A key component of any risk analysis and risk management program is understanding who the threats to your organization’s data are — both outside actors and insiders. Often, when we are working with administrators or practice managers who don’t have a security background, we hear one of two misunderstandings regarding the threats to their practice or organization. Either we hear “The Russians/North Koreans/NSA/Mafia are going to get us all” or “I’m too unimportant for the Russians/North Koreans/NSA/Mafia to bother with.” Both responses lead to resignation and inaction.
The truth is very different from those (admittedly caricatured) extremes. Yes, a variety of state actors and major criminal groups are doing lots of nasty things on the internet, many of which could affect any of us. But, spoiler alert, we are the biggest threat to our protected health information (PHI). That’s right: despite all of the criminal actors out there, most of the data breaches in healthcare and related organizations are actually caused by employees.
Insider Threats
“Security is all about people, and people are often the weakest element.”
Martin Holste, FireEye Chief Technology Officer for Cloud[1]
Insiders are responsible for over a quarter of recent data breaches across all industries.[2] In healthcare, insiders cause over half of the data breaches, making it the only industry in which this is the case. Of these insider threats, the largest percentage comes from non-malicious insider error, including misdelivery of both paper and electronic PHI, disposal errors, loss, publishing errors, and database misconfigurations.[3]
Malicious insider incidents, though less common than errors, should be an equally significant concern within organizations. Motives behind these incidents range from inappropriate curiosity to financial gain, grudges, or espionage. “Regardless of the motivation of the actor, over 80% of incidents are comprised of people simply utilizing established logical (privilege abuse 66%) or physical (possession abuse 17%) access to sensitive data in an unauthorized manner.”[4] These results emphasize the importance of core principles such as physical asset management controls, minimum-use access privileges, and regular internal auditing.
Cyber Criminals
Cyber criminals outside of organizations account for almost three quarters of recent breaches. These criminals fall roughly into three broad categories, though the lines between them have blurred in recent years. Organized cyber-crime groups represent the largest category, responsible for around half of all recent breaches.[5] These groups carry out a wide variety of primarily financially motivated attacks, including large-scale email malware/ransomware attacks and sophisticated financial heists.[6]
Nation states and state-sponsored hackers have also risen to prominence in recent years. Nation states, primarily Russia and North Korea, are responsible for a growing number of attacks and breaches, around 12% as of recent reports. Motivations include espionage, political disruption, and financial gain. Recent high-profile attacks include:
- The compromise of Hillary Clinton campaign manager John Podesta’s email during the 2016 U.S. Presidential Campaign. (Russia)
- The WannaCry ransomware that affected over 300,000 computers in 150 countries in May 2017. (North Korea)
- The June 2017 NotPetya data destroyer disguised as ransomware which primarily targeted Ukraine’s infrastructure but also spread globally and caused over $1.2 billion in damages.[7] (Russia)
- The cyberattack on the 2018 Winter Olympics opening ceremonies. (Russia)
The third category of criminal threats is opportunistic hackers. These individuals or smaller-scale groups execute attacks for a wide variety of reasons from malicious enjoyment to “hacktivism” to financial gain.
Identify your organization’s threats and steps to protect your information through a Security Risk Analysis.
References:
[1] FireEye, Looking Ahead: Cyber Security in 2018.
[2] Verizon, 2018 Data Breach Investigations Report.
[3] Verizon, 2018 Protected Health Information Data Breach Investigations Report.
[4] Verizon, 2018 Protected Health Information Data Breach Investigations Report.
[5] Verizon, 2018 Data Breach Investigations Report.
[6] Symantec, Internet Security Threat Report, Vol. 22, April 2017.
[7] The Washington Free Beacon, “White House: Russia’s Cyber Attack on Ukraine Most ‘Destructive and Costly’ in History,” 2/15/2018. https://freebeacon.com/national-security/white-house-russias-attack-ukraine-destructive-costly-cyber-attack-history/.