Between 60-80% of data breaches aren’t publicized.
We recently signed an agreement with a large group purchasing organization (GPO) to offer services to healthcare companies across America—services like cybersecurity risk assessments, policies, procedures, vulnerability scans, penetration testing, and some ongoing managed detection response services. We pay close attention to threats (both internal and external) to best serve our clients and have found some alarming statistics:
Most data breaches aren’t publicized[i]
39% of healthcare organizations only became aware of a breach months afterward.[ii]
88% of healthcare workers in recent years open phishing emails.[iii]
Almost 100% of the attack vectors in 2020 were already known to cybersecurity professionals.
In prior posts, I have often referred to cybersecurity as a human endeavor because it is a human problem. There are a great many similarities between cybersecurity and the healthcare industry: both are inherently human-centric, and most of the core issues would be addressed by proper behaviors (e.g., personal ownership and attention to physical, mental, spiritual, and cyber hygiene). Most of the healthcare breaches were negligence breaches, meaning that they can be attributed to issues such as an individual improperly configuring a firewall or inadequately securing data. Negligence breaches happen, statistically, twice as often as malicious ones.[iv] What makes it worse is that almost 40% of healthcare organizations only became aware of a breach months after it happened. Not days or weeks, but months. As you might imagine, an inability to control the damage, stop the attacker, or notify your customers of the problem only makes matters worse.
Another staggering statistic: almost 90% of healthcare workers open phishing emails (we know that end-user training is very rarely effective). Now, we could dig into this and find that some of these numbers come from phishing tests, while others relate to actual phishing emails. Regardless, it continues to emphasize the point that cybersecurity is a human problem. Even with amazing technologies like Zero Trust Edge, which provides a zero-trust architecture to protect end-users from themselves, we still need to pay serious attention to the human element of cybersecurity—the people behind the technologies.
The cybersecurity issues facing healthcare providers appear to be getting worse (although some recent data shows that successful attacks are on the decline). Healthcare may be the most targeted industry and yet has underinvested in cybersecurity. Simple measures go a long way—like maintaining a proper asset inventory, reducing the attack surface, requiring multi-factor authentication for all web-facing assets, scanning for known vulnerabilities, properly protecting and segmenting the credentials used for data access, encrypting data, keeping air-gapped backups, and so on. But there should be more.
Considering that most attack vectors were already known to cybersecurity professionals, we know that training cybersecurity professionals will make a difference in the healthcare industry (and elsewhere). The reason we are so excited to partner with GPOs is that our mission is to develop cybersecurity professionals of character. All these engagements are aimed at giving students across the Carolina Cyber Network real-world experience under the coaching and mentorship of industry veterans, because we want to change these statistics. We want to equip professionals in a reproducible way so that someday soon, each one of these statistics will be completely outdated and irrelevant.
[i] Data extrapolated by "25+ Alarming Healthcare Data Breaches Statistics 2022" (techjury.net) from "Data Breaches", Privacy Rights Clearinghouse.
[iv] Benjamin Edwards, Steven Hofmeyr, Stephanie Forrest, Hype and heavy tails: A closer look at data breaches, Journal of Cybersecurity, Volume 2, Issue 1, December 2016, Pages 3–14, https://doi.org/10.1093/cybsec/tyw003