The 2015 Verizon Data Breach Investigations Report puts the healthcare industry under the spotlight. It reveals some of the major security issues the industry faces and the large gap between where HIPAA-covered entities (CEs) currently stand with their data security protections and where they need to be to meet the minimum standards HIPAA requires.
This is the eighth year that Verizon has released its security report and this year the data sample is bigger than ever, allowing greater faith to be placed in the report’s findings than in previous years. A total of 70 organizations contributed data for the report, an increase of 50% year on year. The company’s analysts looked at some 80,000 reported security incidents – up 26% from the previous year – and 2,100 reported data breaches, which is an increase of 55 percent from the previous year.
The report goes into intricate detail about the data breaches that have been reported over the past 12 months and offers advice on measures that can be employed to improve security and protect confidential data.
Verizon Adds a Breach Cost Calculation
The report delves into the costs of data breaches and, for the first time in its eight-year history, includes a cost estimator.
The cost of a data breach is a big worry for healthcare providers whose budgets are already stretched to breaking point. The report indicates that smaller breaches – involving just 100 records – could cost in the region of $18,120 to $35,730, though conceivably the cost could be as high as $555,660.
The report suggests that the cost of a breach involving 100 million records would likely fall between $5 million and $15.6 million, but could rise to $200 million. However, this appears to be a very conservative estimate, and it does not include class action lawsuits. Should those be ruled in the plaintiffs’ favor, there could be multibillion-dollar costs.
Verizon was well aware of the limitations of its methods of calculating costs, and commented that this year’s model is a significant improvement on the models it has tried before. The difficulty of accurately assessing the data is why the company refrained from including cost estimates in previous reports. Its calculations put the cost at just $0.58 per record.
Bob Rudis, security data scientist for Verizon’s Enterprise Solutions division, said, “We did the classifications that we would do for any incident and tried to refine the model many ways,” adding, “but we’re as disappointed as anyone to say that there are a lot of things contributing to the cost of breaches that we can’t account for yet.”
Class action lawsuits and fines from the OCR and state Attorneys General’s offices cannot easily be factored in, as they have not yet been issued and no settlements have been reached. A breach today may not result in a settlement before 2018 at the earliest, if at all, and class action lawsuits may run on for years before they are resolved.
Failure to Install Patches Is a Major Problem
One of the biggest problems identified in the report is the failure to install patches promptly. The data set under analysis included over 200 million successful exploitations across 500 vulnerabilities, with the sample coming largely from Chicago-based Risk I/O Inc. The data was collected from over 150 countries, starting at the end of 2013, and involved 20,000 threat feed partners.
Back in 2008, when the first report was compiled, Verizon found that 71% of the vulnerabilities that were exploited could have been prevented by installing a patch that had been available for more than a year.
The problem is clearly getting worse. Verizon said that last year, 99.9% of the vulnerabilities that were exploited had a patch available that could have prevented the successful breach, and that the patch had been available for over a year.
The report states that web app attacks on healthcare organizations are on the increase, as are Denial of Service attacks. Reported web app attacks accounted for 7% of breaches, up from 3% in 2013. Denial of Service attacks reached 9%, an increase of 2% year on year. These jumps indicate a shift in how cybercriminals are choosing to exploit healthcare providers’ security vulnerabilities.