External Threat Actors Outpace Insiders in Healthcare Data Breaches

For the second consecutive year, the Verizon Data Breach Investigations Report (DBIR) found external threat actors were behind more healthcare data breaches than insider errors.

For the second consecutive year, external threat actors caused the majority of healthcare data breaches in 2020, compared to just 39 percent caused by insiders, either inadvertently or intentionally, according to the latest Verizon Data Breach Investigations Report (DBIR).

In total, the data show that 61 percent of global security incidents in 2020 were caused by outside actors, through hacking and other nefarious activities.

“When you read the contents of the report, it is tempting to think that a vast array of threats demands a sweeping and revolutionary solution,” Alex Pinto, the report’s lead author, said in a statement. “However, the reality is far more straightforward.”

“The truth is that, whilst organizations should prepare to deal with exceptional circumstances, the foundation of their defences should be built on strong fundamentals - addressing and mitigating the threats most pertinent to them,” he continued.

The annual DBIR is based on datasets from a variety of sources, including the Verizon Threat Research Advisory Center investigators, reports from external collaborators, and publicly disclosed security incidents.

To compile the report, Verizon researchers analyzed a total of 29,207 reported security incidents from 88 countries, of which 5,258 were confirmed data breaches -- three times more than for the 2020 report. The DBIR also included responses from 83 contributing organizations.

For the healthcare sector, the researchers analyzed data from a total of 655 incidents, 472 with confirmed data disclosures: 45 from small entities, 31 from larger organizations, and 579 incidents from organizations of unknown size.

The overwhelming majority (86 percent) of these breaches were caused by system intrusions, basic web application attacks, and miscellaneous employee errors. Financially motivated organized hacking groups are continuing to prey on the sector, with ransomware as the leading tactic.

Despite the continued threat of outside actors, the researchers stressed that insiders remain a massive challenge for healthcare providers.

Human error accounts for the majority of these breaches, with 36 percent caused by misdelivery errors, either via electronic or paper documents. Other causes include publishing errors and misconfiguration (over 20 percent each), as well as lost data (about 15 percent) and disposal error (around 10 percent).

However, incidents caused by malicious insiders have dropped out of the top three culprits for the second year in a row.

Interestingly, personal data was compromised more frequently than medical data, at 66 percent compared to 55 percent.

“We have seen personal data compromised more often than medical in this sector,” the report authors wrote. “That strikes us as strange, given the fact that this is the one sector where you would expect to see medical information held most commonly.” 

“However, with the increase of external actor breaches, it may simply be that the data taken is more opportunistic in nature,” they added. “If controls, for instance, are more stringent on medical data, an attacker may only be able to access personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.”

The report also sheds light on breaches faced by small- to medium-sized entities: about 263 breaches, compared to 307 faced by larger organizations. Hacking and malware, or system intrusions, were the largest causes.

In terms of overall threats, the researchers found several consistent risks across all sectors. Namely, phishing remains one of the most prevalent threats, as it has been for the last two years. Ransomware landed in the third-place position for breach causes, at 10 percent.

Phishing accounted for 36 percent of overall breaches across all sectors, up from 25 percent in the last DBIR. Researchers estimate that COVID-19 and related phishing lures, as well as increases in work-from-home environments, have contributed to the increase in phishing attacks.

The threat continues to be closely tied to the use of stolen credentials in these breaches, as it has in previous years. But while the researchers expected a spike in breaches caused by phishing due to the pandemic, the numbers have remained relatively flat.

Lastly, researchers stressed that threat actors are gaining footholds through older vulnerabilities, such as EternalBlue, rather than newly disclosed flaws. EternalBlue targets a flaw in the SMB protocol through port 445. Microsoft released the patch for the flaw long before May 2017 -- and the WannaCry exploit.

Researchers noted that this highlights several key elements: which flaws get exploited depends on the capabilities an attacker can gain from exploiting the vulnerability, as well as on the payload. It also means organizations need to “patch smarter, not harder, by using vulnerability prioritization not necessarily to improve security, but to improve the organization’s productivity.”

“Every patch that has to be applied means you are that much farther from putting down the keyboard and picking up the d-pad,” researchers wrote. “Anything you can do to avoid patching vulnerabilities that do not improve your security keeps you just as secure but involves much less work (and less chance of burnout from your employees or service providers).”
