What to learn from the Verizon Protected Health Information data breach report 2018
Verizon has released its latest data breach report specifically for protected health information (PHI) breaches. This post should be useful for healthcare organisations that handle PHI data, as it lets them learn from past mistakes.
The data comes from an analysis of over 1300 incidents. The report is a subset of the larger Verizon Data Breach Report released every year. I once analysed the 2013 report in this post.
The PHI data breach report (PHIDBR) looks at the healthcare industry and only considers incidents that are a breach of medical records. Here is a summary of the findings of the PHIDBR:
Insider threats finally make it out of hiding
Insider threats - something that all security professionals worry about - account for the highest number of incidents. More than half the incidents (57.5% to be precise) were due to insiders. In fact there is another category, 'collusion', where insiders might be involved too. If you take that into consideration, insider threats accounted for 62.6% of all PHI breaches. This is a staggering revelation. In the last Verizon Data Breach report that I analysed, insider threats did not even figure. This report gives insider threats their due!
Don't attribute to malice what you can attribute to stupidity.
It's not all malicious acts by insiders. The largest share of breaches is due to errors. Errors and misuse of information together account for 63% of the incidents. This is like Hanlon's razor - never attribute to malice what you can attribute merely to stupidity. In my consulting experience, I have seen misuse of data where well-meaning professionals mailed copies of data to themselves to work on it from home. To avoid this kind of incident - train your people. The more aware people are, the fewer breaches of PHI occur due to errors and misuse.
Hacking and malware account for only 25.6% of the threat actors. You might want to reconsider those advanced threat hunting tools that cost an arm and a leg. Train your people first, then take care of the hacking and malware! This is the clear message from the report.
Who will watch the watchers?
Where incidents of data breach were due to deliberate misuse, two in three were due to privilege abuse, meaning most people who deliberately misused the data had authorised access to it for valid reasons. Try finding a control for that! Training and strong punitive action are the best solutions.
No laptops in cars please. Again.
Physical theft of data stemmed largely from laptop theft. One in two laptop thefts occurred from the victim's car. A sad reminder to train people regularly. In incidents related to malware attacks, the largest share of the malware - more than 70% - is attributed to ransomware. Not a surprise considering the popularity of ransomware.
There are a few more interesting observations from the report. The Verizon report is a free download