Channel: HealthITSecurity.com » Hacking

Verizon 2014 Data Breach Investigations Report: Healthcare impact


Verizon released the findings of its “2014 Data Breach Investigations Report,” which reviewed and analyzed 10 years of data breach information and identified specific threat patterns.

Verizon used that data over the 10-year period to identify nine cross-industry patterns: miscellaneous errors such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial of service attacks; cyber espionage; point-of-sale intrusions; and payment card skimmers. Specific to healthcare, there were 26 security incidents (6 small organizations, 1 large, and 19 unknown).

Tony Maupin, Director of Verizon Security Sales Engineering and Cloud Services, said there’s been a shift in what hackers are going after.

“Year after year, they’ve been going after the dollar sign, such as the credit card or the bank. But we’ve seen that dramatically change in that the focus is now more on information. The healthcare industry has a lot of information and we’ve seen a lot more attacks against the industry.”

The report broke down the frequency of incident classification patterns per victim industry. In healthcare, the three most common patterns were physical theft and loss, insider misuse, and miscellaneous error.

Theft/Loss (46 percent)

These incidents, according to the report, “are among the most common causes of data loss/exposure reported by organizations. This is especially apparent in industries like Healthcare, where the disclosure of all incidents that potentially expose sensitive data is mandatory. And if there’s anything we know to be true about human nature, it’s that losing things and stealing things seem to be inherent predispositions.”

Interestingly, Verizon discovered that assets are stolen from corporate offices more often than from personal vehicles or residences. Further, though personal and medical information is commonly exposed, most losses/thefts are reported because of mandatory disclosure regulations rather than because of fraud. Maupin said Verizon has added security incidents to the report, along with data breaches that organizations have experienced, because “it’s a part of the holistic picture.”

Insider Misuse (15 percent)

This is a common theme in healthcare, as HealthITSecurity.com just recently reported on how internal actors are affected in healthcare, with results from the Insider Threat Manifesto.

Miscellaneous Error (12 percent)

Verizon defined these incidents as “unintentional actions directly compromised a security attribute of an information asset.” And, according to Verizon, the data seems to suggest that highly repetitive and mundane business processes involving sensitive info are particularly error prone.

These were the remaining incident classification patterns:

- Point of Sale (POS) Intrusion (9 percent)

- Web App Attack (3 percent)

- Crimeware (3 percent)

- Denial of Service (2 percent)

The highest-priority critical security controls in healthcare, derived from frequency of incident patterns within each industry, included backups, skilled staff and data loss prevention.

