Australia’s reported data breaches increased by 19%, according to the Office of the Australian Information Commissioner (OAIC). Over the last reporting period, 537 organisations notified breaches. The causes were human error (32%), malicious or criminal attacks (64%) and system faults (4%).
Of note, the health sector is once again the highest reporting sector, notifying 22% of all breaches, which is 118 organisations. Further, most data breaches affected organisations with fewer than 100 individuals.
Of the ‘Malicious or criminal attack’ category, 74% of breaches involved compromised credentials. These are known as identity attacks because they use a compromised identity to gain unauthorised access. By implementing Multi-Factor Authentication (MFA) across all users, an organisation can significantly reduce its exposure to identity-based attacks.
Ransomware and malware made up another 16% of ‘Malicious or criminal attack’ breaches. These can be prevented by implementing suitable endpoint and email threat protection solutions.
Australian organisations are now subject to Notifiable Data Breach laws, which are intended to drive better security standards for protecting personal information. Companies that fail to disclose breaches may be subject to large fines, and that liability can also extend personally to company directors.
Of the ‘Human Error’ category, 42% of breaches occurred via email. An example of this might be sending sensitive data to the wrong recipient. Companies can prevent this kind of breach by implementing a system that scans outbound email. If the system determines that the email contains sensitive information, it can immediately block the mail delivery or alert a team member.
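As an added illustration (not code from the original article or from Exigence), here is a minimal outbound-email check of the kind described above. It assumes two constructed detectors for personal information common in Australian health records, Medicare numbers and Tax File Numbers validated with their published checksums, one constructed internal domain, and a constructed block/alert/allow policy.

```python
import re

# Constructed policy for this example: mail that stays inside these domains is
# internal; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"example-health.com.au"}


def medicare_check_digit_ok(digits: str) -> bool:
    """10-digit Medicare number: digits 1-8 weighted 1,3,7,9,1,3,7,9, sum mod 10
    must equal digit 9 (digit 10 is the card issue number, not checked)."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], (1, 3, 7, 9, 1, 3, 7, 9)))
    return total % 10 == int(digits[8])


def tfn_check_ok(digits: str) -> bool:
    """9-digit Tax File Number: weighted sum (1,4,3,7,5,8,6,9,10) divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, (1, 4, 3, 7, 5, 8, 6, 9, 10))) % 11 == 0


# Loose regexes find candidates; the checksum validators reject look-alikes
# such as phone numbers or invoice references.
DETECTORS = {
    "medicare_number": (re.compile(r"\b\d{4}[ -]?\d{5}[ -]?\d\b"), medicare_check_digit_ok),
    "tax_file_number": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_check_ok),
}


def find_sensitive(text: str) -> list:
    """Sorted, de-duplicated labels of validated identifiers present in text."""
    hits = set()
    for label, (pattern, validator) in DETECTORS.items():
        for match in pattern.finditer(text):
            if validator(re.sub(r"\D", "", match.group())):
                hits.add(label)
    return sorted(hits)


def evaluate_outbound(recipients: list, body: str) -> dict:
    """Gateway decision for one outbound message. Constructed policy: sensitive data
    to any external recipient -> block; sensitive data staying internal -> alert a
    team member so it can be reviewed; nothing sensitive -> allow."""
    external = [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    findings = find_sensitive(body)
    action = "block" if findings and external else "alert" if findings else "allow"
    return {"action": action, "findings": findings, "external": external}
```

A production gateway would add attachment parsing and more detectors, but the shape stays the same: candidate match, validation to cut false positives, then a policy decision keyed on who the recipients are.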
Protecting your organisation against system fault breaches relies on a combination of luck and due diligence. According to the OAIC, these types of breaches involve ‘disclosure of personal information on a website due to a bug in the web code, or a machine fault that results in a document containing personal information being sent to the wrong person.’
To defend against system faults, we recommend storing your sensitive data with reputable vendors only and choosing an IT partner who will regularly monitor and maintain your systems. Many SMEs simply procure licences such as Microsoft Office 365 licences with the underlying assumption that their data is secure. To be effective in the modern threat landscape, these systems must be configured and monitored, with policies applied and adhered to.
To paraphrase Mark Twain, 'reports of ransomware’s death have been greatly exaggerated'. Ransomware attacks resumed with a vengeance last year, despite conjecture by some researchers that CPU mining would overtake ransomware as a leading threat vector. Instead, the ransomware threat is stronger than ever, impacting more than 750 healthcare providers in the USA alone and racking up recovery costs approaching $4 billion. Some healthcare firms managed to overcome their paralysis while others never fully recovered.
Increasingly, threat actors are double-crossing ransomware victims by encrypting and exfiltrating their data. In December, Canadian firm LifeLabs paid a ransom to recover personally identifiable information for up to 15 million patients. Ransomware attacks also threatened quality of care by forcing providers to suspend treatments until their systems and data were restored, with potentially fatal consequences for patients.
Healthcare organisations make attractive targets because of their huge stores of easily monetised patient and medical data, their limited security resources, and their sometimes lax approach to cyber defence. More than half of the healthcare providers surveyed by Cisco Security, for example, are still running critical applications on Windows 7 systems, leaving them vulnerable to the same exploits that fuelled the WannaCry pandemic. Healthcare providers have also historically invested less in their security controls than other industries. On average, health systems devote only four to seven percent of their IT budgets to cybersecurity, whereas most other industries typically invest around 15%.
The ransomware risks for healthcare firms can only get worse. Cybercriminals are continually refining their tactics, techniques and procedures to make their attacks more efficient and profitable. Recently, BlackBerry Cylance's threat research team profiled Zeppelin, the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. It is optimised to attack a handful of carefully chosen tech and healthcare firms globally. Zeppelin is wily and sophisticated, utilising obfuscation and environment-awareness techniques, among others, to successfully evade signature-based endpoint defences.
Biotech, healthcare and life-science organisations must recognise that well-organised and technically proficient threat actor groups can all too easily exploit glaring holes in their security fabric. To protect themselves, their R&D and the patients they serve, providers must move swiftly to replace reactive signature-based tools with proactive endpoint security solutions like CylancePROTECT that utilise artificial intelligence (AI) to stop Zeppelin and similar ransomware from compromising their data.
Biotech, healthcare and life-science organisations must also take other meaningful steps to modernise their security infrastructure and policies. All networked systems should be rigorously tested to identify and eliminate vulnerabilities that could otherwise be exploited by adversaries. A proactive Managed Security Services relationship should be forged with incident response consultants to ensure that ransomware breaches are quickly contained and prevented from recurring. This includes a proactive managed detection and response (MDR) capability.
Finally, healthcare organisations must recognise that a passive approach towards cybersecurity is no longer viable. A more comprehensive and nuanced approach to cyber risk management will be needed if they hope to survive and continue delivering quality care. Exigence stands ready to help, offering the cybersecurity solutions and consulting services healthcare organisations need to transition seamlessly from a reactive to a prevention-first security posture.
For many, the popular misconception is that getting compromised is not a matter of if, but when. You do have the power to put measures in place today to prevent attacks, now and into the future. Moreover, you can carry out specific steps to implement silent, secure, and sustainable prevention. By doing so, you proactively safeguard against threats before they occur and when needed, you can also detect and mitigate existing vulnerabilities and breaches.
Some immediate steps you can take to prevent data breaches:
The COVID-19 crisis will eventually subside. As biotech, life-science and healthcare organisations navigate these difficult times, they must understand that remote working has dissolved the traditional data protection perimeter, so data now has to be protected at every touch point, everywhere. Managed cybersecurity is no longer a luxury but a core business requirement.