healthcare - Verizon Enterprise Solutions

Industry Report

2015 Data Breach Investigations Report

HEALTHCARE

Data breaches can be extremely costly. The Verizon DBIR has, for years, been the best source of insight about the threat landscape. This year’s report covers nearly 80,000 security incidents from 61 countries.

Almost two thirds of security incidents in the healthcare industry involved physical theft and loss, privilege misuse, or miscellaneous errors. And while compromises often take just minutes, in over a third of cases it took healthcare organizations months or years to discover an incident had occurred. This year’s Data Breach Investigations Report (DBIR) is again based around nine incident classification patterns identified in the 2014 report. Last year we found that just three patterns — physical theft and loss, privilege misuse, and miscellaneous errors — accounted for 73% of the security incidents reported by healthcare organizations. Looking at the data from the 2015 DBIR, the same three patterns continue to pose the highest risk in healthcare. The share of attacks covered by these three is down slightly from 2013, but still represents nearly two thirds (65%) of all incidents. We’ll look at these three types of attack in greater depth and at how you can improve your defenses against them.

FIGURE 1 INCIDENTS BY PATTERN: ALL INDUSTRIES VERSUS HEALTHCARE

[Figure 1: two pie charts, “All industries” and “Healthcare”, showing the share of incidents by pattern. Patterns shown: Crimeware, Cyber-espionage, Denial of service attacks, Insider and privilege misuse, Miscellaneous errors, Payment card skimmers, Physical theft and loss, Point-of-sale intrusions, Web application attacks, Everything else. In the healthcare chart, physical theft and loss accounts for 26%, insider and privilege misuse for 20%, and miscellaneous errors for 19%.]

Compared to the all-industry average, the healthcare sector reported more incidents involving physical theft and loss.

65% of security incidents in the healthcare industry were attributable to just three patterns.

Highlights of the 2015 DBIR

The first step to tackling data security is to understand the nature of the threats that you face. The Verizon 2015 Data Breach Investigations Report (DBIR) helps you to do this by providing you with detailed analysis of almost 80,000 incidents, including 2,122 confirmed data breaches — our biggest ever dataset.

New opportunities have emerged
You’re probably looking at mobile and the Internet of Things (IoT) to provide more efficient ways of doing things and create new revenue opportunities. But does this leave you more open to attacks on your data and systems? We looked at the threats posed by mobile malware and the growth of the IoT.

Familiar techniques are still a threat
There were around 170 million malware events across all organizations last year. 70−90% of those were unique to a single organization. Hackers now routinely introduce simple modifications to the code each time they use it. This changes the identifying signature that traditional antivirus products look for, enabling the malicious code to get through and compromise systems.

Old vulnerabilities remain open
We found that ten vulnerabilities accounted for almost 97% of the exploits in 2014. The remaining 3% consists of 7,000,000 other vulnerabilities. Most attacks exploited known vulnerabilities where a patch has been available for months, often years. Of the vulnerabilities detected in 2014 we found more dating back to 2007 than from any year since.

Adding up the costs
Organizations are constantly asking us to put a figure on the cost of breach to help them demonstrate the value that they are delivering and justify their data security budgets. This year, for the first time, the DBIR estimates what costs you can expect to incur if you fail to protect your data. We’ve spent time developing a new approach to estimating the costs of breach. Unlike other models, we believe our approach provides more reliable figures for breaches involving over 100,000 records.

Physical theft and loss

The biggest cause of data breaches in healthcare continues to be the physical theft and loss of “information assets”, including laptops, desktops, flash drives, and even paper documents. This doesn’t include cases where assets have been improperly disposed of — we classify these as miscellaneous errors.

26% of security incidents in the healthcare sector involved lost and stolen assets.

In this year’s report, 26% of all security incidents in healthcare involved lost and stolen assets. In the 2014 report, that figure was 46%. Despite this drop, the physical theft and loss of information assets continues to be a bigger problem in healthcare than in any other industry in our dataset. Of course, some of this is likely to be a consequence of the Health Insurance Portability and Accountability Act (HIPAA) forcing companies to disclose incidents that might have gone unreported in other industries.

Many thefts are motivated by the value of an asset rather than the data it contains, but the requirement to report a data breach remains. In many cases, thefts are opportunistic — hospitals and doctor’s surgeries are busy places and assets are often left vulnerable when employees are attending to emergencies.

What can you do?

• Encrypt data: Encryption won’t reduce the incidence of loss or theft, but it will protect the data held on devices. And you may not have to report the loss or theft of an encrypted device as a breach, as the data will be inaccessible to the culprit.

• Automate backups: In the event a device is lost or stolen, you’ll need to know what was on it to scope the seriousness of the incident. By automating backups you can take human error out of the equation and ensure that your data is backed up regularly and consistently.

• Lock assets down: The simplest way to stop someone from walking off with IT equipment is to secure it to an immovable fixture. Paper documents containing sensitive information should be stored in a secure area with restricted access.

Insider and privilege misuse

Insider and privilege misuse accounted for 20% of the security incidents suffered by healthcare organizations — an increase of five percentage points since last year.

20% of incidents in the healthcare sector were attributed to insider and privilege misuse.

This type of incident covers situations where employees and business partners use their legitimate access rights to take confidential information for personal gain.

Healthcare companies are a prime target for insider and privilege misuse due to the amount of highly sensitive — and hence valuable — information held and the number of employees that require access to systems.

The richly detailed patient records maintained by healthcare organizations are very attractive to criminals — particularly organized crime groups bent on using the data for identity theft and tax refund fraud. And there is also a threat to intellectual property, such as clinical trial results. Almost three quarters (74%) of incidents of insider misuse involved employees taking advantage of their legitimate access to harvest data. After all, it’s far easier to copy large quantities of data to a USB drive than to sneak out bags full of paper files.

What can you do?

• Know your data: Before you can protect your data, you need to understand exactly what data you have, where and how it’s stored, and who has access to what.

• Review user behavior: Implement processes to monitor use of systems and data so that you can identify any suspicious behavior. Establish a process for reviewing or revoking access when employees change role or leave.

• Watch data transfers: Set up controls to watch for data transfers out of the organization — in our experience these controls have caught many incidents of insider data theft that would otherwise have been missed.

Miscellaneous errors

Miscellaneous errors — security incidents that were the result of accidental actions rather than malicious intent — accounted for almost a fifth (19%) of data breaches last year.

19% of security incidents in the healthcare sector were due to human error.

The three most common causes of incidents covered by this pattern were:

• Misdelivery (37%) — data delivered to the wrong recipients, whether by post or email.

• Disposal Errors (27%) — failure to dispose of assets securely by shredding documents or wiping hard drives.

• Publishing Errors (9%) — private data posted erroneously onto public sites.

While it’s impossible to prevent all human error, you can put in place processes and controls to reduce the potential for a leak of sensitive healthcare data that could lead to a PR crisis.

A full 7% of all incidents in healthcare are due to simply sending data to the wrong person.

What can you do?

• Implement quality assurance: Tighten controls around posting documents to websites and regularly scan public-facing sites for sensitive data. Put in place simple sampling processes to ensure envelope addresses and contents match when sending out large mailings.

• Consider Data Loss Prevention (DLP): DLP products can catch broken internal processes, and detect or block sensitive information being sent by email.

• Train your staff: Training staff on how to dispose of sensitive data and assets can have a real impact on reducing security incidents. Documents and computers can’t just be thrown away.
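The “review user behavior” and “watch data transfers” recommendations for insider misuse, and the DLP recommendation for misdelivery, both come down to running simple checks over the records an organization already collects. The script below is an added example written for this page, not Verizon’s own tooling or anything from the report: it parses a few constructed audit-log lines, flags users whose copying to removable media exceeds a multiple of a constructed per-user baseline, and flags outbound mail to external domains whose body matches patient-identifier patterns. The log format, user names, domains, baselines, identifier patterns and the 5× threshold are all assumptions made for the example.

```python
"""
Added example (not from the Verizon report): a small detection pass over
constructed audit events that illustrates two controls recommended above,
watching outbound data transfers for insider bulk copying and a DLP-style
check for sensitive records e-mailed to external recipients (misdelivery).
Every log line, user, domain, pattern and threshold here is constructed.
"""
import re
from collections import defaultdict

# Constructed audit-log lines: timestamp, user, action, destination, size in bytes.
AUDIT_LOG = """\
2015-03-02T09:12:01 user=nurse01 action=copy dest=usb://E size=10485760
2015-03-02T09:40:15 user=nurse01 action=copy dest=usb://E size=5242880
2015-03-02T10:03:44 user=billing07 action=copy dest=usb://F size=734003200
2015-03-02T10:05:19 user=billing07 action=copy dest=usb://F size=1048576000
2015-03-02T11:22:08 user=admin03 action=email dest=clinic@example-hospital.org size=20480
2015-03-02T11:25:51 user=admin03 action=email dest=j.smith@gmail.com size=30720
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dest=(?P<dest>\S+) size=(?P<size>\d+)$"
)

# Assumed: the organization's own mail domains (constructed).
INTERNAL_DOMAINS = {"example-hospital.org"}

# Assumed: per-user daily baseline of bytes copied to removable media (constructed).
BASELINE_BYTES = {
    "nurse01": 20 * 1024 * 1024,
    "billing07": 50 * 1024 * 1024,
    "admin03": 1 * 1024 * 1024,
}

# Patterns shaped like patient identifiers; constructed for the example.
SENSITIVE_PATTERNS = [
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)),
]

def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["size"] = int(ev["size"])
            events.append(ev)
    return events

def flag_bulk_transfers(events, baseline, multiplier=5):
    """Return {user: bytes} for users whose removable-media volume exceeds
    multiplier x their baseline. Users with no baseline are flagged on any copy."""
    totals = defaultdict(int)
    for ev in events:
        if ev["action"] == "copy" and ev["dest"].startswith("usb://"):
            totals[ev["user"]] += ev["size"]
    return {u: t for u, t in totals.items() if t > multiplier * baseline.get(u, 0)}

def is_external(address, internal_domains):
    """True when the recipient's domain is not one of ours (case-insensitive)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains

def flag_external_sensitive(messages, internal_domains):
    """DLP-style check: flag a message only when the recipient is external AND
    the body matches at least one sensitive pattern."""
    hits = []
    for msg in messages:
        if not is_external(msg["to"], internal_domains):
            continue
        matched = [name for name, rx in SENSITIVE_PATTERNS if rx.search(msg["body"])]
        if matched:
            hits.append((msg["from"], msg["to"], matched))
    return hits

# Constructed outbound messages; the bodies are invented.
MESSAGES = [
    {"from": "admin03", "to": "clinic@example-hospital.org",
     "body": "Patient MRN 00123456 discharge summary attached."},
    {"from": "admin03", "to": "j.smith@gmail.com",
     "body": "Hi John, your MRN: 00123456 and SSN 123-45-6789 for the form."},
    {"from": "nurse01", "to": "friend@gmail.com", "body": "See you at lunch."},
]

def run():
    """Run both checks over the constructed data and return their findings."""
    events = parse_log(AUDIT_LOG)
    bulk = flag_bulk_transfers(events, BASELINE_BYTES)
    dlp = flag_external_sensitive(MESSAGES, INTERNAL_DOMAINS)
    return bulk, dlp

if __name__ == "__main__":
    bulk, dlp = run()
    for user, total in bulk.items():
        print(f"ALERT bulk removable-media copy: {user} {total} bytes")
    for sender, to, kinds in dlp:
        print(f"ALERT sensitive data to external recipient: {sender} -> {to} {kinds}")
```

On the constructed data only billing07 trips the volume check (about 1.7 GB against a 50 MB baseline), and only the message to the gmail.com address trips the DLP check; the same identifier sent to an internal address is not flagged, which is the distinction a misdelivery control needs to make. In practice the baseline would be learned from historical volume per user or role, and the pattern list would be tuned to the identifiers the organization actually issues.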

FIGURE 2 TIME TO DISCOVER AN INCIDENT IN HEALTHCARE (’15)

Share of healthcare breaches by elapsed time:

                                                              Seconds  Minutes  Hours  Days  Weeks  Months+
The time it took attackers to compromise the system              60%      20%     7%    0%     7%       7%
How long it took to exfiltrate data from the system              20%      40%    20%   20%     0%       0%
How long it was before the victim became aware of the breach      4%       4%    21%   29%     7%      36%
The time it took the victim to contain the incident               0%       0%    29%   57%     0%      14%

Time to discover an incident

In 80% of cases it took attackers just minutes or less to compromise healthcare data. It then took them hours or less to exfiltrate data in 80% of cases — and they were always able to remove data within a matter of days.

But it was months or longer before healthcare organizations became aware of well over a third (36%) of breaches. The danger in taking so long to identify an incident has occurred is that attackers have unhindered access to systems and can spend more time searching for information and data of value.

How can we help?

We put our unique security insight to work every day in the solutions we provide. Our products and services can help you guard against the threats you face.

• Our Data Loss Prevention (DLP) and Data Discovery, Identification and Security Classification (DDISC) services can help you stop sensitive data leaving your organization — whether accidentally thanks to user error, or deliberately due to misuse.

• Our Identity and Access Management services give you better control over user credentials, reducing the risk of insider misuse. You can enforce two-factor authentication and quickly revoke privileges when an employee leaves.

• Our Monitoring and Analytics services give you up-to-date insight into what’s happening on your network, including what data is leaving the company. This can help detect the early warning signs and stop insider misuse.

2015 DATA BREACH INVESTIGATIONS REPORT

To better understand the threats to your organization and improve your defenses against them, download the full Verizon 2015 Data Breach Investigations Report from verizonenterprise.com/DBIR/2015.

[Cover of the full report: “$400 MILLION: The estimated financial loss from 700 million compromised records shows the real importance of managing data breach risks. Conducted by Verizon with contributions from 70 organizations from around the world.” Sectors listed on the cover: healthcare, education, public sector, hospitality, financial services, retail, entertainment, professional, manufacturing, technology, administrative, transportation.]

verizonenterprise.com

© 2015 Verizon. All Rights Reserved. The Verizon name and logo and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners. WP16372 4/15