The Verizon 2023 Data Breach Investigations Report (DBIR or Report) is a great read. The Report summarizes recent data breach trends across sixteen industries with specific advice about mitigation strategies for each. It contains rigorous analysis and technical know-how but is concise and well-written with clear graphics so that non-experts and experts alike can understand and use it.
The DBIR discusses top breach patterns, where the threat actors come from (external vs. internal), actor motives, and types of data compromised.
Key Takeaways for Healthcare
- Ransomware gangs continue to plague healthcare.
- Miscellaneous errors remain prevalent.
- While external threat actors are more common, don’t discount internal threats.
The DBIR describes seven different “incident classification patterns”, but 68% of healthcare data breaches fall in three of those patterns.
The following pattern descriptions are direct quotes from the DBIR:
“System Intrusion – These are complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying Ransomware.
Basic Web Application Attacks – These attacks are against a Web application, and after the initial compromise, they do not have a large number of additional Actions. It is the “get in, get the data and get out” pattern.
Miscellaneous Errors – Incidents where unintentional actions directly compromised a security attribute of an information asset fall into this pattern. This does not include lost devices, which are grouped with theft instead.”
In healthcare breaches, external actors account for 66% and internal actors for 35%, with 2% involving "multiple" actor types. The DBIR categories overlap (a single breach can involve both an external and an internal actor), which is why the figures add up to more than 100%.
Preventing Breaches in Healthcare
Because ransomware remains a top threat, preventing, detecting and recovering from it should be a top priority. According to the DBIR, ransomware actors most often get in through email, desktop-sharing software (e.g., RDP) and web applications, so those three entry points deserve the most attention: filter and sandbox email attachments, never expose RDP directly to the internet (put it behind a VPN that requires MFA), and patch internet-facing web applications promptly.
Be generous with workforce cybersecurity awareness training. Alert employees are the first line of defense against hackers using phishing.
Follow HIPAA and Conduct Risk Analysis – Risk Management
HIPAA requires policies and procedures that meet the requirements of the Privacy, Security and Breach Notification Rules. Taken together, all the rules create a blueprint for breach prevention. Conduct an annual HIPAA Risk Analysis and practice Risk Management year-round. Use the Security Rule Checklist to drill down into your cybersecurity defenses and make sure you stay up to date.
Key Mitigation Steps Drive HIPAA Security
- Daily data backup to a remote server that is not continuously connected to the network (offline or immutable storage), with restores tested regularly, so that ransomware cannot encrypt the backups along with production data
- Workforce cybersecurity awareness training can reduce errors and help stop ransomware through email
- Keep anti-virus and anti-malware software protection up to date
- Update and patch all application software
- Password management and multi-factor authentication (MFA) should be a top priority, especially for email and for any remote-access path such as RDP or VPN, the same entry points the DBIR ties to ransomware
An additional recent resource includes the StopRansomware Guide published in May by CISA and the FBI.
A Recent Growing Threat from CLOP Ransomware
An even more recent Alert published June 7, 2023 lists the following four steps to take immediately to fight the rising threat to healthcare from CLOP ransomware.
- Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
- Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
- Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
- Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.
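One way to turn the inventory and "monitor ports, protocols, and services" steps above into a repeatable check, as an added example written for this page rather than code from the DBIR, CISA or The HIPAA E-Tool: parse a host's listener inventory (the sample lines below are constructed, in the shape of `ss -lntup` output) and compare it against a hypothetical approved baseline, flagging anything not on the allow list and, with higher severity, remote-access services such as RDP bound to all interfaces, the desktop-sharing entry point the DBIR names. The baseline, the high-risk port table and the process names are assumptions for illustration, not values from any advisory.

```python
"""Compare a host's listening services against an approved baseline.

Added example for this page; not code from the Verizon DBIR, CISA/FBI or
The HIPAA E-Tool. The listener lines are constructed sample data shaped
like `ss -lntup` output, and the baseline is a hypothetical allow list.
"""
from dataclasses import dataclass

# Constructed sample inventory: proto, local address:port, process name.
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:443 nginx
tcp 127.0.0.1:5432 postgres
tcp 0.0.0.0:3389 xrdp
udp 0.0.0.0:161 snmpd
tcp [::]:22 sshd
tcp 0.0.0.0:4444 nc
"""

# Hypothetical baseline: (proto, port) -> set of processes allowed to own it.
BASELINE = {
    ("tcp", 443): {"nginx"},
    ("tcp", 5432): {"postgres"},
    ("tcp", 22): {"sshd"},
}

# Remote-access services that should never listen on all interfaces of a
# clinical host (assumed policy; RDP is the DBIR's "desktop sharing" vector).
HIGH_RISK_PORTS = {
    ("tcp", 3389): "RDP",
    ("tcp", 445): "SMB",
    ("tcp", 5900): "VNC",
}

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str

    @property
    def exposed(self) -> bool:
        """True when the socket is bound to every interface, not just loopback."""
        return self.addr in WILDCARD_ADDRESSES


def parse_listeners(text: str) -> list[Listener]:
    """Parse 'proto addr:port process' lines; malformed lines are skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        proto, local, process = parts
        addr, _, port = local.rpartition(":")   # rpartition keeps IPv6 intact
        addr = addr.strip("[]")                  # "[::]" -> "::"
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port), process))
    return listeners


def find_deviations(listeners, baseline, high_risk):
    """Return (severity, listener, reason) for every listener that breaks policy."""
    findings = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in high_risk and lst.exposed:
            findings.append(("high", lst, f"{high_risk[key]} exposed on all interfaces"))
        elif key not in baseline:
            findings.append(("medium", lst, "listener not in approved baseline"))
        elif lst.process not in baseline[key]:
            findings.append(("medium", lst, "unexpected process on baselined port"))
    return findings


if __name__ == "__main__":
    for severity, lst, reason in find_deviations(
        parse_listeners(SAMPLE_LISTENERS), BASELINE, HIGH_RISK_PORTS
    ):
        print(f"[{severity}] {lst.proto}/{lst.port} {lst.addr} ({lst.process}): {reason}")
```

Run against the constructed sample, the check reports the exposed RDP listener as high severity and the SNMP and port 4444 listeners as medium because neither is in the baseline; the loopback-only database and the baselined web and SSH services pass. In practice the baseline would be generated from the asset inventory the first step calls for, and the listener text would come from the host itself.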
On June 15 another Security Advisory was published regarding CLOP's exploitation of a vulnerability in MOVEit Transfer from Progress Software. According to SecurityWeek, CLOP victims "are in the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors." The list of victims is long and includes state and federal agencies, universities and airlines. Johns Hopkins University and Johns Hopkins Health System are on the list.
Let The HIPAA E-Tool® help you strengthen your compliance and learn the latest techniques to fight against ransomware threats. Step-by-step, HIPAA compliance is easy. We can show you the steps.