise and data exfiltration has been getting smaller. On the other hand, the time it takes an organization to detect a breach is not keeping pace, such as when an insider abuses the amount of data they can access. These abuses can take much longer to be detected.

Healthcare organizations must invest resources in this area, such as detection controls, Widup explained. The faster an organization detects a breach, the more it can actually reduce the breach impact – especially compared to waiting for someone from outside the organization to inform the enterprise.

Process controls are also critical, given healthcare’s problems with miscellaneous errors. She stressed that security leaders need to be monitoring these processes from the beginning, middle, and end. Email security can be much harder, but there are tools that can provide alerts to common errors, such as warning that a recipient is found outside the organization.

User education around phishing is also helpful, as well as limiting where the users can go when they click on a phishing email or a known bad domain, Widup explained.

“And don’t put all of your eggs in one basket, relying on a user not to click as the only control,” she added. “A certain percentage will always click, and some jobs require them to do so, such as HR… And just because insider misuse dropped, it doesn’t mean organizations should relax their vigilance.”

“[Entities] should also make sure any alerts they’re getting from the system are actionable, otherwise you can have alert fatigue,” she added. “There are many alerts that don’t mean anything to the people monitoring the system, and they chase tails. It’s important to make sure alerts coming in are actionable.”