Healthcare data breaches were the most common type of data security incident reported in 2015, according to a recent study by Symantec Corporation.
Researchers found that approximately 39 percent of breaches during the year occurred in the health services sub-sector.
“This comes as no surprise, given the strict rules within the healthcare industry regarding reporting of data breaches,” explained the authors of the study. “However, the number of identities exposed is relatively small in this industry. Such a high number of breaches with low numbers of identities tends to show that the data itself is quite valuable to warrant so many small breaches.”
There were 120 healthcare data breaches reported in 2015, which was the largest number of data breaches across all industries studied. The next leading industries for data breaches (business and education) only reported 20 incidents each.
Despite the prevalence of healthcare data security events, the study reported that only 1 percent of incidents led to the exposure of identities. That still accounted for nearly four million individuals whose identities were exposed as a result of a healthcare data breach.
The study attributes the growing volume of data breaches across all industries to a shift in how cybercriminals operate.
Researchers found that more cybercriminals used zero-day attacks, including phishing scams and ransomware, in 2015.
The number of zero-day vulnerabilities discovered in 2015 increased by 125 percent over the previous year. Meanwhile, 430 million new malware variants were found in 2015.
“Advanced criminal attack groups now echo the skill sets of nation-state attackers. They have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off,” said Symantec Security Response Director Kevin Haley. “We are even seeing low-level criminal attackers create call center operations to increase the impact of their scams.”
Even though cyberattacks are becoming more sophisticated and business-like, the healthcare sub-sector is not being targeted as frequently as other industries.
The study reveals that, in the healthcare field, about 54.1 percent of emails are spam. Cybercriminals typically use spam to execute more advanced cyberattacks.
However, the phishing ratio in the healthcare field was only 1 out of 2,711 emails, which was the second lowest ratio across all industries.
The healthcare industry was also one of the least likely sectors to be targeted for spear-phishing attacks, the study confirmed.
Additionally, the healthcare sector was the least likely to encounter an email containing a virus. The virus ratio was 1 out of every 396 emails.
Although healthcare organizations may not interact with email attacks as much as other industries, the entire industry was still affected by advanced cybersecurity attacks, like ransomware.
“This year, ransomware spread beyond PCs to smartphones, Mac and Linux systems, with attackers increasingly seeking any network-connected device that could be held hostage for profit, indicating that the enterprise is the next target,” stated the study.
Healthcare providers may have to shut down EHR and email systems, reduce patient volumes, and pay a ransom to access EHR information.
To prevent future data breaches, the study suggested that companies use intelligence solutions to identify vulnerabilities, develop a multi-layered security framework, prepare for potential data breaches, and continue to educate employees.
Education may be a key part of a healthcare organization’s data security strategy.
“Education and greater awareness of cybersecurity issues will help everyone to become more digitally healthy. By being aware of just how many risks you face, you can reduce them, and learn how to recognize symptoms, and diagnose ‘digital diseases’ before they put your data, and your customers’ data at risk,” said the authors of the study. “We should reject the misconception that privacy no longer exists. Privacy is precious, and should be protected carefully.”
Another recent study of security events in 2015 found that most healthcare data breaches were caused by employee action or error, while the second leading cause was phishing, hacking, and malware.
By providing ongoing education and training, healthcare organizations can teach staff about how to identify spam, phishing, and hacking emails and prevent cyberattacks.