According to the 2018 Verizon Data Breach Investigations Report, healthcare “is the only industry vertical that has more internal actors behind breaches than external”.
Healthcare service providers have come under a lot of scrutiny in recent times due to repeatedly failing to protect the data they hold. While such scrutiny is both understandable and ultimately necessary, healthcare providers have a wide attack surface which makes them particularly vulnerable to cyber-crime. After all, they handle vast amounts of sensitive patient data which must be accurate and up-to-date. Additionally, the records they hold must be immediately accessible to those who need them, as any delays could have serious repercussions.
The biggest cause of both security incidents and data breaches is miscellaneous errors. Such errors include sending information to the wrong person, misplacing assets, publishing errors, misconfigured systems, and errors relating to the disposal of sensitive data. Healthcare is almost seven times more likely to be affected by miscellaneous errors than any other industry. Privilege misuse was the second biggest cause of data leakage. In terms of motives, 75% of breaches were financially motivated, while “fun or curiosity” was the motive behind 13% of incidents. Other motives include convenience (5%) and espionage (5%).
Ransomware: The Virus Hospitals Cannot Treat
The dreaded ransomware continues to plague the healthcare industry. Ransomware makes up 85% of all identified malware attacks in the industry. While it is true that healthcare is disproportionately targeted compared to other industries, it should also be noted that healthcare has more stringent reporting requirements, which may skew the statistics slightly. Whichever way you look at it, ransomware is still a big headache for service providers, and since it is a relatively low-risk, high-reward method of attack, the threat of ransomware will likely stick around for some time.
In addition to ransomware, social engineering attacks, such as phishing, continue to show up unannounced, and account for 14% of incidents in healthcare. Social engineering attacks typically arrive in the form of an email which is designed to trick an unsuspecting victim into opening an infected file or clicking on a malicious link. Doing so will download and execute the malware program. Such malware is often used to enable prolonged access to the system and is typically referred to as an Advanced Persistent Threat (APT). In addition to using emails, criminals may also make telephone calls to employees, and even speak to them in person, in order to trick them into handing over any information that can be used to launch an attack.
Public sector breaches are second only to healthcare when it comes to insider security threats. One third (34%) of public sector breaches are caused by privilege misuse and miscellaneous errors.
In just 12 months, public sector agencies across the globe experienced 22,788 security incidents, of which 304 led to a confirmed disclosure of sensitive data. These figures are hardly surprising since Governments store vast amounts of information, not only about the citizens they serve, but also about the staff they employ. After all, in most developed countries, Government is the biggest employer. What is perhaps more alarming is that “almost half of breaches were discovered months or years after the initial compromise”.
The number one cause of data leakage in the public sector was cyber-espionage. However, as with healthcare, the public sector is typically bound by more stringent reporting requirements than other industry verticals, which may distort the comparisons. The type of data that is typically compromised includes personal data (41%), Government secrets (24%) and medical information (14%).
Espionage-related breaches are typically carried out by other state-affiliated groups and organized crime syndicates, who utilize a variety of attack vectors including:
- Phishing attacks: as mentioned above.
- Command-and-control servers (C&C/C2): used by hackers to maintain communications with compromised systems, enabling them to carry out malicious actions.
- Backdoors: often used by malware programs to download other malware modules that can help to execute an even greater attack.
- Other forms of malware: used to grab user credentials via keyloggers and password dumpers.
What Can Healthcare & Public-Sector Entities Do To Protect Themselves From Insider Threats?
Since “misplaced assets” are one of the biggest threats to the security of healthcare data, it is very important that service providers encrypt everything they can. Full Disk Encryption (FDE) is a low-cost and effective way of ensuring that sensitive data does not get exposed to criminals. Service providers must ensure that they have policies and procedures in place that are designed to secure PHI (Protected Health Information).
With regards to protection against ransomware, service providers will need to ensure that all staff members are well informed about ransomware and know how to spot suspicious emails. They will need to keep regular and reliable backups, use anti-virus software, use email filters/scanners, and ensure that all software is patched and updated. Should the above measures fail, “threshold alerting” can be used to help prevent the ransomware from spreading. For example, if X number of files are encrypted within a given time-frame, this may indicate that a ransomware attack has been initiated. The threshold alerting software can then automate a response, which may include shutting down the servers, changing the firewall settings, stopping a specific process, or disabling a user account.
Since employees are statistically the biggest threat to healthcare data security, the best ways you can address insider threats in the healthcare sector revolve around education and password policies. Regular training on the intrinsic value of data and the evolving cyber-security landscape will help employees understand the need for strict security policies. If your employees know the potential damage of clicking on a malicious link or not resetting their strong password regularly, they will be far less likely to be the sole cause of a data breach.
Given that cyber-espionage and privilege misuse are currently the leading causes of data disclosure, public sector entities will need to focus a lot more on auditing their sensitive data. Access privileges must be granted on a “need to know” basis, and will need to be revoked in a timely manner if they are no longer required. Below is a basic checklist of measures that public-sector agencies should employ in order to protect their critical data.
Public sector agencies must ensure that they are able to:
- Maintain least privilege access. They will need to be able to review current permissions, show how permissions are granted, and when they change.
- Detect suspicious file and folder activity. They will need to be able to detect, alert, report and respond to changes made to their critical data, based on either a single-event alert or a threshold condition.
- Detect user account modification/deletion. They will need to be able to detect, in real-time, when a user account has been created, deleted or modified.
- Detect and manage inactive user accounts. They must be able to detect, alert and automate the removal of user accounts that are no longer active.
- Track privileged mailbox access. They will need to be able to detect, alert and respond to unauthorised mailbox access.
- Help ensure passwords are regularly rotated. It is also good practice to automate the process of reminding users to reset their passwords after a given period of time.
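The “threshold alerting” described in the ransomware paragraph, and the single-event and threshold conditions named in the checklist item on suspicious file and folder activity, can be sketched as a sliding-window counter over file-audit events. This is an added example, not code from any product mentioned on this page; the threshold, window, action names, account names and paths are assumptions, and the events are constructed sample data. Bulk modify/rename events per account stand in for “files encrypted”.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                          # the "X" files in the text (assumed value)
WINDOW = timedelta(seconds=60)         # the "given time-frame" (assumed value)
BULK_ACTIONS = {"modify", "rename"}    # assumed proxy for "file encrypted"
SINGLE_EVENT_ACTIONS = {"acl_change"}  # assumed: alert on every occurrence

def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return (rule, user, time, response) alerts for file-audit events."""
    recent = defaultdict(deque)  # user -> times of recent bulk actions
    tripped = set()              # users already alerted (one alert per account)
    alerts = []
    for ts, user, action, path in sorted(events):  # ISO times sort as strings
        when = datetime.fromisoformat(ts)
        if action in SINGLE_EVENT_ACTIONS:
            alerts.append(("single_event", user, ts, f"review {action} on {path}"))
        if action not in BULK_ACTIONS:
            continue
        q = recent[user]
        q.append(when)
        while when - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in tripped:
            tripped.add(user)
            # Response is only named here; a real deployment would automate it.
            alerts.append(("threshold", user, ts, "disable account, stop process"))
    return alerts

def sample_events():
    """Constructed sample audit events: (ISO time, user, action, path)."""
    burst = [(f"2018-06-01T10:00:{s:02d}", "svc-scan", "rename",
              f"/srv/records/file{s}.docx.locked") for s in range(0, 12, 2)]
    normal = [
        ("2018-06-01T09:00:00", "alice", "modify", "/srv/records/a.docx"),
        ("2018-06-01T09:20:00", "alice", "modify", "/srv/records/b.docx"),
        ("2018-06-01T09:40:00", "alice", "modify", "/srv/records/c.docx"),
        ("2018-06-01T10:05:00", "bob", "acl_change", "/srv/records/hr"),
    ]
    return burst + normal

if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Counting per account rather than globally keeps one busy user from masking another, and lets the automated response target the single account or process responsible.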
While it is theoretically possible to manually scrutinise the native server logs, set up alerts and automate tasks using Perl/Shell scripts, it’s not for the faint-hearted. Given the number of specialised, affordable and sophisticated auditing solutions on the market today, the manual approach would not be an efficient use of resources. Nor would it be particularly effective when compared to solutions such as LepideAuditor, which provides an intuitive dashboard, is capable of threshold alerting, generates over 300 pre-set reports, and is designed to work on iPhone, iPad or any Android enabled device. It is very important for both healthcare service providers and public-sector entities to ensure that they are able to answer questions pertaining to ‘who, what, where, and when’ sensitive data is being created, accessed, modified or deleted.