A cyberattack forced the shutdown of a major U.S. fuel pipeline last week, showing how vulnerable the nation’s critical infrastructure is. The company investigated and later reported paying a $4.4 million ransom to the attackers to regain access to its IT systems and resume operations. The healthcare industry is also vulnerable, and cybercrime continues to rise. In the past year, the pandemic fueled more attacks than ever.
How much do we know about cybercrime and data breaches? Are things getting better or worse? Security experts who monitor cybercrime say that incidents are increasing, but the problems differ from one industry to the next.
Every year Verizon publishes a Data Breach Investigations Report (DBIR), which analyzes security incidents and confirmed data breaches across twenty industries worldwide. The 119-page report is surprisingly readable, combining detailed analysis with easy-to-read summaries.
The report is also candid about its limitations, explaining that incident data is not reported uniformly across industries or regions, so the figures reflect what was shared with Verizon and its contributors rather than everything that happened. Even with those limitations, the DBIR is one of the most comprehensive reports of its kind and a valuable resource for experts and non-experts concerned about cybersecurity.
Key Takeaways from the Verizon DBIR
- Cybercriminals took advantage of the pandemic, exploiting fear and the shift to remote work
- Phishing was present in 11 percent more breaches than the year before (36 percent of breaches, up from 25 percent)
- Ransomware’s share of breaches rose by 6 percent
- 85 percent of breaches involved a human element, and over 80 percent of breaches were discovered by external parties rather than by the victim’s own monitoring
- Organizations need to know their own vulnerabilities to secure their own systems; there is no “one size fits all”
What About Data Breaches in Healthcare?
- Ransomware is a favored tactic among financially motivated organized criminal groups targeting healthcare
- Basic human error continues to be a major problem
- The most common error continues to be misdelivery (36 percent of error-related breaches), whether of electronic messages or paper documents sent to the wrong recipient
- Malicious actions by insiders have dropped out of the top three for the second year in a row
Prevention is less expensive than loss, whether the loss comes from an accident or from intentional theft. We have written recently about preventing data breaches and mentioned the cybersecurity guidance available from law enforcement and security agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
In healthcare, we know the best prevention is HIPAA Risk Analysis and Risk Management. Among other measures, a HIPAA Risk Analysis covers the three top protective controls the Verizon DBIR recommends for healthcare:
- Security awareness training for staff
- Access management
- Secure configuration of enterprise assets and software
There is more to a full Risk Analysis, also called a security risk assessment, than these top three controls. At The HIPAA E-Tool®, we include a Security Rule Checklist that walks through every requirement of the HIPAA Security Rule. Also included are the controls applicable to healthcare from the latest revision (Revision 5) of the National Institute of Standards and Technology (NIST) Special Publication 800-53.
Finally, to tie it all together, the step-by-step interactive Risk Analysis builds the Risk Management Plan and documents the actions taken, as HIPAA requires of all covered entities and business associates.