How Long Does It Take to Breach a Healthcare Network?

A recent survey of hackers, incident responders, and penetration testers has revealed the majority can gain access to a targeted system within 15 hours, but more than half of hackers (54%) take less than five hours to gain access to a system, and identify and exfiltrate sensitive data.

61% of Surveyed Hackers Took Less than 15 Hours to Obtain Healthcare Data

The data comes from the second annual Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were based in the United States.

Respondents were asked about the time it takes to conduct attacks and steal data, the motivations for attacks, the techniques used, and the industries that offered the least resistance.

While the least protected industries were hospitality, retail, and the food and beverage industry, healthcare organizations were viewed as particularly soft targets. Healthcare, along with law firms, manufacturers, and sports and entertainment companies had below average results and were relatively easy to attack. As Nuix points out, many of the industries that were rated as soft targets are required to comply with industry standards for cybersecurity.

The retail and food and beverage industries are required to comply with Payment Card Industry Data Security Standard (PCI DSS) and healthcare organizations must comply with HITECH Act requirements and the HIPAA Security Rule, with the latter requiring safeguards to be implemented to ensure the confidentiality, integrity, and availability of healthcare data. As far as hackers are concerned, the data is certainly available. When asked how long it takes to breach the perimeter of a hospital or healthcare provider and exfiltrate useful data, 18% said less than 5 hours, 23% said 5-10 hours, and 20% said 10 to 15 hours. ‘Large numbers’ of hackers said they were able to identify and exfiltrate sensitive data within an hour of breaching the network perimeter.

Even though organizations are required to comply with certain standards for cybersecurity, that does not mean that appropriate safeguards are implemented, or that they are implemented correctly and are providing the required level of protection.

“Most organizations invest heavily in perimeter defenses such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass,” said Chris Pogue, Head of Services, Security and Partner Integration at Nuix and lead author of the report.

How Are Hackers Gaining Access to Networks and Data?

The most popular types of attacks are social engineering (27%) and phishing attacks (22%), preferred by 49% of hackers. 28% preferred network attacks.  The popularity of ransomware has soared in recent years, yet it was not a preferred attack method, favored by only 3% of respondents to the survey.

Social engineering is used sometimes or always by 50% of attackers, with phishing emails by far the most popular social engineering method. 62% of hackers who use social engineering use phishing emails, physical social engineering on employees is used by 22%, and 16% obtain the information they need over the telephone.

The most commonly used tools for attacks were open source hacking tools and exploit packs, which combined are used by 80% of surveyed hackers.

Interestingly, while the threat landscape is constantly changing, hackers do not appear to change their tactics that often. Almost a quarter of hackers only change their attack methods once a year and 20% said they update their methods twice a year.

As for the motivation for the attacks, it is not always financial. 86% hack for the challenge, 35% for entertainment/mischief, and only 21% attack organizations for financial gain.

One take home message from the survey is just how important it is to implement security awareness programs and train staff cybersecurity best practices and to be alert to the threat from social engineering and phishing attacks. With almost half of hackers preferring these tactics, ensuring the workforce can identify phishing and social engineering attacks will greatly improve organizations’ security posture.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.