Healthcare – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals

Cost of a data breach: The healthcare industry
https://securityintelligence.com/articles/cost-of-a-data-breach-healthcare-industry/
Tue, 06 Aug 2024 13:00:00 +0000

The post Cost of a data breach: The healthcare industry appeared first on Security Intelligence.


Cyberattacks grow in sophistication and frequency every year, and the cost of data breaches rises with them. The 2024 Cost of a Data Breach Report, produced by IBM and the Ponemon Institute, details the financial impact of breaches across industries.

The global average cost of a data breach reached an all-time high of $4.45 million in 2023, a 15% increase over three years, driven mainly by the rising costs of lost business and post-breach response. The United States had the highest average cost per breach of any country, at $9.48 million.

As in past years, healthcare had the highest average breach cost of any industry, $10.93 million, followed by financial services at $5.9 million. Healthcare breaches also take longer to find: 213 days on average to identify, against a cross-industry mean of 194 days.

Recent years have also shown a troubling new trend: the rise of very large breaches involving millions of records.

Unique challenges, significantly higher costs

Over the past decade healthcare has consistently been among the most expensive industries for data breaches, with costs well above the global average. Costs have grown across all industries, though: in 2014, the average total cost of a breach was $3.5 million.

Regulations governing healthcare data, including HIPAA (Health Insurance Portability and Accountability Act), the HITECH Act (Health Information Technology for Economic and Clinical Health Act) and, for organizations handling EU residents' data, GDPR (General Data Protection Regulation), add to the industry's breach costs through mandatory notification, investigation and potential penalties.

The report also examined breaches that began with stolen or compromised credentials, which took the longest to identify and contain at an average of 292 days. Only one-third of breaches were discovered by the organization's own security team; the rest were reported by a benign third party or disclosed by the attacker.

One particularly useful finding: organizations making extensive use of security AI and automation saw an average breach cost $1.76 million lower than those without such technologies, and shortened the breach lifecycle by 108 days on average.


How healthcare can strengthen its cyber profile

The report suggests other ways to reduce breach costs. Involving law enforcement after a ransomware attack, for example, lowered the average cost by nearly $1 million. Counterintuitively, organizations that paid the ransom saw no significant cost saving over those that did not.

Where data lives matters as well. Breaches involving data spread across multiple environments (public cloud, private cloud and on-premises) cost more and took longer to contain than breaches confined to a single environment.

The report also recommends incident response planning and testing, integrating AI-driven threat detection and response, and developing security frameworks for AI initiatives themselves: securing training data, monitoring models for malicious inputs and applying dedicated security controls to AI systems.

Embracing a multi-pronged approach

Remediation for breaches in the healthcare industry should involve a range of strategies, including:

  • Incident response planning and testing
  • Employee training
  • Deployment of AI and automation in cybersecurity
  • A risk mitigation strategy that accounts for where data is located, how it is used and how it is encrypted
  • Identity and access management
  • Embracing DevSecOps to build security into applications
  • Security tools and platforms that span on-premises and cloud environments

Healthcare data breaches typically involve data stored across multiple environments: public cloud, private cloud and on-premises servers. That mix reflects the complexity and varied storage needs of healthcare organizations, but it also widens the attack surface and complicates monitoring. Where in-house capacity is limited, managed security services can help healthcare organizations cover that surface consistently.



Cost of a data breach 2023: Healthcare industry impacts
https://securityintelligence.com/articles/cost-of-a-data-breach-2023-healthcare-industry-impacts/
Wed, 16 Aug 2023 13:00:00 +0000



Data breaches are becoming more costly across all industries, with healthcare in the lead.

The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for criminal groups, and for the 13th consecutive year its breach costs were the highest of any industry.

Healthcare is highly regulated, and the U.S. government classifies it as critical infrastructure. Federal privacy and security rules written specifically for healthcare aim to raise the sector's overall security while protecting patient data. With costs rising and threats persisting, the industry must keep innovating.

Healthcare data breaches come at a high price

A healthcare data breach is among the costliest kinds of breach. The cross-industry average cost was $4.45 million, while the average healthcare breach cost $10.93 million, the highest of any industry and a 53.3% increase over three years.

Personal data remains the prime target. Customer and employee personally identifiable information were the two most commonly stolen data types, followed by intellectual property, anonymized personal data and other corporate data such as earnings information and client lists.

Breaches involving data stored across multiple environments made up the largest share of breaches and carried the highest average cost of any storage model (versus public cloud, private cloud or on-premises alone). Detecting and containing such a breach took 291 days on average.

Phishing became the most common initial attack vector, at 16% of breaches, with compromised credentials dropping to second place and cloud misconfiguration third. Malicious attacks were the most common root cause of healthcare breaches at 56%, with IT failure and human error accounting for 24% and 20%, respectively.

Healthcare breaches took 231 days on average to identify, compared with 204 days across all industries, and 92 days to contain compared with 73. In total, healthcare organizations needed 19 more days than their peers to close a breach.


Strict regulations require strict data protections

Healthcare data in the U.S. is governed by the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy and Security Rules require covered entities and their business associates to maintain reasonable and appropriate protection of electronic protected health information, with administrative, technical and physical safeguards for data as it is created, stored and transmitted. The Breach Notification Rule adds deadlines for notifying affected individuals, HHS and, for breaches affecting more than 500 people, the media.

The U.S. Department of Health and Human Services (HHS) does not mandate which electronic platforms healthcare organizations must use, but it points them to NIST guidance, notably NIST SP 800-66 on implementing the HIPAA Security Rule, when evaluating platforms and providers.

Failure to comply with HIPAA brings steep fines, issued by the HHS Office for Civil Rights (OCR) and by state attorneys general. The four-tiered penalty structure weighs the entity's level of negligence and what it knew or should have known before and after the breach. Fines vary with the type and severity of the violation: the statutory maximum is $50,000 per violation, adjusted annually for inflation, and in 2022 the inflation-adjusted annual cap for all violations of an identical provision was $1,919,173. Civil monetary penalties are paid to the government, not to patients; HIPAA provides no private right of action, so affected individuals who seek compensation must sue under state law.

Lagging security approaches

Cybersecurity investment in healthcare lags other industries. Healthcare organizations reportedly spend 6% to 10% of their IT budgets on cybersecurity, with most near the low end. Across all industries, only 51% of breached organizations planned to increase security spending afterwards, even though breach costs rise every year.

The 2023 report found that breach costs fall when organizations have dedicated tools and teams for prevention and response. Healthcare organizations with an incident response (IR) team and a regularly tested IR plan saved an average of $2 million compared with those without. Healthcare organizations that deployed artificial intelligence (AI) and automation saw average savings of $850,000.

With the right tools and skilled workers, the healthcare industry can make strides toward better data protection. As healthcare data remains a valuable target and threats show no sign of slowing, the industry will need to adapt accordingly.


Cyberattackers target the Latin American health care sector
https://securityintelligence.com/posts/cyberattacks-on-healthcare-in-latin-america/
Thu, 22 Jun 2023 16:00:00 +0000



Cyberattacks on the healthcare sector are a growing threat in Latin America, and the large amount of confidential data these organizations handle makes these attacks a top concern.

The value of healthcare data on criminal markets, including patients' personal, medical and financial information and the business data of healthcare companies, makes these organizations appealing targets. The consequences go well beyond privacy: reputational damage, interruption of operations, data theft and disclosure and, when medical goods and services become unavailable, the loss of human lives.

So what do healthcare organizations and patients need to know about cyberattacks on the healthcare sector in Latin America?

According to the IBM Security X-Force Threat Intelligence Index 2023 report, the proportion of incidents to which X-Force Incident Response has responded in the healthcare sector has remained at approximately 5% to 6% of total incidents over the past three years. Ransomware outpaced other attacks in Latin America, accounting for 32% of the cases to which X-Force responded.

The main initial access vectors observed against healthcare companies in Latin America map to three MITRE ATT&CK techniques: Exploit Public-Facing Application (T1190), Valid Accounts (T1078) and External Remote Services (T1133).

3 critical risk factors

Exploitation of Public-Facing Applications

IBM X-Force Incident Response observed that attackers mainly exploit weaknesses and vulnerabilities in internet-facing services and applications, especially websites. In other cases they exploit the web server itself, for example Apache Tomcat or Apache HTTP Server instances running outdated versions with security patches missing.

Abuse of Valid Accounts

Attackers abuse accounts for remote systems and externally reachable services such as virtual private networks (VPNs), network devices and remote desktops. They also target inactive accounts and accounts with non-expiring passwords, using credentials leaked on the dark web in dictionary or credential-stuffing attacks.

Exploitation of External Remote Services

Exploiting remote access services such as Citrix desktops, access gateways and VPNs allows attackers to connect to internal healthcare enterprise resources from external locations.

IBM X-Force Incident Response recommendations

These are the main intrusion vectors IBM X-Force Incident Response has identified at healthcare companies in Latin America. Every healthcare organization in the region should prepare for these threats and put adequate security measures in place to protect the privacy and security of patient information.

The following are the IBM X-Force Incident Response team’s recommendations:

  • Develop incident response plans tailored to the environment and update them regularly to maintain or improve response and recovery times.
  • Perform regular backups, prioritizing critical medical services, and keep copies in secure, segmented and physically separate locations.
  • Allow only authorized applications: configure operating systems and medical services, including third-party ones, to run approved applications only (application allowlisting).
  • Monitor the medical IT infrastructure, medical devices and domain controllers at the system and application log level.
  • Create a technology governance and cybersecurity team to support medical services operations.
  • Retain a specialized incident response and digital forensics team that can act promptly in future events and support containment, remediation and recovery of business operations.
  • Operate a security operations center to detect and manage breaches through early alerting, real-time infrastructure monitoring, preventive measures and faster response to future attacks.
  • Add endpoint protection layers, such as endpoint detection and response (EDR), across the healthcare company's technology infrastructure.

Reduce exposure on the main access vectors

To mitigate the three access vectors above, keep the following in mind:

  • Segregate external servers and services from the rest of the network with a DMZ or separate hosting infrastructure.
  • Manage privileged accounts and apply least privilege to service accounts.
  • Keep all computers, servers and medical devices under patch and vulnerability management processes.
  • Scan external systems for vulnerabilities regularly.
  • Audit user accounts for unusual activity and disable or delete accounts that are no longer needed.
  • Ensure applications do not store sensitive data or credentials insecurely (for example, in clear text).
  • Improve password policy and administration for every technology in the organization. Require passwords longer than 12 characters, including symbols and numbers, though current NIST guidance (SP 800-63B) weighs length and screening against breached-password lists above composition rules; and require multifactor authentication on critical and externally reachable services.
  • Disable or block remotely reachable services that are not necessary.
  • Monitor the dark web and criminal forums for leaked information, including credentials.
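The valid-account abuse described under "Abuse of Valid Accounts" above and the account-audit item in this list can be turned into detection logic. The following is an added example, not IBM X-Force code: a Python script that runs two detections over VPN gateway authentication logs. The log line format, the sample lines and the last-login baseline are constructed for the example (hypothetical gateway output, not from the original post); adapt `LINE_RE` to whatever your own appliance emits.

```python
"""Detect abuse of valid accounts in VPN gateway authentication logs.

Added example, not IBM X-Force code. The log line format, the sample
lines and the BASELINE_LAST_SUCCESS table are all constructed for this
example; adapt LINE_RE to the format your own gateway emits.

Two detections:
  1. credential stuffing / dictionary attack: one source IP failing
     against many distinct usernames within a short window;
  2. dormant-account login: a successful login to an account with no
     successful login in the last DORMANT_DAYS days (or ever);
plus a high-priority alert when a source already flagged for stuffing
goes on to authenticate successfully.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical gateway log format (assumption for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ auth: "
    r"result=(?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

STUFFING_WINDOW = timedelta(minutes=5)   # look-back window per source IP
STUFFING_DISTINCT_USERS = 5              # distinct failed usernames to alert on
DORMANT_DAYS = 90                        # account is dormant after this many days

# Constructed sample log: one IP sprays five accounts, then logs in as a
# long-dormant contractor account; a second IP is a normal user mistyping once.
SAMPLE_LOG = """\
2023-05-02T03:14:01Z vpngw auth: result=FAIL user=jlopez src=203.0.113.45
2023-05-02T03:14:02Z vpngw auth: result=FAIL user=mgarcia src=203.0.113.45
2023-05-02T03:14:03Z vpngw auth: result=FAIL user=asilva src=203.0.113.45
2023-05-02T03:14:04Z vpngw auth: result=FAIL user=rperez src=203.0.113.45
2023-05-02T03:14:05Z vpngw auth: result=FAIL user=lrodriguez src=203.0.113.45
2023-05-02T03:14:06Z vpngw auth: result=SUCCESS user=contractor.old src=203.0.113.45
2023-05-02T08:02:10Z vpngw auth: result=FAIL user=mgarcia src=198.51.100.7
2023-05-02T08:02:25Z vpngw auth: result=SUCCESS user=mgarcia src=198.51.100.7
"""

# Constructed baseline: last known successful login per account, as an
# identity system or SIEM would supply it.
BASELINE_LAST_SUCCESS = {
    "jlopez": datetime(2023, 4, 28, 9, 5),
    "mgarcia": datetime(2023, 5, 1, 17, 40),
    "contractor.old": datetime(2022, 10, 14, 11, 30),  # well over 90 days ago
}


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"].lower(),
        "src": m["src"],
    }


def detect(lines, last_success):
    """Run both detections over an iterable of log lines; return a list of alerts."""
    last_success = dict(last_success)      # do not mutate the caller's baseline
    recent_fail = defaultdict(deque)       # src -> deque of (ts, user) failures
    flagged_src = set()                    # sources already alerted for stuffing
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["result"] == "FAIL":
            window = recent_fail[ev["src"]]
            window.append((ev["ts"], ev["user"]))
            while window and ev["ts"] - window[0][0] > STUFFING_WINDOW:
                window.popleft()           # drop failures outside the window
            distinct = {u for _, u in window}
            if len(distinct) >= STUFFING_DISTINCT_USERS and ev["src"] not in flagged_src:
                flagged_src.add(ev["src"])
                alerts.append({"type": "credential_stuffing", "ts": ev["ts"],
                               "src": ev["src"], "users": len(distinct)})
            continue
        # SUCCESS: check dormancy against the baseline, then stuffing follow-up.
        prev = last_success.get(ev["user"])
        if prev is None or ev["ts"] - prev > timedelta(days=DORMANT_DAYS):
            alerts.append({"type": "dormant_account_login", "ts": ev["ts"],
                           "user": ev["user"], "src": ev["src"], "last_seen": prev})
        if ev["src"] in flagged_src:
            alerts.append({"type": "success_after_stuffing", "ts": ev["ts"],
                           "user": ev["user"], "src": ev["src"]})
        last_success[ev["user"]] = ev["ts"]
    return alerts


def run_sample():
    """Run the detections over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines(), BASELINE_LAST_SUCCESS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, the script raises three alerts: a credential-stuffing alert once the fifth distinct username fails from 203.0.113.45, a dormant-account alert for the successful login to `contractor.old`, and a success-after-stuffing alert because that login came from the flagged source. The second IP, a real user who mistyped once, produces nothing. The thresholds are starting points; tune the window and distinct-user count against your gateway's normal failure rate, and feed the dormant-account alerts into the account-audit process so unused accounts get disabled rather than merely watched.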

Rising to meet the threat

Protecting medical data and keeping healthcare services available should be a primary objective for any organization in the medical sector. IBM X-Force Incident Response can help you build and run an integrated security program, reduce the impact of attacks and respond quickly to future ones through X-Force Incident Response retainer services.


Increasingly sophisticated cyberattacks target healthcare
https://securityintelligence.com/articles/increasingly-sophisticated-cyberattacks-target-healthcare/
Thu, 01 Jun 2023 13:00:00 +0000



It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks.

In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.”

Most leaders also agree, though not unanimously, on their response. 60% were "less than fully confident" in the technologies they currently use to prevent and mitigate ransomware attacks. Not surprisingly, 85% rank mitigating cyberattacks a "high" or "very high" priority for 2023, and 82% are increasing their investment this year to prevent and mitigate ransomware attacks.

Number of healthcare attacks remains steady

A steady number of attacks may look like good news at first. But because the attacks are more sophisticated, they are harder to prevent and more damaging. The IBM X-Force Threat Intelligence Index 2023 found that healthcare's share of the cases X-Force responded to has held at roughly 5% to 6% for three years. Of the 2022 healthcare cases, 58% occurred in Europe and 42% in North America.

Knowing the attack types lets healthcare systems prioritize their defenses against the increased sophistication. Backdoor deployment was the most common attacker action at 27% of the cases examined, followed by web shells at 18%. Adware, business email compromise (BEC), crypto miners, loaders, reconnaissance and scanning tools, and remote access tools each accounted for 9%.


Iran-based threats pose new risks

Beyond these ongoing risks, Iran-based threat actors are increasingly targeting many industries, including healthcare, adding to the rise in sophisticated attacks. According to CrowdStrike, these attacks tend to be more disruptive because of a "lock and leak" approach: the actors encrypt systems with ransomware and then publicly leak the stolen data to maximize reputational damage. Attacks originating in China, by contrast, tend to focus on stealing intellectual property for medical devices, pharmaceuticals and other innovations and are less disruptive.

Many of the attacks are challenging to prevent because they use sophisticated social engineering schemes. For example, a cyber criminal may impersonate someone from a government agency. Because attackers go to significant lengths to make the messaging and formatting of emails match those of the real entity, even trained employees may fall victim to the scheme.

Third parties increase healthcare incident risk

Healthcare systems partner with many other businesses and organizations to care for patients and run their facilities, and each new vendor adds risk. An organization inherits its vendors' risk: a health system's exposure is its own vulnerabilities plus those of every supplier and vendor. As attacks grow more sophisticated, healthcare systems must be confident that their partners and vendors can withstand them as well.

Third-party healthcare attacks take many forms. In late 2021, an unauthorized user accessed databases of Eye Care Leaders (ECL), an ophthalmology-specific electronic medical record (EMR) vendor, exposing data from more than two dozen provider organizations. At Texas Tech University Health Sciences Center (TTUHSC) alone, more than 1.3 million patients potentially had sensitive information stolen, including insurance details, appointment information and Social Security numbers.

Not every incident involves patient records held by a technology provider, either. A breach at OneTouchPoint (OTP), a third-party mailing and printing vendor, affected more than 35 healthcare brands, including Geisinger and Kaiser Permanente. The files exfiltrated from health systems and insurers contained patient names, member IDs and information provided during health assessments.

Reducing cybersecurity risk in healthcare

To combat the increase in sophistication, healthcare organizations must proactively prevent incidents. Here are steps to take to reduce your risk.

  • Create a culture of cybersecurity. While specific training is important, healthcare organizations must also keep the importance of cybersecurity top of mind. When every employee truly feels personally responsible for preventing and stopping cyberattacks, healthcare systems achieve a culture of cybersecurity. Tools and technologies are key in preventing attacks. But without the foundation of a cybersecurity culture, healthcare systems remain at high risk as criminals improve their techniques.
  • Focus on social engineering. With social engineering schemes on the rise, healthcare organizations must address this threat directly. Teaching employees how to spot fake emails can cut risk significantly. Show them how to inspect the actual sender address rather than the display name, which the attacker controls, and to look for small variations from the legitimate domain such as swapped letters, digits in place of letters or an extra subdomain. Run phishing simulations and use the results as a training tool, so employees recognize real schemes when they inevitably arrive.
  • Create an incident response plan. Your healthcare organization will be a target of an attack — it’s simply a matter of time. By creating a plan, your team will know exactly what to do when an attack happens, which can significantly reduce downtime and disruption. Make sure that all satellite offices and hospitals are included in the plan because system integrations mean shared risk. However, you cannot create the plan and put it in a drawer. Your organization must regularly update the plan as well as practice responses. The more test runs you have, the more your employees are likely to make the right decisions when under stress. Every minute you save after an attack means less impact on patient care.
  • Adopt zero trust. In the past, healthcare organizations focused on defending the network perimeter. With many locations as well as remote workers, a healthcare system's attack surface is now far larger. A zero trust approach treats every user, device and application as untrusted until verified and authorizes each access explicitly, which reduces the damage a single compromised account or device can do.
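The sender-address inspection in the "Focus on social engineering" item above can also be automated at the mail gateway or in a SOAR playbook. The following is an added example, not code from the original article: a Python classifier that flags `From:` headers whose domain imitates a trusted one through digit and homoglyph substitution, punycode, an embedded trusted name or a one-character typo, and that catches display names claiming a trusted brand while the address does not match. `TRUSTED_DOMAINS`, the confusable tables and the example addresses are constructed for the example and are not from the article.

```python
"""Flag sender addresses that impersonate a trusted domain.

Added example, not from the original article. TRUSTED_DOMAINS is a
hypothetical allowlist standing in for your own mail domains and your
vendors'; the confusable tables cover common substitutions only.
"""
import unicodedata
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplehealth.org", "examplepayer.com"}

# Single characters attackers swap for look-alike Latin letters: digits and
# Cyrillic homoglyphs (assumption: a short table, not a full confusables list).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})
# Multi-character tricks that render like a single letter.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w")]


def _to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyphs can be compared; leave others alone."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def normalize_domain(domain):
    """Map a domain to the Latin string a human would most likely read it as."""
    d = _to_unicode(domain.lower().strip("."))
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(CONFUSABLE_CHARS)
    for pair, letter in CONFUSABLE_PAIRS:
        d = d.replace(pair, letter)
    return d


def registrable(domain):
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style TLDs are mishandled."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_risk(from_header):
    """Classify a From: header as trusted, lookalike, display_name_mismatch or external."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    result = {"address": addr, "domain": domain,
              "verdict": "external", "reason": "not a trusted domain"}
    if not domain:
        result.update(verdict="invalid", reason="no address in header")
        return result
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            result.update(verdict="trusted", reason=f"matches {trusted}")
            return result
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if registrable(norm) == trusted:
            result.update(verdict="lookalike", reason=f"{domain} renders like {trusted}")
            return result
        if f".{trusted}." in f".{norm}.":
            # trusted name embedded in a longer attacker-controlled domain
            result.update(verdict="lookalike", reason=f"{trusted} embedded in {domain}")
            return result
        if levenshtein(registrable(norm).split(".")[0], trusted.split(".")[0]) <= 1:
            result.update(verdict="lookalike", reason=f"{domain} is one edit from {trusted}")
            return result
    if any(t in display.lower() or t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        result.update(verdict="display_name_mismatch",
                      reason="display name claims a trusted brand but the address does not")
    return result


if __name__ == "__main__":
    for header in ("IT Helpdesk <helpdesk@examplehealth.org>",
                   "Helpdesk <helpdesk@examp1ehealth.org>",
                   "Portal <portal@examplehealth.org.secure-login.net>",
                   "examplehealth.org Support <support@mail-relay.net>"):
        print(sender_risk(header))
```

The normalization runs only on the candidate domain, never on the allowlist, so a trusted domain that happens to contain "rn" still matches itself exactly. The edit-distance threshold of 1 and the two-label `registrable()` helper are deliberate simplifications; production code would use a public suffix list and tune the threshold against your own mail volume to keep false positives down. The verdict is a triage signal to pair with SPF, DKIM and DMARC results, not a replacement for them.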

Protecting sensitive healthcare data is paramount

In healthcare, the stakes of cybersecurity are even higher than in many other industries. Healthcare records contain highly sensitive data, including personal, financial and health diagnoses, which can be problematic for patients if breached. Additionally, disruptions from cybersecurity attacks don’t simply mean business disruptions but can cause delays in patient care. By taking proactive actions, healthcare systems can reduce their risk and ensure their ability to care for patients.


Reporting healthcare cyber incidents under new CIRCIA rules
https://securityintelligence.com/articles/reporting-health-care-cyber-incidents-new-circia/
Thu, 10 Nov 2022 14:00:00 +0000



Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.

While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes, you are not alone. Here is what you need to know about how to comply with CIRCIA’s new requirements.

Who does the law affect?

The law uses the definition of critical infrastructure from Presidential Policy Directive 21 (PPD-21): 16 sectors whose disruption would have a debilitating effect on security, the economy or public health and safety. Financial services, energy and transportation are examples.

The Healthcare and Public Health sector is one of those 16, so healthcare organizations fall within the law's scope. Which specific entities count as "covered entities" under CIRCIA, and whether that reaches down to individual provider offices within a large health system, is left to CISA to define in its rulemaking.

If your organization has questions about whether you are required to report, then you should contact CISA.

What does the law require?

While some details are still in flux, the legislation lays out the framework for future incident reporting by healthcare organizations. CIRCIA will require that:

  • Covered entities in critical infrastructure sectors report substantial cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA)
  • Covered cyber incidents be reported within 72 hours of the entity reasonably believing one has occurred
  • Ransom payments be reported within 24 hours of the payment being made.

The law requires the organization to report information in the following seven areas:

  1. Description of the incident
  2. Description of the vulnerability
  3. Security defenses maintained
  4. Tactics, techniques and procedures used by a threat actor
  5. Identifying information for a threat actor
  6. Information compromised during an incident
  7. Contact information for a covered entity.

What counts as significant cybersecurity events?

Many chief information security officers (CISOs) at critical infrastructure organizations are asking the same question. A ransomware attack that shuts down an entire hospital is obviously significant, but leaders wonder about lesser events such as phishing emails or a short denial of service attack. The statute sets a floor: a covered cyber incident must, at a minimum, lead to one of the following:

  • Substantial loss of confidentiality, integrity or availability of an information system, or a serious impact on the safety and resiliency of operational systems
  • Disruption of business or industrial operations, including through a denial of service attack, ransomware or exploitation of a zero-day vulnerability
  • Unauthorized access or disruption of business or industrial operations caused by a compromise of a cloud service provider, managed service provider, hosting provider or other supply chain compromise.

Because these criteria leave room for interpretation, CISA separately publishes a list of event types it asks organizations to share. Reporting them is voluntary today; which of them become mandatory for healthcare organizations will be settled by the Final Rule. The list includes:

  • Unauthorized access to your system
  • Denial of service (DoS) attacks that last more than 12 hours
  • Malicious code on your systems, including variants if known
  • Targeted and repeated scans against services on your systems
  • Repeated attempts to gain unauthorized access to your system
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware against critical infrastructure, including variant and ransom details, if known.

What are my current requirements for reporting?

Reporting under CIRCIA is not yet mandatory, but CISA asks for voluntary reports. When CISA knows about events it can help your organization and warn other at-risk entities, and it uses the reports for proactive protection of the country's critical infrastructure. CISA shares information from reports, but anonymizes the details.

Rulemaking is a multi-year process. CISA must publish a Notice of Proposed Rulemaking (NPRM) by March 2024, and the Final Rule, which sets the binding regulatory requirements, within 18 months of the NPRM.

However, as a CISO, you have many ways to participate in the process. You or a team member can attend one of the many listening sessions held around the country to gather information from stakeholders like yourself. The moderators at the sessions take all feedback back to CISA to incorporate into the Final Rule. By participating in the process, you not only get your organization’s needs considered in the law but can gain a full understanding of the bill so you can easily stay compliant when it becomes final.

When dealing with an event, your first task is to contain the threat and limit the damage, working with local authorities as needed. To report voluntarily, email report@cisa.gov or call 888-282-0870; reporting is available 24 hours a day, seven days a week. In an email, include as much detail as possible and your contact information so CISA can follow up.

Why CIRCIA matters to CISOs

As a CISO, you need to understand your responsibility under the new law. However, because the details are still being finalized, it’s important to know where the law currently stands. You should stay on top of changes as the processes are ironed out and implemented. Once mandatory reporting begins, your organization could face penalties for not staying compliant.

The patients at your healthcare organization have a choice about where they get care, and trust plays a large part in their decision. Additionally, your healthcare organization has a large amount of personal and sensitive data about each patient, which they trust you to keep secure. Every cybersecurity event can cause patients to lose trust in your organization, in addition to costly financial setbacks which further impact patient care.

While reporting the incident may seem likely to reduce patient trust, the impact will be greater if you are fined for not reporting. When patients feel that you have not been transparent about the event, then you lose even more trust than from the original incident. By proactively reporting and working with authorities, you can help regain trust and also help other organizations.

The post Reporting healthcare cyber incidents under new CIRCIA rules appeared first on Security Intelligence.

Incident response for health care IT: Differences and drivers https://securityintelligence.com/articles/incident-response-health-care-it/ Thu, 11 Aug 2022 13:00:00 +0000

The post Incident response for health care IT: Differences and drivers appeared first on Security Intelligence.


Threat actors continue to target the health care industry. IBM’s Threat Intelligence Index for 2022 rates the industry as the sixth most targeted. That puts it close behind the energy and retail and wholesale sectors. Certain regions seem to be more prone to attack as well. The Asia-Pacific region accounted for 39% of all health care-related attacks, while North America trailed next at 33%. Coming as no surprise, ransomware is the leading known method of attack, representing 38% of cases.

Some other noteworthy attack methods are:

  • Business email compromise
  • Vulnerability exploitation
  • Server access
  • Credential harvesting
  • Misconfigurations
  • Phishing
  • Stolen credentials.

These methods should not shock readers; many of them are responsible for most cybersecurity incidents. But what makes the health care industry different? Specifically, what are the unique challenges the industry faces?

Unique needs for the health care industry

Health care attacks are particularly expensive for the victim. However, the consequences go far beyond cost. Health care organizations are particularly at risk because of:

  • The need for a fast response
  • Types of data handled
  • Types of devices used and service delivery methods
  • Investment, awareness and business drivers.

As with everyday operations, knowing your risk tolerance is vital to successful decision-making and execution. With lives at stake, risk tolerance could be expected to be low, but attacks keep happening and they are successful. Many of the health care industry’s unique challenges are, in fact, non-technical. Let’s take a look.

Need for speed

A perfect example related to preparedness comes out of an Immersive Labs study, the Cyber Workforce Benchmark 2022. The study found health care lags far behind in cyber crisis exercises versus other industries. Tech companies might hold up to nine exercises a year. In health care, there are often only two. The gap is wide and the results reinforce that: the health care industry had some of the poorest tabletop scores.

Simply having an incident response plan is not enough. Testing and training are essential, too. When you stress test the plan, stakeholders know what is expected of them during a crisis. Finding gaps and building mental muscle memory is crucial.

Why? Loss of service may directly result in loss of life. A health care provider cut off from offering acute or ambulatory care has lives on the line. Recovery point and time objectives – critical outcomes and data points of business continuity and disaster recovery planning – need to align with operational expectations. In this case, that means the time it takes to save a life.

Therefore, incident responders in health care not only have less time to respond, they may also need different process requirements, such as shutting down primary systems as a precaution, and other contingencies, such as running a backup system as a temporary production environment until the threat has been contained and eradicated. A Ponemon study of 597 health delivery organizations found that 71% said a successful cyberattack resulted in longer patient stays. The costs are real.

Data handling

Health care data carries a different level of sensitivity. It is full of personally identifiable information (PII) and protected health information (PHI), which is becoming all the more detailed and personal as biometric technologies spread.

Depending on where in the world you operate, you may have different legal or regulatory requirements for data handling and incident reporting or disclosures. It’s also important to define whether you’re simply handling an incident or whether you have been breached, as the latter has legal implications. Do not underestimate the importance of strong and clear definitions as part of your program governance. A strong privacy program can also bolster your security program, as they work well together.

Ensuring that incident responders are well aware of these requirements is essential. Your security planners need to know where your data is and how it is tagged. If your organization does suffer an incident, you do not want to be running around trying to figure out what types of data have been impacted. As incident responders put out the fire, rest assured that the lawyers are thinking about disclosure requirements and the possible lawsuit.

Devices used and service delivery methods

Medical internet of things devices come with perils. After all, it’s not only the device but the medium of delivery that matters. Think of how much PHI is floating over telehealth platforms now. Not only do incident responders have to contain and eradicate an event or incident, but each issue will also need a definitive tie-off because of the PII or PHI implications (regardless of severity). And when they are not doing that, they are probably trying to patch and upgrade systems across disparate devices, operating systems and applications!

Investment, awareness and business drivers

While health care organizations aren’t always entirely profit-driven, they still need to be concerned about money. According to the Threat Intelligence Index, three industries account for nearly 60% of cyberattacks: manufacturing, finance and insurance, and professional and business services. The important connection here between these industries and the health care industry is business drivers.

The first three are very much profit-driven, making them attractive targets for malicious actors. Being profit-driven also shifts priorities. If successful, it allows for more resources to be invested in information, infrastructure, security and privacy measures.

Some sectors of the health care industry are very profit-driven, too. However, their situation is not nearly as clear-cut, or across the board, as the others. For example, companies focused on research and development (such as the pharmaceutical industry) are very profit-driven, and more specifically, product-driven. They want to protect their intellectual property.

Other health care organizations have an element of profit but are in general more service-driven (think of those administering care). These organizations face staff burnout and limited resources. Incident response handling and preparedness can make a world of difference in someone’s life.

Keeping manageability and emotions in check

Perhaps the most distinctive challenge for incident responders in health care is the small margin of error. Next-generation technologies, such as artificial intelligence and improved monitoring capabilities, should definitely be examined and integrated where possible. They could lighten the load of incident response staff through automated response and orchestration.

Because of the small margin of error, health care providers need to look closely at their overall resilience posture. It’s about more than just an incident response plan. It is crisis communications, input and collaboration from legal, and practice to build up the response muscles. Attacking health care services gives threat actors a chance to use one of their favorite tactics: preying on emotions. If you are calm and cool in your response, well-resourced and prepared, an attacker may just find you are not worth their time.

Hospital ransomware attack: Here’s what a cybersecurity success story sounds like https://securityintelligence.com/articles/hospital-ransomware-attack-security-success-story/ Tue, 19 Jul 2022 13:00:00 +0000

The post Hospital ransomware attack: Here’s what a cybersecurity success story sounds like appeared first on Security Intelligence.


Major ransomware attacks are scary, but against hospitals, they are even worse. One notable attack in August 2021 forced Ohio’s Memorial Health System emergency room to shut down (patients were diverted to other hospitals). In all hospital attacks, the health, safety, privacy and lives of patients face risk. But this incident also shows that whether targets are hospitals or any other kind of organization, the time and money spent preventing attacks is almost always worth it.

But what do you do if protective measures fail? What can be done once an attack is already happening?

One health care IT director set a fantastic example of what to do when an active ransomware attack was detected.

His name is Jamie Hussey, and he works for Jackson Hospital in Florida, one of the dozens of hospitals to have been targeted for ransomware attacks in the U.S. recently. It all started near midnight on a Sunday night in early January. Staff in the emergency room called IT to say doctors couldn’t access patient charting records. Hussey found that ransomware had infected the charting software, which an outside vendor maintained.

All IT departments should study what happened next as an example of what to do right.

How to contain a ransomware attack

Hussey quickly urged radical action. Shut the entire hospital’s computer systems down right away, he urged. They complied. Under a planned contingency called downtime procedures, hospital staff started using pen and paper to record data and communicate. Health care workers wrote prescriptions out by hand.

IT staff then looked into the nature of the attack. They found that attackers had encrypted files using the Mespinoza ransomware on a computer Jackson Hospital used to store documents not related to patient records. (Attackers have used Mespinoza against hundreds of targets, including health care and health-related organizations.)

The team then thoroughly checked their complete list of hospital computer systems for infection. Once found clean, they re-connected them to the network one by one. Lastly, the team brought the infected ER charting system back online.

The diagnosis

The main takeaway is not that organizations can thwart a ransomware attack after it has begun, but that preparation enabled containment. Everything that occurred at Jackson Hospital was part of a plan.

For example, the moment a ransomware attack is discovered is not the time to gather stakeholders or leaders together to begin arguing and negotiating over whether or not to shut down computer systems organization-wide.

In hospitals, doctors and surgeons are in the positions of highest authority over life-and-death issues. It’s easy to imagine that in the heat of the moment, doctors could overrule security staff over shutting down computer systems in an emergency room, causing needless risk to patients and patient records. The decision to shut down in the event of the discovery of a ransomware attack in progress must be made in advance and agreed to by all involved.

In press interviews, Hussey acknowledged extreme organizational pushback against taking all systems offline. But as he pointed out, that’s often the difference between a major and minor disruption.

Ransomware preparedness

Downtime procedures, a set of practices and policies for functioning while systems are unavailable, should be part of policy and cybersecurity training; they are a big part of surviving a ransomware attack. Systems may be down for hours, days or weeks.

The bottom line is that ransomware prevention is the best medicine. But, prevention is only one part of preparation. The other part is acting fast and doing the right things if a ransomware attack actually occurs. Quick action by the hospital’s IT director saved the organization from a widespread and catastrophic ransomware attack.

Understanding the Cyber Risk Exposures Within the Health Care Industry https://securityintelligence.com/posts/understanding-cyber-risk-exposure-healthcare/ Tue, 07 Dec 2021 20:00:00 +0000

The post Understanding the Cyber Risk Exposures Within the Health Care Industry appeared first on Security Intelligence.


The health care industry is one of the most popular and lucrative targets for cyberattacks and malicious activity. Health care organizations consistently present an attractive proposition to attackers because they hold high volumes of sensitive information about patients and rely on highly vulnerable medical devices.

Advancements in medical procedures and the growth in digital innovation have increased the complexity of networks and of securing them. Medical firms need to ensure they protect their data, employees and patients with appropriate data integrity and security solutions, while keeping costs under control.

The danger is real. IBM’s Cost of a Data Breach Report found that health care organizations suffered the highest costs of data breaches for the 11th consecutive year in 2021. This year saw the average cost of a health care data breach surge to $9.23 million, a 29.5% increase from the previous year. That’s more than any other industry, with the financial sector being a distant second, at $5.72 million. Furthermore, medical organizations have seen a 185% increase in the number of health care data breaches this year compared with last year. 

Significant Challenges to Health Care Cybersecurity

Health care organizations face significant vulnerabilities from outdated or legacy technologies that are attractive targets for today’s cyber attackers. To make matters worse, a majority of the newer medical devices are still not being developed with cybersecurity controls in mind. Traditional vulnerability management approaches present several challenges within modern health care IT environments. New devices and technical limitations can make traditional methods largely ineffective.

Health care cybersecurity is threatened on a number of fronts, including:

Phishing Attacks

Cybercriminals target victims through email, social media and text messages. The attacker poses as a legitimate sender and attempts to dupe victims into opening malicious attachments or spoofed hyperlinks. This enables the attacker to steal personally identifiable information (PII), such as login credentials, credit card information and account details, and use this information as part of broader identity theft activity.

Insider Threats

Insider threats occur when disgruntled employees leak or sell data, or through employee negligence. Both can result in health care data being leaked and made available for purchase on hacker websites. Insider threats can also lead to hospital cyberattacks by external actors.

Internet of Medical Things (IoMT) Attacks

The health care industry continues to see a massive increase in the use of internet-connected medical devices, collectively known as Internet of Medical Things (IoMT) devices. These connected devices, like heart rate monitors, infusion pumps, smart imaging systems, inhalers and thermometers, are increasingly vital to caring for patients. However, many connected devices don’t have adequate built-in security and can’t be controlled or monitored by traditional IT security products. This makes IoMT devices extremely vulnerable to cyberattacks, so they must be secured to prevent cybercriminals from accessing and exploiting the data they generate.

Gary Arnold, director of strategic partnerships at Armis, provides an example of the danger: “In May 2021, Armis researchers discovered PwnedPiper, which is a series of nine critical vulnerabilities in the Nexus Control Panel that controls Swisslog Healthcare’s Translogic pneumatic tube system (PTS) stations. The infrastructure delivers medication, blood products and lab samples to more than 3,000 hospitals worldwide. However, the vulnerabilities allowed attackers to seize control of PTS stations and deploy ransomware that could enable them to launch denial of service (DoS) or man-in-the-middle attacks.”

Ransomware Attacks 

Ransomware poses a significant threat to medical organizations. It involves attackers gaining unauthorized access to a network and injecting malware to lock users out of machines, steal data or paralyze a system to prevent access. The attacker then demands a ransom with the promise of providing a decryption key and return of the stolen data when the ransom is paid.

Remote Connectivity and Telemedicine Risks 

Many health care organizations have seen a sharp rise in online consultations over the last 18 months. Remote connectivity and telemedicine offer ease of use for both medical staff and patients. However, they also increase the risk of cyberattacks and health care data breaches if they aren’t adequately protected or if users don’t have secure access.

How to Secure Health Care Data and Organizations

The impact of cyber crimes targeting the health care industry can be mitigated by implementing the right security solutions. The combination of the right security solutions and sufficient training for staff helps businesses prevent data loss, leakage and theft. It also provides visibility into device and system vulnerabilities. Furthermore, employees are better positioned to spot the potential signs of a cyberattack, which means organizations can identify and mitigate the impact of attacks by responding as quickly as possible.

Armis and IBM provide security services and solutions for health care and life sciences companies, securing them against the rising tide of cybercrime. These include:

  • Working with the client to implement security solutions that bring visibility to devices and networks to check for vulnerabilities that could be exploited by attackers
  • Implementing security controls that address known security vulnerabilities
  • Integrating the Armis security solution with the security operations center to monitor medical and supporting systems for new vulnerabilities, malware, cyberattacks and system changes that could impact the business negatively.

Armis and IBM help health care organizations secure their systems by monitoring for risks and assessing device behavior. The solutions also provide clear visibility into who or what is attempting to access their corporate networks. These solutions are able to monitor devices on Wi-Fi networks (and other protocols like Zigbee and Z-Wave) for potential network intrusion and data exfiltration. They also monitor devices that aren’t directly connected to networks, such as defibrillators or devices like smart lights, smart locks and wearables.

Gain the Advantage Over Cybercriminals

Health care organizations face an ever-increasing risk of cyberattacks. As they deploy more sophisticated devices and networks and continue to expand remote care, their security threat level increases. Medical companies need to ensure all of their users and devices are protected by deploying solutions that increase the visibility of their attack surface, help them fight emerging threats, and keep their network secure.

Discover the critical considerations that will help your organization gain the upper hand in the fight against cybercriminals by downloading this Armis whitepaper.

Hospital Ransomware Attacks Go Beyond Health Care Data https://securityintelligence.com/articles/hospital-ransomware-health-care-data/ Wed, 24 Nov 2021 14:00:00 +0000

The post Hospital Ransomware Attacks Go Beyond Health Care Data appeared first on Security Intelligence.


The health care industry has been on the front lines a lot lately. Along with helping control the effects of COVID-19, it has been a prime target for ransomware. In a 2021 survey conducted of 597 health delivery organizations (HDOs), 42% had faced two ransomware attacks in the past couple of years. Over a third (36%) attributed those ransomware incidents to a third party, such as what happened earlier this year with Kaseya. The effects go beyond stolen health care data, although that is important, too. What does it mean when a health care organization faces an attack? And what can they do to protect themselves?

Health Care Data Directly Affects Patients

Those attacks diminished many HDOs’ confidence in their ability to address the risks of ransomware. More than half (61%) said they weren’t confident in their ransomware defenses following the events of 2020, for instance. That’s up from 55% a year earlier.

After all, ransomware attacks undermine health care organizations’ mission of providing their patients with timely care. Consider the following findings from the Ponemon study:

  • Nearly three-quarters (71%) of respondents reported that a successful cyber attack had resulted in longer stay lengths for patients
  • About the same proportion said that ransomware attacks had created delays in medical procedures and tests that resulted in poor outcomes for patients who needed them
  • Slightly fewer (65%) said that the attacks had yielded an increase in the number of patients diverted to or transferred to other facilities
  • More than a third (36%) of respondents had witnessed an increase in complications from medical procedures following a ransomware attack
  • About a fifth said cyberattacks had increased their patients’ mortality rate.

Hospital Cyber Attacks in the News

Today’s most high-profile cyber attacks go beyond health care data, too. In September 2020, for instance, German authorities looked into the death of a woman following a ransomware attack against a hospital. The patient died after being diverted to another hospital located more than 30 km (18 miles) away from her intended destination, University Hospital Duesseldorf. The facility was dealing with a DoppelPaymer ransomware attack that prevented it from receiving her.

Following an investigation into what happened, German law enforcement determined that the victim’s medical diagnosis was of such a severity that she would have died regardless of whichever hospital might have admitted her.

In October, a woman in Alabama filed a lawsuit alleging a hospital had not informed her that a ransomware attack had disabled its computers. The lawsuit asserted that hospital personnel had given reduced care to her baby. The baby was born with a severe brain injury and later died. Attackers after money or health care data ended up with something far worse.

The Wall Street Journal noted that many of those attackers deployed their payloads more quickly in the networks of health care organizations than elsewhere because they believed these victims would be more inclined to pay. The logic was that health care organizations need to retrieve sensitive health data as quickly as possible to treat their patients, so they might not have time to negotiate with ransomware actors and might meet the attackers’ demands without question.

How Health Care Organizations Can Defend Themselves

Many HDOs surveyed were preparing for a ransomware attack that targets their health care data or critical systems. For instance, 54% had created a business continuity plan that included planned system outages in the event of a ransomware incident. Others had invested in cyber insurance, audited and increased backups of business-critical systems, and allocated funds for a ransomware attack, at 51%, 34% and 23% respectively.

These and other measures can certainly help health care organizations respond to a ransomware attack. But it’s just as important that they take steps to prevent a ransomware infection in the first place.

First, invest in security awareness training for employees. Craft modules that speak to ransomware along with other relevant dangers such as insider threats, the privacy of medical imaging and supply chain risks. Doing so will help empower people to spot and report potential threats to their patients and health care data. That, in turn, improves their employer’s overall security posture.

Keep Up to Date 

Security awareness training is an ongoing process, of course. This means that infosec personnel need to revise their employee training continually. Make sure you keep track of new and emerging threats. That is especially relevant for ransomware: in this threat landscape, attack operations constantly rebrand themselves and adopt more layers of extortion. Towards that end, security teams can use threat intelligence to keep up to date, blending third-party feeds relevant to their industry with in-house sources. This way, they obtain as broad a view as possible of their unique threat profile.

Finally, teams can implement technical controls that help to prevent ransomware gangs from using common attack vectors. These measures include email filters that block messages containing embedded links to disallowed domains, disabling Remote Desktop Protocol (RDP) on Windows machines that don’t require remote access, and using vulnerability management to prioritize remediation of known vulnerabilities affecting authorized software and hardware assets.
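As an added example that is not part of the original article, the following Python script implements the first of those controls, an email link filter, using only the standard library. It parses a raw message, pulls URLs out of both the plain-text body and the href attributes of HTML anchors (phishing mail often displays one URL and links to another), normalises the host, and blocks the message if the host is, or is a subdomain of, a denied domain. The denylist, the two sample messages and every domain name in them are constructed for illustration; in production the list would be fed from threat intelligence and the check would run in the mail gateway.

```python
"""Flag e-mail messages that contain links to disallowed domains.

Added example, not code from the original article. The denylist and the
sample messages below are constructed; the domain names are hypothetical.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed denylist (hypothetical domains). A real deployment would feed
# this from threat intelligence and the organisation's own block decisions.
DENIED_DOMAINS = {"evil-invoices.example", "phish.example"}

# Matches a URL in free text; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collect href targets from <a> tags, since the displayed text may lie."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_urls(msg):
    """Return every URL found in the text/plain and text/html parts of msg."""
    urls = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        urls.extend(URL_RE.findall(body))
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(body)
            urls.extend(collector.hrefs)
    return urls


def host_of(url):
    """Normalise the host part: lower-case, drop any port and a trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_denied(host, denied=DENIED_DOMAINS):
    """True if host equals a denied domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in denied)


def check_message(raw, denied=DENIED_DOMAINS):
    """Return (blocked, offending_urls) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    offending = [u for u in extract_urls(msg) if is_denied(host_of(u), denied)]
    return (bool(offending), list(dict.fromkeys(offending)))


# Constructed sample: the visible link text looks benign, but the anchor's
# href points at a denied domain.
SAMPLE_PHISH = """\
From: billing@example.org
To: finance@hospital.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the attached invoice at
<a href="https://portal.evil-invoices.example/login">https://portal.example.org</a></p>
</body></html>
"""

# Constructed sample: an internal notice with a link that is not on the list.
SAMPLE_CLEAN = """\
From: it@hospital.example
To: staff@hospital.example
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

Systems will be patched tonight. Details: https://intranet.hospital.example/maint
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        blocked, urls = check_message(raw)
        print(f"{label}: blocked={blocked} offending={urls}")
```

Matching on the registrable domain and its subdomains, rather than on the exact URL string, keeps the check robust when attackers vary paths and hostnames under a domain they control. It does not catch lookalike or freshly registered domains that are not yet on the list, which is why the article pairs the filter with awareness training and threat intelligence.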

Sooner, Not Later

Health care is one of those sectors where a ransomware attack could affect someone’s physical safety and well-being. No one wants the reputation damage and other costs that such an incident might bring. That’s in addition to the possible breach of health care data. Hence why health care organizations need to be proactive and make sure they have the right ransomware protection solutions in place sooner rather than later.

What Is the True Cost of a Health Care Data Breach? https://securityintelligence.com/articles/cost-health-care-data-breach/ Wed, 13 Oct 2021 13:00:00 +0000

The post What Is the True Cost of a Health Care Data Breach? appeared first on Security Intelligence.


The health care industry has had the costliest data breaches of any industry for eleven years in a row. The highly sensitive and personally identifiable information (PII) held by health care systems is an attractive target: it contains everything needed for identity theft. In addition, that data may be stored on less secure networks than systems in other highly regulated industries. Data protection becomes more complex in a health care environment where a large number of computers, devices and medical equipment must be secured, and attackers can take advantage of health care data created throughout the course of patient care. Health care data breaches are even more insidious because they have the potential to cause great harm to victims.

What Is a Health Care Data Breach?

A health care data breach is an event in which names, medical records, financial records or payment methods are exposed through access to electronic or paper files. Data may be stolen, damaged (corrupted) or deleted, either through an internal threat actor’s negligent or intentional actions or through a cyberattack. Health care data breaches commonly begin with compromised login credentials or phishing attacks.

Well-Known Health Care Data Breaches

Cyber criminals targeted a large insurance company in 2015, gaining access to Anthem Inc. computer systems and stealing the PII of more than 78 million people. Stolen data included names, home addresses, dates of birth, Social Security numbers, health care system ID numbers, email addresses, employment information and income. The insurer failed to encrypt highly sensitive information, which made it easier to steal once cyber criminals entered the systems. They used compromised credentials from at least five high-ranking IT staff members. The attack is said to have started from a persistent phishing campaign. The attackers had uploaded at least a portion of the stolen data to an external data-sharing site. No health care data (e.g. medical records, images, etc.) or banking information was known to be compromised.

Also in 2015, another insurance company fell victim to a data breach that exposed 11 million customers’ medical and financial information. Premera Blue Cross reported that attackers likely gained access to insurance claims data, dates of birth, Social Security numbers, email addresses, telephone numbers and bank account information. Millions of records were exposed, but the investigation did not find what the insurer calls ‘inappropriate use’. Attackers hit a large number of other hospitals and clinics around the same time in 2015.

Attackers struck UK hospitals with WannaCry ransomware in a 2017 cyber attack that spanned the globe. The attack halted patient care when it brought down digital patient records, telephone lines, email systems, computers and medical equipment. NHS staff responded by switching to pen and paper and to personal mobile devices. Reportedly, NHS systems were still running outdated operating systems such as Windows XP or Windows 8. Microsoft had issued a rare, critical patch to help protect outdated systems from WannaCry-style ransomware, but the NHS had not yet installed the patch on the affected computers.

In 2020, Universal Health Services (UHS) suffered a Ryuk ransomware attack that shut down phone and patient care systems at all 400 of its hospitals and clinics. UHS hospitals had to postpone surgeries and reroute emergency patients to other hospitals while online systems were locked down. Hospitals in the UHS system could no longer access online patient records and had to pivot to pen and paper. The criminal group demanded a ransom and threatened to leak the contents of stolen records. Universal Health Services did not pay, and finally restored its IT systems after a month offline. This proved to be one of the largest hospital cyber attacks in the health care industry.

How Much Does a Health Care Data Breach Cost?

Health care data breach costs are consistently the highest of any industry. In 2021, the Cost of a Data Breach report found the cost of a health care data breach reached $9.23 million (a 29% increase over 2020).

Digital health care records pose a privacy risk when networks and software systems lack the right security. Electronic health records promise interoperability between providers, portable records, a higher degree of accuracy and improved transparency in an effort to deliver better patient care. However, digital health care records are at risk of theft due to their high value. Application security is an essential aspect of holding them safely.

Technology advances at a faster pace than health care systems can respond. Funding and medical equipment replacement are still challenges, especially for smaller providers (e.g. rural hospital systems). For example, digital imaging equipment tends to stay in use for at least 10 years, and many facilities run models that cannot meet modern PII security requirements for the software and patient care data flowing through them.

Meanwhile, health care providers are falling prey to more high-tech cyber attacks. Hospital cyber attacks can have serious effects on patient care, especially when entire systems are inaccessible. The convenience of digital health care software quickly diminishes when it’s no longer available. Health care workers need to assess risk in a different way. Ongoing and engaging cybersecurity awareness training tailored for health care can help organizations better understand and address some of the unique risks associated with the industry.

Risks and Challenges of Data Security in the Health Care Industry

The increased complexity of IT and cloud-based systems creates big challenges for any data protection program. Meeting PII compliance and security needs across multiple systems can be a challenge for a hospital system, and missed compliance objectives can mean higher risks and costs. Database security for the immense patient databases involved is key to reducing risk wherever possible.

Health care data breaches will continue to increase so long as they continue to turn a profit for attackers. The health care industry must strike a delicate balance between high-quality patient care and robust cyber defenses. Meeting both objectives requires dedicated attention to both, which can seem like a luxury — especially for smaller health care providers. If history is any sign, the cost of a health care data breach will increase year over year going forward.

The post What Is the True Cost of a Health Care Data Breach? appeared first on Security Intelligence.

]]>