Ashish Thapar, Managing Principal and Regional Head – APJ, Verizon in an interaction with Sanjiv Das, elaborates on the alarming rate of breaches in the healthcare sector, its impact and ways to prevent it
The 2019 Verizon Data Breach Investigations Report (DBIR) is built upon analysis of 41,686 security incidents, of which 2,013 were confirmed data breaches. Amidst this, how many incidents were reported from the health sector?
Unfortunately, there has been a surge in the number as well as the size of cyber-attacks in the healthcare sector. Out of 2,013 breaches, about 15 per cent are from the healthcare sector. The statistics below have been gathered from DBIR 2019 on the healthcare sector:
- Frequency: 466 incidents, 304 with confirmed data disclosures
- Top 3 patterns: Miscellaneous errors, crimeware and privilege misuse represent 81 per cent of incidents within healthcare
- Threat actors: 42 per cent external, 59 per cent internal, four per cent partner and three per cent multiple parties (breaches)
- Actor motives: 83 per cent financial, six per cent fun, three per cent convenience, three per cent grudge, two per cent espionage (breaches)
- Data compromised: Medical 72 per cent, personal four per cent, credentials 25 per cent
What was the methodology used to collect the data? How many countries/focus areas were taken into consideration while collecting the data?
The collection method and conversion techniques differed among contributors. In general, three basic methods (expounded below) were used to accomplish this:
- Direct recording of paid external forensic investigations and related intelligence operations conducted by Verizon using the VERIS (Vocabulary for Enterprise Risk and Incident Sharing) Webapp.
- Direct recording by partners using VERIS.
- Converting partners' existing schemas into VERIS.
For a potential entry to be eligible for the incident/breach corpus, a couple of requirements must be met. The entry must be a confirmed security incident, defined as a loss of confidentiality, integrity or availability. In addition to meeting the baseline definition of ‘security incident,’ the entry is assessed for quality. We create a subset of incidents (more on subsets later) that pass our quality filter. The details of what is a “quality” incident are:
The incident must have at least seven enumerations (e.g., threat actor variety, threat action category, variety of integrity loss, et al.) across 34 fields or be a DDoS attack. Exceptions are given to confirmed data breaches with fewer than seven enumerations. The incident must have at least one known threat action category (hacking, malware, etc.).
For the second year in a row, the healthcare vertical is the only industry to show a greater number of insider attacks. What type of breaches are common in the health sector?
The healthcare vertical is rife with error and misuse. In fact, it is the only industry vertical that has more internal actors behind breaches than external. Ransomware accounts for 70 per cent of all malware in healthcare.
- Social attacks (mostly phishing and pretexting) appear in approximately 13 per cent of incidents in healthcare and are a definite matter for concern. Phishing (48 per cent of social attacks) occurs when an attacker sends a communication—usually an email—to an individual attempting to influence them to open an infected file or click on a malicious link.
- Pretexting is a similar social attack but relies somewhat more on tricking someone and less on a hyperlink or an attachment. In this scenario, the criminal emails, calls or even visits an employee in person and engages them in conversation to fool the victim into providing the attacker with credentials, or other sensitive data, with which they can launch an attack.
- The healthcare industry has a multi-faceted problem with mail, in both electronic and printed form. The industry is not immune to the same illnesses we see in other verticals, such as the very common scenario of phishing emails sent to dupe users into clicking and entering their email credentials on a phony site. The freshly stolen login information is then used to access the user’s cloud-based mail account, and any patient data that is chilling in the Inbox, or Sent Items, or any other folder for that matter is considered compromised – and it’s disclosure time.
- Misdelivery, sending data to the wrong recipient, is another common threat action variety that plagues the healthcare industry. It is the most common error type that leads to data breaches, where documents are a commonly compromised asset. This could be due to errors in mailing paperwork to the patient’s home address or by issuance of discharge papers or other medical records to the wrong recipient.
What makes it more vulnerable and how can the vulnerabilities be fixed?
Healthcare is not only fast paced and stressful, it is also a heavily-regulated industry. Those who work in this vertical need to do things right, fast and remain in compliance with legislation such as HIPAA and HITECH (in the US) and other regional or global data privacy statutes. Effectively monitoring and flagging unusual and inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for this vertical. Across all industries, internal actor breaches have been more difficult to detect, more often taking years to detect than those breaches which involve external actors.
