Human element the weakest link in healthcare security, says Verizon report
Stolen credentials, privilege misuse and miscellaneous errors were the three biggest causes for health data breaches in 2015, according to the 9th annual Verizon Data Breach Investigations Report released Tuesday.
The majority of threats come from outside of organizations rather than with internal actors.
Furthermore, there's an increasing trend of external culprits taking advantage of employees' missteps online.
"There's a pronounced trend of a combination of social engineering, like phishing that is followed by hacking actions," said Suzanne Widup, senior analyst on the Verizon RISK team. "Hackers are beginning to impersonate executives to get the data they want, for financial fraud and other kinds of information."
"We find the human element is really the weakest link," she added. "You can train people, but there are still employees that will click on the suspicious link.It's concerning to see that it's now become so mainstream."
According to the report, 30 percent of phishing messages were opened by the target and 12 percent of those targets actually clicked on the malicious link.
And while encryption can help protect against these types of attacks, Widup said. There's a strong hesitation to do so, as it slows down workflow.
Verizon studied more than 100,000 security incidents that occurred in 2015 across all industries to confirm data had been breached. However, lost data is prevalent in healthcare, which means it can't be verified as breached. Those incidents were not included on the report, said Widup, but it remains a serious problem in healthcare.
About 89 percent of breaches in 2015 had a financial or espionage motive, and out of the 166 healthcare breaches, 115 had confirmed data loss, the report said. Nearly one-third (32 percent) of these breaches were caused by stolen assets, while 23 percent were initiated by privilege misuse.
Another issue plaguing healthcare security is the reuse of credentials, which speaks to the need for authentication on the machine, according to Widup.
The impact is huge: With credit card theft, there is only one affected account. But with healthcare, there is a full-length write-up, and criminals can do more with the data, she said. Criminals get paid more for healthcare data, which leads to more of them targeting the healthcare industry.
"We see the prices on the payment for credit card data going down," Widup said. "And it looks as if payment for healthcare data is increasing over time."
"As for the motive – it's of course financial," she added. "Last year, the motive looked more like espionage. But this year, we're seeing a downturn in espionage and an upturn in financial motivations."