
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Data Security Report Shows Main Points of Cyberattack by Industry Sector

SurfWatch, a leading provider of cyber risk intelligence analytics and applications, recently released a mid-year cyber risk intelligence report detailing the most common methods used by hackers to gain access to confidential patient and business data, including the main points of cyberattack by industry sector.

The company discovered that despite a number of highly sophisticated attacks on healthcare providers in recent months, the majority of hackers are still using the same tried and tested methods to break through security defenses as they have for years.

The most common points of attack are poorly secured websites and applications, patient and customer accounts, and endpoints, which account for 77% of all cyberattacks evaluated by SurfWatch analysts.

The main aim of the SurfWatch Labs 2015 Mid-Year Report was to identify the most effective ways organizations can reduce the risk of suffering cyberattacks. Big money is being diverted to improve cybersecurity defenses and to protect against hackers; however, it is important that organizations look closely at all potential attack points and take action to address the most serious risks first.


Adam Meyer, Chief Security Strategist, SurfWatch Labs, recently said, “Our data clearly shows most attackers go after soft targets – exploiting end-users and their numerous decision-points they face while interacting with technology.”

One of the main problems with current cybersecurity efforts is that they are primarily concerned with the detection of improper access to computers, networks and EHRs; however, if preventative steps are not taken to deal with the risk of attack, healthcare providers and other HIPAA covered entities are likely to spend all of their time fighting fires.

As Meyer points out, “The problem is traditional cybersecurity approaches focus on detection rather than prevention. If you want to ensure your house doesn’t burn down, would you buy more smoke detectors or would you try to identify the risk factors for a fire starting? Organizations need to start putting more emphasis on gaining situational awareness of their cyber risks – so they can take more preventative actions.”

To produce the report, SurfWatch collected and analyzed data from the first 6 months of the year (Jan 1 – June 30, 2015) and compiled information on the ‘Actor’ – the individual who conducted the cyberattack, the target that was attacked, and the effect the attack had on the organization. The methods used to gain access to data were also assessed along with key industry metadata.

The data for the cyber risk study was collected from companies in the finance, energy, utility, retail and healthcare industries. The data show the main points of cyberattack by industry sector. Workers in the financial services industry were targeted by hackers using spear phishing campaigns, fooling them into downloading malware or visiting an infected website, with vulnerabilities in Internet Explorer commonly exploited. Hackers also concentrated on attacking card payment processors.

Spear phishing campaigns were also used to target workers in the energy and utility industries. Cybercriminals favored using infected Adobe PDF files, the opening of which allowed hackers to gain access to consumer data.

Malvertising campaigns, which allowed hackers to exploit vulnerabilities in Adobe Flash and Internet Explorer, were the most common method of attacking the retail and hospitality industries. According to the report, “A common practice was for cyber criminals to send legitimate ads to ad merchants representing news sites and once approved, the criminal then re-sends a malware-laden advertisement labeled ‘minor modification’ in the hopes of passing through the merchant.”

Interestingly, while cybercriminals used vulnerabilities in web browsers to attack other industry sectors, they were not so commonly used against HIPAA-covered entities. Instead, criminals exploited vulnerabilities that resulted from employee and company negligence, while malicious insiders were also responsible for a high percentage of attacks.

The full report can be downloaded here.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
