HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Data Security Report Shows Main Points of Cyberattack by Industry Sector

SurfWatch, a leading provider of cyber risk intelligence analytics and applications, recently released a mid-year cyber risk intelligence report detailing the most common methods used by hackers to gain access to confidential patient and business data, including the main points of cyberattack by industry sector.

The company discovered that despite a number of highly sophisticated attacks on healthcare providers in recent months, the majority of hackers are still using the same tried and tested methods to break through security defenses as they have for years.

The most common points of attack are poorly secured websites and applications, patient and customer accounts, and endpoints, which account for 77% of all cyberattacks evaluated by SurfWatch analysts.

The main aim of the SurfWatch Labs 2015 Mid-Year Report was to identify the most effective ways organizations can reduce the risk of suffering cyberattacks. Big money is being diverted to improve cybersecurity defenses and to protect against hackers; however it is important that organizations look closely at all potential attack points, and take action to address the most serious risks first.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Adam Meyer, Chief Security Strategist, SurfWatch Labs, recently said, “Our data clearly shows most attackers go after soft targets – exploiting end-users and their numerous decision-points they face while interacting with technology,”

One of the main problems with current cybersecurity efforts are they are primarily concerned with the detection of improper access to computers, networks and EHRs; however, if preventative steps are not taken to deal with the risk of attack, healthcare providers and other HIPAA covered entities are likely to spend all of their time fighting fires.

As Meyer points out, “The problem is traditional cybersecurity approaches focus on detection rather than prevention. If you want to ensure your house doesn’t burn down, would you buy more smoke detectors or would you try to identify the risk factors for a fire starting? Organizations need to start putting more emphasis on gaining situational awareness of their cyber risks – so they can take more preventative actions.”

To produce the report, SurfWatch collected and analyzed data collected during the first 6 months of the year (Jan 1 – June 30, 2015) and compiled information on the ‘Actor’ – the individual who conducted the cyberattack, the target that was attacked, and the effect the attack had on the organization. The methods used to gain access to data were also assessed along with key industry metadata.

The data for the cyber risk study was collected from companies from the finance, energy, utility, retail and healthcare industries. The data show the main points of cyberattack by industry sector. Workers in the financial services industry were targeted by hackers using spear phishing campaigns; fooling them into downloading malware or visiting an infected website, with vulnerabilities in Internet Explorer commonly exploited. Hackers also concentrated on attacking card payment processors.

Spear phishing campaigns were also used to target workers in the energy and utility industries. Cybercriminals favored using infected Adobe PDF files, the opening of which allowed hackers to gain access to consumer data.

Malvertising campaigns, which allowed hackers to exploit vulnerabilities in Adobe Flash and Internet Explorer, was the most common method of attacking the retail and hospitality industries. According to the report, “A common practice was for cyber criminals to send legitimate ads to ad merchants representing news sites and once approved, the criminal then re-sends a malware-laden advertisement labeled ‘minor modification’ in the hopes of passing through the merchant.”

Interestingly, while cybercriminals used vulnerabilities in web browsers to attack other industry sectors, they were not so commonly used against HIPAA-covered entities. Instead, criminals exploited vulnerabilities that resulted from employee and company negligence, while malicious insiders were also responsible for a high percentage of attacks.

The full report can be downloaded here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.