Healthcare is The Only Industry Where Insiders Pose the Biggest Threat

Verizon has published its 2017 Data Breach Investigations Report, providing an insight into the world of cybersecurity, data breaches, and the current threat landscape.

This is the tenth installment of the report, which this year includes data collected from 65 organizations, 42,068 separate cybersecurity incidents and 1,935 data breaches experienced by organizations in 84 countries.

Majority of Attackers are Opportunistic Hunters Looking for Vulnerabilities

While large organizations are big targets and face a higher than average risk of experiencing a data breach, the Verizon report shows that all organizations are at risk of cyberattacks. 61% of data breaches occurred at organizations with fewer than 1,000 employees.

Targeted attacks on organizations do occur, but the majority of cybercriminals are opportunistic. Hackers gain access to systems and data as a result of unpatched vulnerabilities, errors made by employees, and poor choices of cybersecurity solutions that fail to protect against the latest threats.

One of the most important messages from the report is that organizations need to choose their cybersecurity solutions carefully and not rely on solutions that have served them well in the past. The threat landscape is constantly changing, so it is essential that security solutions are regularly evaluated to make sure they continue to protect against the latest threats. Just because cybersecurity solutions have worked well in the past does not mean they will continue to be effective in the future.

Even the most advanced cybersecurity defenses can be undone by simple errors and poor security practices. Take passwords, for example. The report shows that 81% of hacking-related breaches leveraged stolen and/or weak passwords.

Controls should be put in place forcing users to choose strong passwords. Users should also be forced to change their passwords regularly. IT departments often criticize employees for being careless and having a lack of basic security awareness, yet many breaches result from IT staff failing to change default passwords. These basic errors must be corrected across the board.

In 66% of cases, malware infections occurred as a result of employees opening infected email attachments, and one in 14 employees either opened an infected email attachment or clicked on a malicious link in an email. Training should cover the high risk of attack via email, and end users should be trained how to spot phishing emails and instructed not to open attachments or click on links sent from unknown individuals. However, single training sessions are insufficient. Regular refresher training sessions should be conducted to reinforce the importance of being more security aware.

Healthcare is the Only Industry Where the Biggest Threat is Insiders

Healthcare data breaches have increased in the past year, although the industry is not the most attacked sector. Healthcare data breaches accounted for 15% of the total with financial institutions the worst hit, registering 24% of breaches.

Hacking continues to be a major cause of data breaches, accounting for 62% of the total. Malware was involved in 51% of incidents, and 43% of attacks involved social media. The report shows that ransomware attacks are an ever-present threat, with incidents increasing by 50% in the past year.

Insiders are a major risk. Across all industries, 75% of breaches involved outsiders and 25% of attacks involved internal actors. However, that was not the case for the healthcare industry, where 68% of breaches were internal – the only industry where the biggest threat to data security comes from within.

81% of healthcare data breaches involved either the loss or theft of equipment/documents, insider and privilege misuse, or unintentional errors by employees. As recent OCR breach reports have shown, the loss and theft of electronic devices continue to be a major cause of healthcare data breaches.

The Protenus Breach Barometer report for March 2017 shows that theft and loss incidents accounted for 21% of reported data breaches – the third highest cause – yet those incidents resulted in the exposure of the most records.

The use of data encryption can prevent the loss or theft of electronic equipment resulting in the exposure or disclosure of data. However, as Verizon points out, many incidents involve the loss of documents, for which encryption is no use. It is important not to forget in this electronic age that many breaches involve paper records.

Training on privacy and security along with updates to policies and procedures can help to tackle the loss and theft of physical PHI. As far as is possible, employees should be discouraged from printing documents containing sensitive information.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.