HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018.

BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches.

In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR).  All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered.

This has led many companies to create committees to help manage data breaches, which include stakeholders with expertise in each of the above areas.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Most Common Causes of Data Breaches

An analysis of 2018 incidents shows phishing remains the most common cause of data breaches, accounting for 37% of all incidents managed by the law firm in 2018. The most common type of phishing attack seeks Office 365 credentials. 34% of phishing attacks in 2018 resulted in an Office 365 account being accessed by the attacker.

  1. Phishing Attacks – 37%
  2. Network Intrusions – 30%
  3. Accidental Disclosures – 12%
  4. Lost/stolen devices and records – 10%
  5. System Misconfiguration – 4%

30% of successful phishing attacks saw the attackers peruse the network to find accessible data. 12% of intrusions resulted in the deployment of ransomware, and 8% resulted in a fraudulent wire transfer. In 1% of cases, a successful phishing attack resulted in the deployment of malware other than ransomware.

55% of successful attacks occurred as a result of a mistake by employees, 27% were due to a non-vendor unrelated third party, 11% were due to a vendor, 5% of attacks involved a malicious insider, 3% were due to a non-vendor related third party, and 2% were due to an unrelated third party.

Incident Response, Investigation and Recovery

In 2018, 74% of breaches were discovered internally and 26% were identified by a third-party.

The average time to detect a breach across all industry sectors was 66 days. It took an average of 8 days to contain the breach and 28 days for a forensic investigation to be completed. The average time to issue notifications was 56 days.

Healthcare data breaches took an average of 36 days to discover, 10 days to contain, 32 days to complete a forensic investigation, and 49 days to issue notifications. Healthcare data breaches required an average of 5,751 notification letters to be sent.

There was an increase in investigations by OCR and state Attorneys General in 2018. 34% of breaches resulted in an investigation by an Attorney General and 34% were investigated by OCR. Out of 397 breach notifications issued, 4 lawsuits were filed.

There has been an increase in the use of forensic investigators following a breach. 65% of breaches involved some kind of forensic investigation compared to 41% of incidents in 2017. The average cost of a forensic investigation was $63,001 and $120,732 for network intrusion incidents.

The average ransom payment that was paid was $28,920 and the maximum was $250,000. In 91% of cases, payment of the ransom resulted in the attacker supplying valid keys to decrypt files.

70% of breaches required credit monitoring services to be offered, in most cases due to the exposure of Social Security numbers.

BakerHostetler also notes that following a data breach there is often an increase in access right requests. It is therefore important for companies to have established and scalable access right request processes in place to ensure they can cope with the increase following a security breach.

Interactive Data Breach Notification Map

Healthcare organizations are required to comply with the HIPAA Breach Notification Rule which requires breach notification letters to be issued to affected individuals within 60 days of the discovery of a breach of PHI.

States have also introduced their own breach notification laws, which differ from HIPAA and may, in some cases, require notifications to be issued more rapidly. To help companies find out about the breach notification requirements in each state, BakerHostetler has compiled an interactive data breach notification map.

Using this interactive tool, organizations can find out about the breach reporting requirements in each state. The interactive data breach notification map can be viewed on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.