The HIPAA Journal is reporting that in March of 2021, we saw a 38.8% increase in reported healthcare data breaches from the previous month. Hacking incidents are the dominant breach method. And apparently the higher number of breaches is due to an increase in data breaches at business associates. Here’s the breach breakdown of hacking/IT incidents:
- 76% involved compromised network servers
- 24% involved breaches of email accounts
- 60% of breaches involved business associates
The number of breached records also rose 135.89% with 2,913,084 healthcare records exposed across 62 incidents. That’s a lot of breached healthcare records. Do you think your healthcare data is safe?
The Verizon 2021 Data Breach Investigations Report
The Verizon 2021 Data Breach Investigations Report just came out. Most everyone in the cybersecurity industry knows about this report since it’s an annual event. How did the healthcare industry fare this year? Well, not great. In the healthcare industry, Verizon analyzed 472 data breaches. Here are the key takeaways:
- 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks
- 61% of incidents were the work of external threat actors while 39% were internal data breaches
- Medical data was breached in 55% of data breaches, whereas personal data was breached in 66% of incidents
- 32% of breached involved the theft of credentials
So now do you think your healthcare data is safe?
Compromised Accounts are Behind these Statistics
The story line for these cyberattacks are similar. An external threat actor uses extremely sophisticated technical means to break these seemingly impenetrable systems. Yes, there could have been purpose-written malware that was used in the reconnaissance phase of the kill chain that evaded technical controls at the perimeter. But far more likely is the fact that criminals used a compromised identity to gain access past perimeter defenses. First, to discover the valuable data. Second, to install malware. Then to external servers, and finally, to send the data out encrypted to the thieves.
Not Necessarily a Cybersecurity Breach Activity
The problem is that stealing a logon credential is not necessarily a cybersecurity breach activity. It can be a phone call, or a borrowed password from a new “friend” who can be a contractor. It can also be an insider who has plans to gain access and exfiltrate data. That is what makes these breaches of compromised accounts so difficult – human factors.
To deal with human factors as a risk variable, cybersecurity practitioners are wrapping User and Entity Behavior Analytics (UEBA) around identities. Meta data from these identities can be cross-correlated to other defense-in-depth security data sets to provide a 360° context of who was doing what, when, and where. So, even if you do have users that hit a drive-by download or a watering hole attack via email using a spear phishing campaign, their identity will be tracked. This is to see anomalous or unusual behavior that is exhibited and unknown even to them. You can start to predict bad behavior (even if unintentional) to prevent data loss. This is better than a call from your friendly FBI agent, or former third party supplier of business, about their data being lost from your IP address ranges.
No matter how sophisticated an attack is from an outsider, a compromised identity is likely invoked to do the real damage. UEBA can provide the insight and predictive analysis to get ahead of these breaches before the real damage is done. Then healthcare organizations can be confident that your healthcare data is truly safe.
How UEBA Detects and Prevents Account Compromise
External attacks can be identified and stopped without significant loss of sensitive data. Gurucul UEBA would have triggered on the following events which are typical stages of a cyberattack:
- An outbound connection to an IP infrastructure not previously seen before, and which most likely was connected without using a DNS query
- Large amounts of software uploaded from an asset when compared with its prior history or peer groups
- Lateral movement of account credentials to other assets on the network which most likely wouldn’t have seen before
- Access to databases and executing queries aggressively across schema to find where the sensitive data is in storage
It is never too late to deploy the right technology to safeguard your future assets and prevent account compromise. But it is always better to do it before your identity is compromised. Hear directly from our customer, Allina Health, to understand how Gurucul UEBA helps them protect their healthcare data!