Web app attacks on rise in healthcare as insider challenges remain

Basic web application attacks, miscellaneous errors and system intrusions were behind 76% of healthcare data breaches in 2021, according to the annual Verizon Data Breach Investigations report. These leading threats were the same in last year’s report, but web apps now dominate the breach trends.

It’s the third year in a row where external threat actors outpaced insiders as the leading cause of healthcare security incidents and breaches following multiple, consecutive years where insiders were the leading breach cause, particularly misbehaving employees.

Although external threats now dominate, it doesn’t mean that healthcare has conquered its insider challenges. The researchers stressed that “errors are a significant problem” for healthcare.

“Make no mistake,” researchers wrote, “your employees are still causing breaches, but they are more than two and a half times more likely to make an error than to maliciously misuse their access.”

The DBIR team analyzed 23,896 security incidents, including 5,212 confirmed data breaches across all sectors. Among the analyzed incidents, healthcare accounted for 849 reported security incidents, 571 of which had confirmed data disclosures.

Of these incidents, 36 were tied to small entities and 14 to large organizations. The entity size for the remaining 799 incident was unknown. For breaches, 14 were tied to smaller providers, 10 to large entities, and the size of the remaining entities is unknown.

For healthcare, the rise in web app attacks is driving the rate of external threats. It’s a notable stat, as the rise in these attacks did not begin until 2019 and it has “clearly become a serious problem for everyone, not just this industry.”

“Healthcare has increasingly become a target of run-of-the-mill hacking attacks and the more impactful ransomware campaigns (both from the System Intrusion pattern, which came in third),” according to the report. “With the increase in ransomware, comes the associated increase of the discovery method of actor disclosure.”

Further, the report showed 61% of data breaches were caused by external threat actors, compared with 39% of internal actors. The majority of data breaches were driven by financial motives (95%), with espionage trailing far behind with 4% of breach incidents.

Attacks driven by convenience or grudges each accounted for 1% of the total breaches across the sector. The report showed 58% of these incidents led to the compromise of personal data, with medical data compromised in 46% of breaches and 29% led to credential theft. It’s the second year in a row that personal data was compromised more than health information.

The report also examined privilege misuse across all sectors, which found healthcare is the most common industry represented in this pattern. These incidents are overwhelmingly caused by insiders, where the primary goal is to use legitimate access to steal data. The report confirms most privilege misuse incidents lead to successful data breaches.

In these situations, the actor “looks to capitalize on their access” by finding customer, employee, and partner data. Given the prevalence of privilege misuse in healthcare, the researchers note that it’s no surprise medical data is taken in 22% of privilege misuse incidents.

“Healthcare has had an ongoing problem with internal actors accessing their data without a valid reason for a long time. … While it is no longer in the top tier of the patterns in healthcare, it should not be discounted as a solved problem,” according to the report.

Data mishandling is also tied to privilege misuse and is driven by “convenience,” or when an employee performs an unsafe action to get around a security control meant to prevent the exposure of data. These controls make it harder to complete their work. As such, “it’s important to pair these controls with education to at least let people know the ‘why’ behind the process.”

Organizations that repeatedly suffer these types of events should consider “offering a less laborious process that remains secure,” the researchers noted. The report also revealed that medical data is compromised in 43% of lost or stolen assets and 18% of all misconfiguration incidents.

The report confirms the recent Senate testimony from I am the Cavalry Founder Josh Corman that stressed the sector’s “dependence on connected technology was growing faster than our ability to secure it, in areas affecting public safety, human life and national security,” particularly as there are a host of free resources and entities focused on healthcare security challenges.