How CIOs prepare for tomorrow's healthcare data breaches

Healthcare data breaches increased 54 percent from 2012 to 2016. The struggle to protect medical and healthcare data will continue into the new year. Understanding your threat profile is the first step towards prevention.

A five-year review (2012 to 2016) of data breaches across industries shows that both the frequency of breach events and the volume of records exposed increased by about 50 percent.

2016 security trends

In healthcare the frequency of breach events increased by 54 percent and the number of records affected increased by 85 percent.

Compared with the frequency of healthcare breaches, breaches across all industries increased only 4 percent. Yet the percentage of records exposed increased by 69 percent. Attacks are becoming more targeted and more significant.

Overall, we can make a few observations from the frequency and volume of healthcare data breaches over the last five years:

  • 50 percent increase in frequency of data breaches across industries
  • 50 percent increase in severity per breach
  • 54 percent increase in frequency of medical and healthcare breaches
  • 69 percent increase in medical and healthcare records exposed

These observations tell us that the frequency of occurrences has increased and the impact, or severity, per occurrence has magnified. Additional steps are required to protect data and informational assets.

What’s captured?

The Identity Theft Resource Center (ITRC) published its annual data breach report covering 2016. The report concentrates on breaches, so how do we define a breach?

A breach is an exposure in which electronic or paper data is accessed by unauthorized actors. The ITRC publishes two reports weekly: the ITRC Breach Stats Report, a summary of information by category, and the ITRC Breach Report, a running list of data exposure events with totals accumulated throughout the year. Together these reports provide a complete profile of data breaches by sector for the year. The ITRC Breach Stats Report (summary) and the ITRC Breach Report (detail) present data breaches across five defined categories or sectors:

  1. Business: hospitality, transportation, utilities
  2. Educational: public or private educational facilities, pre-school to university level
  3. Medical/healthcare: a medical covered entity (CE) or business associate (BA), as defined by HIPAA, including healthcare facilities and healthcare organizations
  4. Government/Military: any city, county, state, national or military entity, or a department within one of these entities
  5. Banking/Credit/Financial: banks, credit unions, credit card companies, mortgage and loan brokers, and financial service companies

Additionally, seven data loss methods classify the type of breach:

  1. Insider Theft: theft of data by someone with privileged access, such as an employee or contractor
  2. Hacking/Skimming/Phishing: exploiting weaknesses in a computer system or network; copying information from identity devices such as credit and debit cards; and defrauding an account holder of information by posing as a legitimate company, product, or service offering
  3. Data on the Move: unauthorized access to information while the data is in transit
  4. Subcontractor/Third Party/BA: unauthorized access to information held by vendors or obtained through a contract arrangement
  5. Employee Error/Negligence/Improper Disposal/Lost: unintentional loss of data, such as an employee who leaves a laptop in a car that is later stolen
  6. Accidental Web/Internet Exposure: inadvertent posting of information to the Internet, such as internal information exposed on a public web site
  7. Physical Theft: physical removal of property from a location for unauthorized purposes

Changes in payloads and breach causes

The SANS Institute published a report that highlighted results from an incident response survey. The intent of the survey was to identify changes in the underlying causes of breaches between 2015 and 2016. The summary below provides insight into the shifting threat profile over the last year.

  1. Unauthorized access (8.7 percent increase)
  2. Malware infections (7.3 percent increase)
  3. Data breach (4.9 percent increase)
  4. Advanced persistent threat or multistage attack (2.4 percent increase)
  5. Other (3.7 percent increase)
  6. Insider breach (3 percent decrease)
  7. DDoS diversion attack (4.3 percent decrease)
  8. DDoS as the main attack (5.9 percent decrease)
  9. Destructive attack, aimed at damaging systems (0.9 percent decrease)

To prevent attacks, organizations should start with an understanding of attackers' tactics, techniques, and procedures (TTPs). The survey shows major changes in the underlying causes of breaches for 2016. First, 70 percent of respondents reported malware infections. Second, 51 percent reported having been affected by unauthorized access. Third, 43 percent experienced a significant increase in data breach attempts. Fourth, 36 percent cited advanced persistent threats (APTs) or multistage attacks as a growing threat. Fifth, 25 percent found the root cause of incidents to originate from inside the organization.

Understanding the types of threats is critical for prevention. However, let's explore which of these threats resulted in data being removed from the organization's walls, a primary CIO concern.

Commonly exfiltrated data types

Across industries, organizations reported an increased frequency of attacks with escalating severity. The changing threat profile also shifted the pattern of data exfiltration.

  1. Employee information (7.1 percent increase)
  2. PCI data (payment card numbers, CVV2 codes, track data) (6.6 percent increase)
  3. Intellectual property (source code, manufacturing plans, etc.) (4.9 percent increase)
  4. Other (1.7 percent increase)
  5. Proprietary customer information (0.7 percent increase)
  6. Other regulated data (SOC, non-PHI personally identifiable information, etc.) (0.5 percent increase)
  7. PHI data (health information) (0.6 percent decrease)
  8. Legal data (2.5 percent decrease)
  9. Individual consumer customer information (3.7 percent decrease)

Employee information was the most common type of data stolen from environments, reported by 48.3 percent of those surveyed. The next most targeted data was individual consumer customer information, followed by intellectual property and proprietary customer information. Attackers are going after employee data.

The Verizon Data Breach Investigations Report (DBIR) indicates that time is not on your side as a CIO. The DBIR uses VERIS (the Vocabulary for Event Recording and Incident Sharing) as a common language to describe security incidents in a structured and repeatable manner. Its results on how much time CIOs have to respond are disheartening.

Incident response teams do not have weeks or months to respond: less than one percent of breaches took weeks or months to compromise and exfiltrate data. Strikingly, 68 percent were compromised in days, 3 percent in hours, 21 percent in minutes, and 8 percent in seconds. The time to compromise is almost always days, if not minutes.

Recommendations

It's not possible to address every vulnerability. Accept that you can't solve everything and focus on mitigation, which is often just as useful as remediation. What will 2017 have in store? If history is an indicator, threats will increase in frequency and in severity per attack. Prepare by taking these steps.

  1. Have a plan B: if your organization is unable to patch or remediate a vulnerability, apply other risk mitigations in the form of configuration changes or isolation.
  2. Filter well: defend against threats before humans are involved. Email filtering, for example, is a great ally in the fight against cyber criminals. Segment the network and implement strong authentication so that compromised devices can be isolated quickly.
  3. Limit privileged access: in healthcare, 32 percent of data breaches involved privilege misuse. Use expiring credential checkout procedures for administrative access, so that privileged credentials are issued for a bounded time and revoked automatically.
  4. Screen partners: 97 percent of breaches featuring stolen credentials leveraged legitimate partner access. Isolate and segment your partners' access to internal networks.
  5. Know your data: if you don't know where your data resides, you can't protect it. Identify the most sensitive data sets and place additional controls around them.
  6. Educate employees: in the DBIR, an asset was lost over 100 times more frequently than it was stolen. Common sense goes a long way towards prevention.
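Recommendation 3 asks for expiring credential checkout. The Python below is an added example, not the article's or any vendor's code, showing the shape of such a control: a hypothetical CredentialVault issues a short-lived checkout token for a privileged account, clamps the requested lifetime to a policy ceiling, refuses use once the checkout has expired, and rotates the underlying secret whenever a checkout ends. The account name, the one-hour ceiling, the ticket requirement and the sample timestamps are assumptions made for the example.

```python
"""Added example: time-limited checkout of administrative credentials.

Hypothetical vault, not the article's or any vendor's code. Privileged
account secrets are never handed to people directly; a requester gets a
short-lived checkout token tied to a ticket, and the vault rotates the
underlying secret whenever a checkout ends.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Checkout:
    user: str
    account: str
    token: str
    ticket: str
    expires_at: datetime


class CredentialVault:
    def __init__(self, max_ttl=timedelta(hours=1)):
        self.max_ttl = max_ttl        # assumed policy ceiling for any checkout
        self._secrets = {}            # account -> current secret
        self._checkouts = {}          # token -> Checkout
        self.audit = []               # append-only log of every decision

    def register_account(self, account):
        self._secrets[account] = secrets.token_urlsafe(24)

    def checkout(self, user, account, ticket, ttl, now):
        """Issue a checkout token; the requested ttl is clamped to max_ttl."""
        if account not in self._secrets:
            raise KeyError(f"unknown privileged account {account}")
        if not ticket:
            raise PermissionError("checkout requires a change or incident ticket")
        ttl = min(ttl, self.max_ttl)
        token = secrets.token_urlsafe(16)
        self._checkouts[token] = Checkout(user, account, token, ticket, now + ttl)
        self.audit.append(("checkout", user, account, ticket, now))
        return token

    def expires_at(self, token):
        return self._checkouts[token].expires_at

    def use(self, token, now):
        """Return the account secret only while the checkout is still live."""
        co = self._checkouts.get(token)
        if co is None:
            self.audit.append(("denied", "unknown-token", now))
            return None
        if now >= co.expires_at:
            self._revoke(co, now, "expired")     # late use triggers revocation
            return None
        self.audit.append(("use", co.user, co.account, now))
        return self._secrets[co.account]

    def release(self, token, now):
        co = self._checkouts.get(token)
        if co is not None:
            self._revoke(co, now, "released")

    def sweep(self, now):
        """Scheduled job: revoke every checkout past its expiry, used or not."""
        for co in list(self._checkouts.values()):
            if now >= co.expires_at:
                self._revoke(co, now, "expired")

    def _revoke(self, co, now, reason):
        del self._checkouts[co.token]
        self._secrets[co.account] = secrets.token_urlsafe(24)   # rotate
        self.audit.append(("revoke", co.user, co.account, reason, now))


def demo():
    """One checkout lifecycle with constructed inputs; returns what was observed."""
    vault = CredentialVault(max_ttl=timedelta(hours=1))
    vault.register_account("hospital-db-admin")          # assumed account name
    t0 = datetime(2017, 1, 9, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

    try:
        vault.checkout("alice", "hospital-db-admin", "", timedelta(minutes=30), t0)
        ticket_required = False
    except PermissionError:
        ticket_required = True

    token = vault.checkout("alice", "hospital-db-admin", "CHG-1234", timedelta(hours=8), t0)
    expires = vault.expires_at(token)                     # 8 h request, 1 h granted
    first = vault.use(token, t0 + timedelta(minutes=10))
    within = vault.use(token, t0 + timedelta(minutes=59))
    late = vault.use(token, t0 + timedelta(hours=1, minutes=1))

    token2 = vault.checkout("alice", "hospital-db-admin", "CHG-1235",
                            timedelta(minutes=15), t0 + timedelta(hours=2))
    second = vault.use(token2, t0 + timedelta(hours=2, minutes=1))

    return {
        "ticket_required": ticket_required,
        "ttl_clamped": expires == t0 + timedelta(hours=1),
        "secret_while_live": first is not None and first == within,
        "denied_after_expiry": late is None,
        "rotated_after_expiry": second is not None and second != first,
        "revocations_logged": sum(1 for e in vault.audit if e[0] == "revoke"),
    }


if __name__ == "__main__":
    for name, observed in demo().items():
        print(f"{name}: {observed}")
```

The point of rotating on every revocation is that a credential copied out of the vault during a checkout stops working the moment the checkout ends, so a stolen administrative password has a lifetime bounded by policy rather than by the next scheduled password change.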

Security prevention and detection are complex, and it's difficult to determine where to focus your limited business and technology resources. CIOs must focus incident response teams on two key metrics:

  1. Mean time from compromise or infection to incident detection (also known as dwell time)
  2. Mean time from detection to remediation (mean time to repair), measured against a specific security target

Evaluate the time your team takes between incident detection and remediation; this is the gold standard. "Forewarned is forearmed."
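The DBIR timeline figures above and the two metrics just listed come from the same raw material: per-incident timestamps for compromise, exfiltration, discovery and containment, which is how a VERIS incident timeline is recorded. The Python below is an added example, not the DBIR's or the article's code, that computes dwell time, mean time to remediate and a DBIR-style seconds-to-months bucketing of time to exfiltration over a handful of constructed incident records, then checks the two means against a target. The records, field names and thresholds are assumptions made for the example.

```python
"""Added example: dwell time and time-to-remediate from incident timelines.

The incident records below are constructed for this example and loosely
follow the VERIS timeline fields (compromise, exfiltration, discovery,
containment). They are not real incidents and not DBIR data.
"""
from datetime import datetime
from statistics import mean, median

INCIDENTS = [
    {"id": "INC-001", "timeline": {
        "compromise":   "2016-03-01T08:00:00",
        "exfiltration": "2016-03-01T08:00:09",   # seconds after compromise
        "discovery":    "2016-03-18T10:00:00",
        "containment":  "2016-03-19T16:00:00"}},
    {"id": "INC-002", "timeline": {
        "compromise":   "2016-05-10T12:00:00",
        "exfiltration": "2016-05-10T12:25:00",   # minutes
        "discovery":    "2016-05-12T09:00:00",
        "containment":  "2016-05-12T11:30:00"}},
    {"id": "INC-003", "timeline": {
        "compromise":   "2016-07-04T00:00:00",
        "exfiltration": "2016-07-06T00:00:00",   # days
        "discovery":    "2016-09-01T00:00:00",
        "containment":  "2016-09-08T00:00:00"}},
    {"id": "INC-004", "timeline": {
        "compromise":   "2016-11-01T09:00:00",
        "exfiltration": None,                    # caught before data left
        "discovery":    "2016-11-01T14:00:00",
        "containment":  "2016-11-01T15:00:00"}},
]

# DBIR-style unit scale: (label, exclusive upper bound in seconds)
BUCKETS = [
    ("seconds", 60),
    ("minutes", 3600),
    ("hours", 86400),
    ("days", 7 * 86400),
    ("weeks", 30 * 86400),
    ("months", float("inf")),
]


def parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def bucket_seconds(secs):
    """Map a duration in seconds onto the seconds/minutes/.../months scale."""
    for label, bound in BUCKETS:
        if secs < bound:
            return label
    return "months"


def dwell_time(inc):
    """Compromise to discovery: the first CIO metric."""
    t = inc["timeline"]
    return parse(t["discovery"]) - parse(t["compromise"])


def time_to_remediate(inc):
    """Discovery to containment: the second CIO metric."""
    t = inc["timeline"]
    return parse(t["containment"]) - parse(t["discovery"])


def summarize(incidents):
    dwell = [dwell_time(i).total_seconds() for i in incidents]
    ttr = [time_to_remediate(i).total_seconds() for i in incidents]
    exfil = {}
    prevented = 0
    for inc in incidents:
        t = inc["timeline"]
        if not t.get("exfiltration"):
            prevented += 1          # detected and contained before exfiltration
            continue
        secs = (parse(t["exfiltration"]) - parse(t["compromise"])).total_seconds()
        label = bucket_seconds(secs)
        exfil[label] = exfil.get(label, 0) + 1
    return {
        "mean_dwell_days": mean(dwell) / 86400,
        "median_dwell_days": median(dwell) / 86400,   # robust to one long-running intrusion
        "mean_ttr_hours": mean(ttr) / 3600,
        "exfil_buckets": exfil,
        "exfil_prevented": prevented,
    }


def meets_target(summary, max_dwell_days, max_ttr_hours):
    """Both means must be inside the agreed security target (assumed thresholds)."""
    return (summary["mean_dwell_days"] <= max_dwell_days
            and summary["mean_ttr_hours"] <= max_ttr_hours)


if __name__ == "__main__":
    s = summarize(INCIDENTS)
    for key, value in s.items():
        print(f"{key}: {value}")
    print("within 30-day dwell / 72-hour repair target:", meets_target(s, 30, 72))
```

Reporting the median alongside the mean matters in practice: one long-running intrusion (INC-003 above) drags the mean dwell time well past the median, and a target expressed only as a mean can be missed or met on the strength of a single incident.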

Peter is a technology executive with over 20 years of experience, dedicated to driving innovation, digital transformation, leadership, and data in business. He helps organizations connect strategy to execution to maximize company performance. He has been recognized for Digital Innovation by CIO 100, MIT Sloan, Computerworld, and the Project Management Institute. As Managing Director at OROCA Innovations, Peter leads the CXO advisory services practice, driving digital strategies. Peter was honored as an MIT Sloan CIO Leadership Award Finalist in 2015 and is a regular contributor to CIO.com on innovation. Peter has led businesses through complex changes, including the adoption of data-first approaches for portfolio management, lean six sigma for operational excellence, departmental transformations, process improvements, maximizing team performance, designing new IT operating models, digitizing platforms, leading large-scale mission-critical technology deployments, product management, agile methodologies, and building high-performance teams. As Chief Information Officer, Peter was responsible for Connecticut’s Health Insurance Exchange’s (HIX) industry-leading digital platform transforming consumerism and retail-oriented services for the health insurance industry. Peter championed the Connecticut marketplace digital implementation with a transformational cloud-based SaaS platform and mobile application recognized as a 2014 PMI Project of the Year Award finalist, CIO 100, and awards for best digital services, API, and platform. He also received a lifetime achievement award for leadership and digital transformation, honored as a 2016 Computerworld Premier 100 IT Leader. Peter is the author of Learning Intelligence: Expand Thinking. Absorb Alternative. Unlock Possibilities (2017), which Marshall Goldsmith, author of the New York Times No. 1 bestseller Triggers, calls "a must-read for any leader wanting to compete in the innovation-powered landscape of today." 
Peter also authored The Power of Blockchain for Healthcare: How Blockchain Will Ignite The Future of Healthcare (2017), the first book to explore the vast opportunities for blockchain to transform the patient experience. Peter has a B.S. in C.I.S from Bentley University and an MBA from Quinnipiac University, where he graduated Summa Cum Laude. He earned his PMP® in 2001 and is a certified Six Sigma Master Black Belt, Masters in Business Relationship Management (MBRM) and Certified Scrum Master. As a Commercial Rated Aviation Pilot and Master Scuba Diver, Peter understands first hand, how to anticipate change and lead boldly.