Dive Brief:
- Healthcare again led all industries in cybersecurity breaches in 2018, claiming a quarter of the more than 750 incidents reported, BakerHostetler's latest Data Security Incident Response Report shows.
- Health information was the second most at-risk type of data in cyber incidents, making up fully a third of potentially compromised records. Social Security numbers were the most at risk at 37%. More than half (55%) of all incidents involved insider error or activity, according to the report.
- Separately, Springfield, Massachusetts-based Baystate Health notified some 12,000 patients that a Feb. 7 phishing attack may have exposed their health information, and the Veterans Health Administration alerted 4,882 veterans treated at its Martinsburg, West Virginia, medical center that personal information may have been inadvertently mailed to other patients.
Dive Insight:
Healthcare organizations continue to be popular targets for cybercriminals because of the wealth of personal health information they hold, and employee mistakes are a big part of the problem. In an analysis of 1,138 breach cases that occurred between 2009 and 2017, 53% originated inside the organization.
In this new report, phishing attacks were the leading cause of breaches, accounting for 37% across all industries. Network intrusions were close behind at 30%, with unpatched servers and remote desktop connections providing easy points of entry.
Once cybercriminals gain access to a system, their next steps most often involve accessing an Office 365 account (34%), roaming the network for available data (30%), installing ransomware (12%) or securing a wire transfer to an attacker-controlled account (8%), according to the report.
For ransomware victims, the report offers some sobering news: Nearly one in 10 times (9%) that a ransom was paid, no decryption key was received. The average ransom paid last year was $28,920.
Among healthcare organizations, an average of 36 days elapsed between initial access and detection, plus another 10 days to contain the breach.
Across all industries, 27% of breach notifications triggered investigations last year, down from 54% in 2017. Breach reports resulted in 135 inquiries by state attorneys general and 34 investigations by the HHS Office for Civil Rights, up from 22 the prior year.
Healthcare organizations are required to notify OCR of breaches affecting 500 or more people and to classify them as one of six types: hacking, improper disposal, loss, theft, unauthorized access or disclosure, or unknown.
Data breaches pose the risk of hefty fines if HIPAA privacy rules are violated. In June, a federal judge upheld a $4.3 million fine against the University of Texas MD Anderson Cancer Clinic stemming from three data breaches that compromised the health information of more than 33,500 people. OCR faulted the hospital for not adopting encryption policies for patient data until 2011.
In the largest-ever HIPAA fine, health insurer Anthem agreed in October to pay $16 million to settle breaches related to a series of targeted cyberattacks in 2015 that exposed electronic protected health information for nearly 79 million members. A separate $115 million settlement will finance four years of credit monitoring and all other claims, costs and fees for those affected.
Anthem, which admitted no wrongdoing in the events, must also undertake a corrective action plan to restore compliance with HIPAA rules.
To protect against breaches, BakerHostetler recommends that organizations use "compromise threat intelligence" to identify emerging risks and address them before they become a direct threat, use security risk assessments to prioritize a security plan, and increase employee awareness and training on how to handle phishing emails. Organizations involved in mergers or acquisitions should perform due diligence on both entities' security posture and on potential vulnerabilities that could be exploited.
The law firm also suggests using security risk assessments to create a solid plan to maximize security. "If you stop at just getting an industry benchmark score, invest in enhancements without considering practical threat assessments, or take on too much just to improve your overall score, you may do more harm than good," the report says.
Organizations should also take precautions before moving data to the cloud, such as requiring multifactor authentication and placing the cloud resources employees use behind either that or enterprise single sign-on (SSO), the report says.