A review of the Identity Theft Resource Center’s annual reports about data breaches for the years 2012 to 2016 shows that the frequency of breach events and the volume of records exposed increased by 50 percent in that five-year span.
In healthcare, the frequency of breach events increased by 54 percent and the number of records affected increased by 85 percent.
When we evaluate the frequency of healthcare breaches across all industries, breaches had increased only 4 percent. Yet, the percentage of records exposed increased by 69 percent. Attacks are becoming more targeted and more significant.
Overall, we can make a few observations from the frequency and volume of healthcare data breaches over the past five years:
- 50 percent increase in frequency of data breaches across industries.
- 50 percent increase in severity per breach.
- 54 percent increase in frequency of medical and healthcare breaches.
- 69 percent increase in medical and healthcare records exposed.
Observations tell us that the frequency of occurrences has increased and the impact, or severity, of each occurrence has magnified. Additional steps are required to protect data and informational assets.
The Identity Theft Resource Center (ITRC) recently published its annual data breach report covering 2016. The report concentrates on breaches. How do we define a breach?
A breach is an exposure where either electronic or paper data is accessed by unauthorized actors. The ITRC publishes two reports weekly: the ITRC Breach Stats Report, which is a summary of information by category, and the ITRC Breach Report, an ongoing list of data exposure events with totals running throughout the year. Together these reports provide a complete profile of data breaches by sector for the year. The “ITRC Breach Stats Report” (summary) and the “ITRC Breach Report” (detail) present data breaches across the following five business categories or economic sectors:
- Business: Hospitality, transportation, utilities.
- Educational: Public or private educational institutions, from preschool to the university level.
- Medical/healthcare: Medical covered entities (CE) or business associates (BA), as defined by HIPAA, including healthcare facilities and healthcare organizations.
- Government/military: Any city, county, state, national or military entity, or any department within one of those entities.
- Banking/credit/financial: Banks, credit unions, credit card companies, mortgage and loan brokers and financial services companies.
Additionally, the ITRC tracks the following seven types of data breaches:
- Insider theft: The theft of data by someone with privileged access to an organization’s systems, such as an employee or a contractor.
- Hacking/skimming/phishing: The theft of data by someone who exploits weaknesses in a computer system or network, copies information from identity devices such as credit and debit cards, or defrauds an account holder by posing as a legitimate company or provider of a product or service.
- Data on the move: Theft via unauthorized access to information while data is in transit.
- Subcontractor/third party/BA: Theft by a vendor or other third party who gains unauthorized access to information through a contract arrangement.
- Employee error/negligence/improper disposal/loss: Unintentional loss of data via the loss or theft of an employee’s laptop, for example.
- Accidental web or internet exposure: Loss of data via an inadvertent internet or web posting, such as an internal report that is somehow exposed publicly on the internet.
- Physical theft: Data theft via unauthorized removal of property from a location.
Changes in payloads and breach causes
The SANS Institute published a report that highlights results from an incident response survey. The intent of the survey was to identify changes in the underlying causes of breaches between 2015 and 2016. This summary of the findings, showing year-over-year increases and decreases in various types of breaches, provides insight into the shifting threat profile:
- Unauthorized access: 8.7 percent increase
- Malware infections: 7.3 percent increase
- Data breaches: 4.9 percent increase
- Advanced persistent threat or multistage attack: 2.4 percent increase
- Unauthorized access: 8.7 percent increase
- Other: 3.7 percent increase
- Insider breach: 3.0 percent decrease
- DDoS diversion attack: 4.3 percent decrease
- DDoS as the main attack: 5.9 percent decrease
- Destructive attack (aimed at damaging systems): 0.9 percent decrease
To prevent attacks, organizations should start with an understanding of attacker’s tactics, techniques and procedures (TTP). There were major changes in underlying causes of breaches in 2016. First, 70 percent of the respondents to the SANS survey said breaches they experienced involved malware infections. Second, 51 percent reported having been affected by unauthorized access. Third, 43 percent of those polled said they experienced a significant increase in data breach attempts. Fourth, 36 percent mentioned advanced persistent threats (APT) or multistage attacks as a progressive threat. Fifth, 25 percent said they had found the root cause of incidents came from from inside the organization.
Understanding the types of threats is critical for prevention. However, let’s explore which of these threats resulted in data being removed from the organizational walls — a primary CIO concern.
Common targets of data exfiltration
Across industries, organizations reported an increased frequency of attacks with escalating severity. The changing threat profile also shifted the pattern of data exfiltration. Here’s a look at changes in the type of data lost from 2015 to 2016, according to the SANS survey:
- Employee information: 7.1 percent increase
- PCI data (payment card numbers, CVV2 codes, track data): 6.6 percent increase
- Intellectual property (source code, manufacturing plans, etc.): 4.9 percent increase
- Other: 1.7 percent increase
- Proprietary customer information: 0.7 percent increase
- Other regulated data (SOC, non-PHI personally identifiable information, etc.): 0.5 percent increase
- PHI data (health information): 0.6 percent decrease
- Legal data: 2.5 percent decrease
- Individual consumer customer information: 3.7 percent decrease
Employee information accounted for the most common type of data stolen, according to 48.3 percent of respondents to the SANS survey. The next most targeted data was individual consumer customer information, followed by intellectual property and proprietary customer information. Attackers are going after employee data.
Verizon’s 2016 Data Breach Investigations Report (DBIR) indicates that time is not on your side as a CIO. The DBIR uses Veris as a common language to describe security incidents in a structured and repeatable manner. The results on how much time CIOs have to respond were disheartening.
Incident response teams do not have weeks or months to respond: less than 1 percent of breaches compromised and exfiltrated data in months or weeks. Shockingly, 68 percent compromised data in days, 3 percent in hours, 21 percent in minutes, and 8 percent in seconds. The time-to-compromise is almost always, days if not minutes.
It’s not possible to address every vulnerability. Accept that you can’t solve everything, and focus on mitigation, which is often just as useful as remediation. What will 2017 have in store? If history is an indicator, threats will increase and the severity per attack will double. Prepare by taking these steps.
- Have a plan B: If your organization is unable to patch or remediate a threat, apply other risk mitigations in the form of configuration changes or isolation.
- Filter well: Defend against threats before humans are involved. Email filtering, for example, can be a great ally in the fight against cybercriminals. Segment the network by implementing strong authentication, which makes it possible to isolate compromised devices quickly.
- Limit privileged access: In healthcare, 32 percent of data breaches involved privilege misuse. Use expiring credentials for checkout procedures as an administrative control.
- Screen your partners: 97 percent of breaches involving stolen credentials took advantage of legitimate partner access. Isolate and segment your partners’ access to internal networks.
- Know your data: if you don’t know where your data resides, you can’t protect it. Identify the most sensitive data set and place additional controls in those regions.
- Educate your employees: In the DBIR report, loss of assets was more than 100 times more common than theft of assets. Common sense goes a long way toward prevention.
Security prevention and detection are complex. It’s difficult to determine where to focus your limited business and technology resources. CIOs must focus incident response teams on these two key metrics:
- Mean time from compromise or infection to incident detection (also known as dwell time).
- Mean time from detection to remediation, or the mean time to repair within a specific security target.
Evaluate the time your team takes between incident detection and remediation. This is the gold standard. Forewarned is forearmed.