Cybercrime continues to increase, with a sharp rise in the number of attacks involving ransomware, according to the Verizon 2022 Data Breach Investigations Report (DBIR).
The team that prepared the report analyzed 23,896 security incidents that occurred from November 1, 2020 to October 31, 2021, of which 5,212 were confirmed data breaches. They found that 82% of these breaches involved the human element, such as the use of stolen credentials, phishing, misuse, or simple errors.
“Our findings indicate that data compromises are considerably more likely to result from external attacks than from any other source,” the authors wrote, adding that nearly 3 out of 4 cases yielded evidence pointing outside the victim organization.
Business partners were involved in 39% of the data breaches. Internal sources accounted for the smallest share of breaches (18%), trailing those of external origin by a ratio of roughly 4 to 1.
“External actors are taking advantage of poor credentials to target external services like email servers and web applications to access key information from their targets,” said Philippe Langlois, Senior Principal for Security Risk Management at Verizon. “While these types of attacks aren’t unique to the health care industry, it can certainly be impactful considering the type of data physicians regularly handle.”
He noted there is a significant difference in the breaches that occur in the health care industry compared with other segments of the economy. Internal actors have played a predominant role in breaches since Verizon first began collecting health care data for the DBIR. “These internal actors are employees that are causing breaches,” Langlois said. “However, it should be noted that they’re most often not causing breaches with malicious intent, [but] rather accidentally via sending emails with health information to the wrong recipient.”
“The majority of HIPAA violations are a result of accidental data breaches,” Langlois said. “While there has been a steady increase in HIPAA violations in recent years, this is not due to inside actors with malicious intent, rather the same players becoming more sophisticated in their hacking methods.”
Due to HIPAA and other similar regulations, health care may at times seem to have a disproportionate number of incidents or breaches, but Langlois noted this does not necessarily indicate a poor security posture. More stringent reporting requirements could be the reason.
Ransomware Attacks Rise
The report showed that ransomware actors continue to target health care organizations and encrypt their data, severely impairing their ability to provide key services to patients, not to mention triggering HIPAA breach obligations. During the latest study period, ransomware's share of breaches rose by nearly 13 percentage points, an increase as large as the previous 5 years combined; these attacks were involved in 25% of breaches, according to the report.
Some 40% of ransomware incidents examined in the most recent report have involved desktop-sharing software and 35% involved email. “There are a variety of different tools the threat actor can use once they are inside your network, but locking down the external-facing infrastructure, especially RDP (remote desktop protocol) and emails, can go a long way toward protecting your organization against ransomware,” the report’s authors wrote.
Ed Gaudet, CEO and founder of Censinet, a cyber risk management solution provider based in Boston, Massachusetts, said physician practices and ambulatory care centers must assess the risk of cyber threats on a regular basis using the Health Industry Cybersecurity Practices (HICP) and deploy security controls appropriately. “The HIPAA breach trends are worse than ever,” Gaudet said. “It’s not a matter of if anymore, it’s a matter of when. The stakes are higher than ever before. Not only are the number of patient records breached increasing, but cyberattacks are more lethal, leading to patient safety and care disruption issues.”
To reduce their exposure, medical practices should have 2-factor authentication in place, and staff should not reuse or share passwords. Computer systems should include a password manager that can generate unique passwords. Experts recommend that practices install software updates promptly so that known vulnerabilities are patched. Practices should ensure that all computers have their built-in firewalls turned on and that antivirus software is installed on all devices, including computers, smartphones, tablets, and credit card readers. They also recommend keeping offline backups of information on a consistent schedule.
Many breaches occur because an employee clicks on a link in an unsolicited email or text message. For this reason, it is suggested that all medical practices establish a way to verify unusual requests for data or payments, ideally through a second channel such as a phone call to a known number. Additionally, practices should ensure that computers used for financial transactions are not used for other purposes such as social media or email. Further, clinicians should only use email services that incorporate phishing and pretexting defenses, and use a web browser that warns if a website poses a threat.
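The report's advice to lock down external-facing RDP, and the checklist above (built-in firewall on, antivirus running, updates applied promptly), can be turned into a repeatable audit of a Windows endpoint. The script below is an added example written for this page; it is not from Verizon, the DBIR, or any vendor quoted here. It uses only standard Windows cmdlets (NetSecurity, CimCmdlets, Defender, Get-HotFix) and must run in an elevated session. The trusted address ranges, the 30-day patch threshold and the 7-day signature-age threshold are assumptions to be replaced with the practice's own values; the built-in firewall rule group is assumed to carry its default display name "Remote Desktop".

```powershell
#Requires -RunAsAdministrator
# Added example: audit and harden one Windows endpoint against the DBIR-cited
# ransomware entry points (exposed RDP) and the basic hygiene items (firewall,
# antivirus, patching). Not part of the original article or report.

$TrustedRanges   = @('10.0.0.0/8', '192.168.0.0/16')  # ASSUMPTION: practice LAN/VPN subnets
$MaxPatchAgeDays = 30                                  # ASSUMPTION: acceptable patch lag
$MaxSigAgeDays   = 7                                   # ASSUMPTION: acceptable AV signature age
$findings        = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

if ($rdpEnabled) {
    # 2. Require Network Level Authentication: the client must authenticate
    #    before a session (and its attack surface) is created.
    $rdpTcp = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                              -ClassName Win32_TSGeneralSetting `
                              -Filter "TerminalName='RDP-Tcp'"
    if ($rdpTcp.UserAuthenticationRequired -ne 1) {
        $findings += 'RDP: NLA was not required; enabling it'
        Invoke-CimMethod -InputObject $rdpTcp -MethodName SetUserAuthenticationRequired `
                         -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    }

    # 3. Scope the built-in inbound "Remote Desktop" rules to trusted ranges.
    #    A RemoteAddress of "Any" means the host itself will accept RDP from anywhere.
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
    foreach ($rule in $rdpRules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "RDP: rule '$($rule.DisplayName)' allowed inbound from Any; restricted to $($TrustedRanges -join ', ')"
            $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges
        }
    }
}

# 4. The built-in firewall must be on for every profile (Domain, Private, Public).
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') {
        $findings += "Firewall: profile '$($profile.Name)' was disabled; enabled"
        Set-NetFirewallProfile -Name $profile.Name -Enabled True
    }
}

# 5. Antivirus: Microsoft Defender real-time protection and signature freshness.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'AV: Defender real-time protection is off'
}
if ($mp.AntivirusSignatureAge -gt $MaxSigAgeDays) {
    $findings += "AV: signatures are $($mp.AntivirusSignatureAge) days old (threshold $MaxSigAgeDays)"
}

# 6. Patching: days since the most recent installed hotfix.
$lastPatch = (Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if (-not $lastPatch -or ((Get-Date) - $lastPatch).Days -gt $MaxPatchAgeDays) {
    $findings += "Patching: last hotfix installed $lastPatch (threshold $MaxPatchAgeDays days)"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Two caveats a practitioner would add: the host firewall only governs the endpoint itself, so a perimeter router that forwards TCP/3389 from the internet still has to be checked separately, and scoping RDP to internal ranges is a stopgap; the stronger posture the report's advice points toward is to take RDP off the internet entirely and reach it only through a VPN or gateway that enforces multi-factor authentication.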