Data Breach Report Urges ‘Know Your Adversary’
The findings of a comprehensive data breach report released by Verizon this week suggest that no industry is immune to cybercrime, and that the experiences of other affected industries can provide lessons for healthcare providers on safeguarding their data.
The “2013 Data Breach Investigation Report,” now in its sixth year, analyzes data from 19 organizations worldwide, covering 47,000 reported security incidents and 621 confirmed security breaches from the past year. One main takeaway is that no organization, regardless of its size or industry, is immune from attacks stemming from a variety of motives, and that any one-dimensional attempt to characterize those attacks fails to capture their complexity.
Among the report’s findings, 92 percent of attacks overall were perpetrated by outside actors and 14 percent were committed by insiders. In terms of attack methods, hacking was the No. 1 way breaches occurred, accounting for 52 percent of breaches. Seventy-six percent of network intrusions exploited weak or stolen credentials, 40 percent incorporated malware, 35 percent involved physical attacks, and 29 percent leveraged social tactics such as phishing.
Financially motivated cybercrime took the top spot among all breaches, accounting for 75 percent of incidents. Overall in 2012, victims represented a wide range of industries: 37 percent of breaches affected financial services organizations, and 24 percent affected retail environments and restaurants. Twenty percent of network intrusions involved the manufacturing, transportation and utilities industries, and 20 percent affected information and professional services firms.
In a telephone interview, Susan Widup, a senior analyst with Verizon who specializes in the healthcare industry, said that healthcare provider organizations are at risk of adversaries going after the payment chain. Criminals are not so much interested in going after medical records per se, unless their focus is on social security records for identity theft, she says. Most, she says, are looking for credit-card information.
Widup says healthcare providers are susceptible to hacking as a means of penetrating payment systems, which has been a leading cause of many data breaches in the financial and retail industries. When attackers succeed in exploiting a particular vulnerability in one type of organization, they reuse the same tactics elsewhere, she suggests. “That is something that healthcare organizations should be concerned about, and if they are vulnerable in that area, they need to shore up their defenses,” she says, adding that in the case of financial data, the perpetrators are often organized crime. Attackers “will take a particular type of attack; it’s a hammer looking for nails,” she says.
How well are healthcare organizations prepared for attempted breaches? Widup notes that one critical measure of preparedness is the amount of time it takes an organization to detect that it has experienced a breach. “If it takes you two months to see what happened, and you can’t scope it accurately,” that’s a problem, she says, noting that this is one reason attackers may come back to a vulnerable organization repeatedly.
She also notes that with the Final Omnibus Rule from the Department of Health and Human Services that went into effect in January, healthcare organizations should review third-party arrangements. “Where the data is being hosted by someone else, they need to look at the contracts and how they are putting in requirements for securing the data,” she says. “If you are not requiring anyone who is handling your data to be held to the same standards that you are, that’s a risk.”
Widup’s advice for hospitals is two-fold: Know where the data resides, and pay attention to mean time to detection, so that if there is a data breach, they can respond to it effectively and in a timely manner.
The report emphasizes that there is no “silver bullet” for preventing data breaches, and that spotting and preventing data security incidents should not be the sole responsibility of the IT department or the chief information security officer. It should be a company-wide effort. The report offers eight recommendations for securing data:
- Eliminate unnecessary data and keep tabs on what is left.
- Perform regular checks to ensure that essential controls are met.
- Collect, analyze and share incident data to create a rich information source that can drive security program effectiveness.
- Collect, analyze and share tactical threat intelligence.
- Without de-emphasizing prevention, focus on better and faster detection through a blend of people, processes and technology.
- Regularly measure things like “number of compromised systems” and “mean time to detection,” and use these numbers to drive better practices.
- Evaluate the threat landscape to prioritize a treatment strategy. Don’t buy into a “one size fits all” approach to security.
- Don’t underestimate the tenacity of your adversaries.
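The recommendations above, and Widup’s advice on mean time to detection, describe metrics an organization should track from its own incident data. The following is an added example, not code from the report or from Verizon, showing how those two numbers (“mean time to detection” and “number of compromised systems”) can be computed from incident records and used to flag breaches that went unnoticed longer than the two-month benchmark mentioned in the interview. The record layout, field names and the sample incidents are constructed for illustration.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real data and not from the report).
# Each record carries the date the compromise began, the date it was detected,
# and the assets that were confirmed compromised during scoping.
INCIDENTS = [
    {"id": "INC-001", "compromised": "2012-01-03", "detected": "2012-03-10",
     "systems": ["pos-01", "pos-02"]},
    {"id": "INC-002", "compromised": "2012-02-14", "detected": "2012-02-20",
     "systems": ["pos-02", "billing-db"]},
    {"id": "INC-003", "compromised": "2012-04-01", "detected": "2012-05-15",
     "systems": ["web-01"]},
    {"id": "INC-004", "compromised": "2012-06-10", "detected": "2012-06-11",
     "systems": ["web-01", "mail-01"]},
]

# Two months, matching the "two months to see what happened" benchmark.
SLOW_DETECTION_DAYS = 60


def _parse_date(value):
    """Parse an ISO date string (YYYY-MM-DD) into a datetime."""
    return datetime.strptime(value, "%Y-%m-%d")


def time_to_detection_days(incident):
    """Days between compromise and detection for one incident.

    Raises ValueError when the record is inconsistent (detected before
    compromised), since a negative interval would silently skew the mean.
    """
    delta = _parse_date(incident["detected"]) - _parse_date(incident["compromised"])
    if delta.days < 0:
        raise ValueError(f"{incident['id']}: detected before compromised")
    return delta.days


def detection_metrics(incidents, slow_threshold_days=SLOW_DETECTION_DAYS):
    """Compute the detection metrics the report recommends tracking.

    Returns incident count, mean and median time to detection in days,
    the number of distinct compromised systems, and the ids of incidents
    whose detection took longer than the threshold.
    """
    ttd = [time_to_detection_days(i) for i in incidents]
    compromised = set()
    for incident in incidents:
        compromised.update(incident["systems"])
    slow = [i["id"] for i, days in zip(incidents, ttd) if days > slow_threshold_days]
    return {
        "incident_count": len(incidents),
        "mean_ttd_days": mean(ttd) if ttd else 0.0,
        "median_ttd_days": median(ttd) if ttd else 0.0,
        "compromised_systems": len(compromised),
        "slow_detections": slow,
    }


def mttd_change(previous, current):
    """Change in mean time to detection between two periods, in days.

    A negative value means detection got faster, which is the direction
    the report says these numbers should be used to drive.
    """
    return current["mean_ttd_days"] - previous["mean_ttd_days"]


if __name__ == "__main__":
    metrics = detection_metrics(INCIDENTS)
    for key, value in metrics.items():
        print(f"{key}: {value}")
```

Run over the constructed records, the mean time to detection is 29.5 days and the median 25 days, with five distinct compromised systems; INC-001 (67 days) is flagged as exceeding the two-month threshold. Keeping the per-period results and comparing them with `mttd_change` is what turns the metric into the feedback loop the report describes.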