The healthcare industry is the worst when it comes to stopping insider data breaches, according to Verizon’s 2018 Data Breach Investigations Report (DBIR) released April 10.
The report found that the healthcare industry was the only sector that had more internal actors (56 percent) behind data breaches than external actors (43 percent).
This isn’t always malicious. Errors made up the most common type of cyber incident in healthcare, followed by malware, hacking, and privilege misuse.
In addition, medical information is the target of two-thirds of data breaches in the healthcare industry, while personal information made up 37 percent and payment information 4 percent of breaches, the report found.
The healthcare industry had 750 cyber incidents last year, with 536 involving data disclosure. Miscellaneous errors, crimeware, and privilege misuse accounted for 63 percent of cyber incidents in the sector.
The DBIR found ransomware in 39 percent of malware-related cases examined this year, up from fourth place in the 2017 DBIR. Ransomware has started to impact business-critical systems rather than just desktops, with bigger ransom demands.
“Ransomware remains a significant threat for companies of all sizes,” said Verizon Executive Director of Security Professional Services Bryan Sartin. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.”
“What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom—the cybercriminal is the only winner here,” he continued.
Ransomware has been particularly devastating in the healthcare industry. In fact, it accounts for 85 percent of the malware in healthcare.
“Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, [ransomware] is likely here for a lengthy stay in spite of the quality of the hospital food,” the report observed.
The report recommended that the healthcare industry institute full disk encryption to protect sensitive healthcare information on devices and put in place policies and procedures to monitor access to protected health information (PHI).
“Preventive controls regarding defending against malware installation are of utmost importance. Take steps to minimize the impact that ransomware can have on your network. Our data shows that the most common vectors of malware are via email and malicious websites, so focus your efforts around those factors,” the report advised.
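The report's recommendation to monitor access to PHI is the one a healthcare security team can act on most directly, given that internal actors outnumber external ones in this sector. The following Python script is an added illustration, not code from Verizon or the DBIR: it reads a constructed access-audit log (the six-field line format, the patient-to-department mapping, the business-hours window and the bulk-access threshold are all assumptions made for this example) and flags three insider patterns that a PHI access review typically looks for: one user touching many distinct patient records in a short window, access outside business hours, and clinical staff reading records belonging to another department.

```python
"""Toy PHI access-audit review.

Illustrates the kind of insider-access monitoring the 2018 DBIR recommends
for healthcare. Log format, thresholds, policy and sample lines are all
constructed for this example; they do not come from any real EHR system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: ISO timestamp, user, role, department, patient id, action.
SAMPLE_LOG = """\
2018-04-10T09:01:00 nurse01 nurse cardiology P1001 view
2018-04-10T09:03:00 nurse01 nurse cardiology P1002 view
2018-04-10T09:04:00 clerk07 billing billing P2001 view
2018-04-10T09:05:00 clerk07 billing billing P2002 view
2018-04-10T09:05:30 clerk07 billing billing P2003 export
2018-04-10T09:06:00 clerk07 billing billing P2004 export
2018-04-10T09:06:30 clerk07 billing billing P2005 export
2018-04-10T09:07:00 clerk07 billing billing P2006 export
2018-04-10T02:15:00 nurse01 nurse cardiology P3001 view
2018-04-10T10:00:00 nurse02 nurse oncology P1001 view
"""

# Constructed mapping of patient record -> owning clinical department.
PATIENT_DEPT = {
    "P1001": "cardiology", "P1002": "cardiology", "P3001": "cardiology",
    "P2001": "oncology", "P2002": "oncology", "P2003": "orthopedics",
    "P2004": "orthopedics", "P2005": "neurology", "P2006": "neurology",
}

# Constructed policy: roles allowed to read records from any department.
ROLES_ALLOWED_ANY_DEPT = frozenset({"billing"})


def parse_line(line):
    """Parse one audit line into a dict with a datetime timestamp."""
    ts, user, role, dept, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "dept": dept, "patient": patient, "action": action}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def bulk_access(events, max_patients=5, window=timedelta(minutes=10)):
    """Users who touched >= max_patients distinct records inside one window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            # Distinct patients seen in the window ending at this event.
            recent = {x["patient"] for x in evs[:i + 1] if e["ts"] - x["ts"] < window}
            if len(recent) >= max_patients:
                flagged.append(user)
                break
    return sorted(flagged)


def off_hours(events, start_hour=7, end_hour=19):
    """Events outside the (assumed) business-hours window [start_hour, end_hour)."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def cross_department(events, patient_dept=PATIENT_DEPT,
                     roles_allowed_any=ROLES_ALLOWED_ANY_DEPT):
    """Clinical users reading records owned by a department other than their own."""
    hits = []
    for e in events:
        if e["role"] in roles_allowed_any:
            continue
        owner = patient_dept.get(e["patient"])
        if owner is not None and owner != e["dept"]:
            hits.append(e)
    return hits


def review(log_text):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(log_text)
    return {
        "bulk_access": bulk_access(events),
        "off_hours": off_hours(events),
        "cross_department": cross_department(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(check, findings)
```

On the constructed log this flags clerk07 for exporting six distinct records within a few minutes, nurse01 for a 02:15 access, and nurse02 (oncology) for reading a cardiology record. In practice the thresholds, the hours window and the department ownership data would come from the organisation's own access policy, and the findings would feed a review queue rather than an automatic block, since legitimate exceptions (on-call staff, transfers between units) are common in clinical settings.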
The DBIR analysis found a shift in how social attacks, such as financial pretexting and phishing, are used. These attacks continue to succeed in infiltrating organizations via employees. Human resource departments are now being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.
Financial pretexting—obtaining financial information under false pretenses—and phishing represent 93 percent of all breaches investigated by Verizon, with email being the main entry point (96 percent of cases). Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.
Pretexting incidents have increased more than fivefold since the 2017 DBIR, with 170 incidents analyzed this year (compared to just 61 incidents in the 2017 DBIR). Eighty-eight of these incidents specifically targeted HR staff to obtain personal data for the filing of fraudulent tax returns.
“Businesses find it difficult to keep abreast of the threat landscape and continue to put themselves at risk by not adopting dynamic and proactive security strategies,” said Verizon Enterprise Solutions President George Fischer.
In addition, distributed denial of service (DDoS) attacks are on the rise and can impact anyone. They are often used as camouflage, being started, stopped, and restarted to hide other breaches in progress. They are powerful, but also manageable if the correct DDoS mitigation strategy is in place.
“Companies also need to continue to invest in employee education about cybercrime and the detrimental effect a breach can have on brand, reputation and the bottom line,” said Sartin. “Employees should be a business’s first line of defense, rather than the weakest link in the security chain.”
“Ongoing training and education programs are essential. It only takes one person to click on a phishing email to expose an entire organization,” he concluded.