Healthcare stands out due to the majority of breaches being associated with
internal actors. Denial of Service attacks are infrequent, but availability
issues arise in the form of ransomware.
Frequency: 466 incidents, 304 with confirmed data disclosure
Top 3 patterns: Miscellaneous Errors, Privilege Misuse and Web Applications represent 81% of incidents within Healthcare
Threat actors: Internal (59%), External (42%), Partner (4%) and Multiple parties (3%) (breaches)
Actor motives: Financial (83%), Fun (6%), Convenience (3%), Grudge (3%), and Espionage (2%) (breaches)
Data compromised: Medical (72%), Personal (34%), Credentials (25%) (breaches)
The doctor can’t see you now (that you work for them)
Most people do not enjoy going to the hospital, but once it becomes unavoidable we all need to believe fervently that the good women and men who are providing us care are just this side of perfect. Spoiler alert: they are not. Healthcare is not only fast paced and stressful, it is also a heavily regulated industry. Those who work in this vertical need to do things right, do things fast, and remain in compliance with legislation such as HIPAA and HITECH (in the US). That in itself is a pretty tall order, but when one combines that with the fact that the most common threat actors in this industry are internal to the organization, it can paint a rather challenging picture. With internal actors, the main problem is that they have already been granted access to your systems in order to do their jobs. One of the top pairings in Table 5 between actions and assets for Healthcare was privilege abuse (by internal actors) against databases. Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for this vertical. Across all industries, internal actor breaches have been more difficult to detect, and more often take years to discover than breaches involving external actors do.
- 2019 DBIR
Mailing it in
The Healthcare industry has a multifaceted problem with mail, in both electronic and printed form. The industry is not immune to the same illnesses we see in other verticals, such as the very common scenario of phishing emails sent to dupe users into clicking and entering their email credentials on a phony site. The freshly stolen login information is then used to access the user’s cloud-based mail account, and any patient data that is chilling in the Inbox, or Sent Items, or any other folder for that matter, is considered compromised – and it’s disclosure time.
Misdelivery, sending data to the wrong recipient, is another common threat action variety that plagues the Healthcare industry. It is the most common error type that leads to data breaches as shown in Figure 51. As seen in Table 5 above, documents are a commonly compromised asset. This could be due to errors in mailing paperwork to the patient’s home address or by issuance of discharge papers or other medical records to the wrong recipient.
Most ransomware incidents are not defined as breaches in this study due to their lack of the required confirmation of data loss. Unfortunately for them, Healthcare organizations are required to disclose ransomware attacks as though they were confirmed breaches due to U.S. regulatory requirements. This compulsory action will influence the number of ransomware incidents associated with the Healthcare sector. Acknowledging the bias, this is the second straight year that ransomware incidents were over 70 percent of all malware outbreaks in this vertical.
Things to consider
Know where your major data stores are, limit necessary access, and track all access attempts. Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups.
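The monitoring described above, flagging record lookups with no documented care or business relationship and users whose lookup volume is far above their peers, as an added example that is not part of the DBIR. The audit log and care-team roster are constructed sample data; a real EHR audit trail would also carry timestamps, workstation and action type.

```python
from collections import defaultdict
from statistics import median

# Constructed sample EHR audit records: (user, role, patient_id).
AUDIT_LOG = [
    ("dr_ahmed", "physician", "P1"), ("dr_ahmed", "physician", "P2"),
    ("nurse_lee", "nurse", "P1"), ("nurse_lee", "nurse", "P4"),
    ("dr_park", "physician", "P3"), ("dr_park", "physician", "P4"),
    ("dr_park", "physician", "P1"),          # no care relationship with P1
    ("clerk_ruiz", "billing", "P1"), ("clerk_ruiz", "billing", "P2"),
] + [("clerk_ruiz", "billing", f"P{n}") for n in range(3, 10)]  # 7 extra patients

# Constructed roster: patient -> users with a documented treatment or billing relationship.
CARE_TEAM = {
    "P1": {"dr_ahmed", "nurse_lee", "clerk_ruiz"},
    "P2": {"dr_ahmed", "nurse_lee", "clerk_ruiz"},
    "P3": {"dr_park"},
    "P4": {"dr_park", "nurse_lee"},
}

def flag_unrelated_lookups(log, care_team):
    """Return (user, patient) pairs where the user has no documented relationship.
    Patients absent from the roster count as unrelated for every user."""
    return [(user, patient) for user, _role, patient in log
            if user not in care_team.get(patient, set())]

def flag_high_volume_users(log, factor=3.0):
    """Return (user, distinct_patient_count) for users whose distinct-patient
    lookups exceed `factor` times the median across all users."""
    patients_by_user = defaultdict(set)
    for user, _role, patient in log:
        patients_by_user[user].add(patient)
    counts = {u: len(p) for u, p in patients_by_user.items()}
    if not counts:
        return []
    threshold = factor * median(counts.values())
    return sorted((u, c) for u, c in counts.items() if c > threshold)

def review_queue(log=AUDIT_LOG, care_team=CARE_TEAM):
    """Combine both signals into one per-user list a privacy officer can review."""
    by_user = defaultdict(list)
    for user, patient in flag_unrelated_lookups(log, care_team):
        by_user[user].append(patient)
    volume = dict(flag_high_volume_users(log))
    return {u: {"unrelated": sorted(by_user[u]), "distinct_patients": volume.get(u)}
            for u in sorted(set(by_user) | set(volume))}

if __name__ == "__main__":
    for user, detail in review_queue().items():
        print(user, detail)
```

The relationship check catches the single out-of-team lookup by a physician, while the volume check catches the billing clerk whose lookups spread across far more patients than anyone else; both land in the same review queue.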
Snitches don’t get stitches
Work on improving phishing reporting to more quickly respond to early clickers and prevent late clickers. Think about reward-based motivation if you can—you catch more flies with honey. And you can catch phish with flies. Coincidence?
Know which processes deliver, publish or dispose of personal or medical information and ensure they include checks so that one mistake doesn’t equate to one breach.