Another concern that is bothering healthcare companies is the threat of medical devices being tampered with or made to malfunction by adversaries. These are very scary scenarios where, let us say, an insulin pump, drug infusion pump or a pacemaker (the devices that keep people alive) can be hacked to malfunction, leading to a critical medical emergency for a patient. Things to be considered to avoid vulnerabilities:
- Easy access: Know where your major data stores are, limit necessary access, and track all access attempts. Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs and make a goal of finding any unnecessary lookups.
- Snitches don’t get stitches: Work on improving phishing reporting to more quickly respond to early clickers and prevent late clickers.
- Perfectly imperfect: Know which processes deliver, publish or dispose of personal or medical information and ensure they include checks so that one mistake doesn’t equate to one breach.
Can you elaborate on how huge the adverse impact of breaches of medical data can be?
The impacts of medical data breaches could be humongous. The healthcare sector has seen a great amount of digital automation, and it continues to advance in how medical care is provided to patients, which often results in more data being gathered and processed. The sensitive patient data or protected health information (PHI) is processed and transmitted across several systems that may not be adequately protected against cyber-attacks. In the hands of criminals, PHI can be abused in all types of crimes including identity theft, prescription fraud, and the provision of medical care to a fraudulent third party in the victim’s name. Another very important perspective is that healthcare data has a very long/permanent life as it cannot be changed, unlike credit card information, which can always be changed to limit the exposure.
How has India fared in measures to prevent data breach as compared to other countries?
The healthcare industry in India is growing at an exceptional rate of 15.92 per cent per annum, according to the Indian Pharmaceutical Congress, which will help the industry grow to the $55 billion mark by 2020, positioning India in sixth place globally. Apart from the growth of the industry, digitalisation has also led to a rise in the collection and analysis of data, making it susceptible to cyber criminals and to being infected with malware. With the right to privacy now being made a fundamental right in India and an increase in the number of data breaches, the Ministry of Health and Family Welfare (MoH&FW) has decided to roll out the draft legislation titled Digital Information Security in Healthcare Act (DISHA). The act seeks to regulate the generation, collection, storage, transmission, access and use of all digital health data. Further, the Personal Data Protection Act (yet to be passed in the parliament) should pave the way for a stronger data protection framework in the country. A regime to mandate disclosure of data breaches to regulators and affected entities would also be very helpful in creating effective deterrence and transparency in the industry.
What type of steps are required in terms of building policies, creating strategies and investment at micro and macro level?
A critical step in defending your reputation and the security of your customers is managing the risks involved in collecting and storing personally identifiable health information. The question to be asked is ‘Are you protecting against today’s threats or tomorrow’s?’ Below are a few points to consider for protecting the healthcare industry from an attack:
- Know your data and the risk thereof: This is the most fundamental step that many organisations tend to miss or handle insufficiently. Companies should look at measures to devalue data by using controls such as encryption, tokenisation and truncation. An application/system designed with security in mind right from the start is the best approach to drive better protect, detect and respond controls.
- Instituting a policy: Ensure that policies and procedures are in place which mandate monitoring of internal Protected Health Information (PHI) accesses. Make all employees aware via security training and warning banners that if they view any patient data without a legitimate business need there is potential for corrective actions.
- Don’t spread the virus: Preventive controls regarding defending against malware installation are of utmost importance. Take steps to minimise the impact that ransomware can have on your network. Data shows that the most common vectors of malware are via email and malicious websites, so focus your efforts around those factors.
- Reduce risk footprint: The theft or misplacement of unencrypted devices continues to feed our breach dataset. Full Disk Encryption (FDE) is both an effective and low-cost method of keeping sensitive data out of the hands of criminals. FDE mitigates the consequences of physical theft of assets by limiting exposure to fines and reporting requirements.
Risk management in combination with robust cyber response strategy is the key to both mitigation of cyber threats and recovery from a breach. A healthcare entity that knows the risks and controls the data flowing both within and outside its walls is better equipped to protect sensitive data, mitigate and respond to possible security incidents and, most importantly, assure the safety and security of its patients.