Another change that goes along with decreased insider misuse breaches is the corresponding drop in multiple actor breaches. The Healthcare sector has typically been the leader in this type of breach—which usually occurs when External and Internal actors combine forces to abscond with data that is then used for financial fraud. The multiple actor breaches last year were at 4% and this year we see a drop to 1%. The 2019 DBIR reported a first in that the Healthcare vertical had Internal actor breaches (59%) exceeding those perpetrated by External actors (42%). This year, External actor breaches are slightly more common at 51%, while breaches perpetrated by Internal actors fall to 48%. However, this is a small percentage difference and Healthcare remains the industry with the highest number of internal bad actors.
As with many things in life, as one attack grows more prevalent, others begin to decrease. So the story goes with the Miscellaneous Errors pattern. While it has frequently graced the top three patterns in this sector, it took the gold this year. In case you are curious, the top mistake within Healthcare is our old friend, Misdelivery.
This Error tends to fall into two major categories:
- Someone is sending an email and addresses it to the wrong (and frequently wider) distribution—it’s an added bonus if a file containing sensitive data was attached
- An organization is sending out a mass mailing (paper documents), and the envelopes with the addresses become out of sync with the contents of the envelope. If sampling is not done periodically throughout the mailing process to ensure that they remain *NSYNC, then it’s bye, bye, bye to your patients’ sensitive information
When thinking of the Healthcare vertical, one naturally thinks of Medical data. And, unsurprisingly, this is the industry in which that type of data is the most commonly breached. However, we also see quite a lot of both Personal data (which can be anything from basic demographic information to other covered data elements) and Credentials stolen in these attacks. The second most common pattern for Healthcare is the Web Applications attack. As more and more organizations open patient portals and create new and innovative ways of interacting with their patients, they create additional lucrative attack surfaces.
Finally, we see a good deal of the Everything Else pattern, which is not unlike a lost and found for attacks that do not fit the criteria of any other attack pattern. It is within this pattern that the business email compromise resides. If you’re not familiar with this attack, it is typically a phishing attack with the aim of leveraging a pretext (an invented scenario to give a reason for the victim to do what the attacker wants) to successfully transfer money (by wire transfer, gift cards or any other means). Although these are common attack types across the dataset, it is a good reminder to Healthcare organizations that it isn’t only patient medical data that is being targeted.
When did you first notice these symptoms?
The time required to compromise and exfiltrate data has been getting smaller in our overall dataset. Unfortunately, the time required for an organization to notice that it has been breached is not keeping pace. There is a discrepancy there somewhat akin to how long it takes you to earn your wages vs. how long it takes for them to be taxed. Some attacks, by their very nature, will both happen quickly and be detected quickly. A good example is a stolen laptop—how long does it take someone to smash a car window and make off with the loot? (That is a rhetorical question, so don’t mail in answers; there is no prize for getting it right.) Likewise, it also doesn’t take much time for the owner to come back to their car and see the break-in.
Both of these will have a short duration due to the nature of the crime. In contrast, an insider who has decided to abuse their access to copy a small amount of data each week and sell it to their buddy, who in turn utilizes it for financial fraud, may not be caught for a very long time.