Healthcare Cybersecurity

Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability

Ivanti has disclosed another maximum-severity vulnerability in its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35082, has a maximum CVSS v3.1 severity score of 10, and affects MobileIron Core 11.2 and older versions. The vulnerability is described as a remote unauthenticated API access issue that can be exploited remotely by unauthorized users to access restricted resources without authentication, potentially allowing the theft of users’ personally identifiable information and limited changes to be made to the server. Ivanti said it does not believe the flaw has been exploited in the wild.

Since MobileIron 11.2 reached end-of-support on March 15, 2022, a patch will not be released to fix the flaw. The only way of remediating the vulnerability is to upgrade to the latest version of Ivanti EPMM. Ivanti confirmed that the latest vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM.

The vulnerability was identified by Stephen Fewer, a Rapid7 security researcher, and is linked to the recently disclosed maximum-severity zero-day vulnerability – CVE-2023-35078 – that was exploited in an attack on the Norwegian government and other entities. The CVE-2023-35078 vulnerability is an authentication bypass issue that can be chained with another vulnerability, CVE-2023-35081, to gain administrative privileges on compromised systems. Ivanti released a patch for CVE-2023-35078 on July 23, 2023, and a patch for CVE-2023-35081 was released on July 28, 2023.

On August 1, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that advanced persistent threat actors have been chaining the CVE-2023-35078 and CVE-2023-35081 vulnerabilities to gain privileged access to EPMM systems and have been deploying web shells on compromised systems. The flaws have been exploited from at least April 2023 through to July 2023 in a cyber espionage campaign that saw the networks of several Norwegian government entities compromised. CISA and the Norwegian National Cyber Security Centre (NCSC-NO) expressed concern that the vulnerabilities could be exploited in widespread attacks on government and private sector networks. Indicators of compromise (IOCs) and the threat actor’s tactics, techniques, and procedures (TTPs) have been shared by CISA, and users of vulnerable EPMM versions have been advised to update to the latest version as soon as possible.

The post Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability appeared first on HIPAA Journal.

Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability

Ivanti has disclosed another maximum-severity vulnerability in its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35082, has a maximum CVSS v3.1 severity score of 10, and affects MobileIron Core 11.2 and older versions. The vulnerability is described as a remote unauthenticated API access issue that can be exploited remotely by unauthorized users to access restricted resources without authentication, potentially allowing the theft of users’ personally identifiable information and limited changes to be made to the server. Ivanti said it does not believe the flaw has been exploited in the wild.

Since MobileIron 11.2 reached end-of-support on March 15, 2022, a patch will not be released to fix the flaw. The only way of remediating the vulnerability is to upgrade to the latest version of Ivanti EPMM. Ivanti confirmed that the latest vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM.

The vulnerability was identified by Stephen Fewer, a Rapid7 security researcher, and is linked to the recently disclosed maximum-severity zero-day vulnerability – CVE-2023-35078 – that was exploited in an attack on the Norwegian government and other entities. The CVE-2023-35078 vulnerability is an authentication bypass issue that can be chained with another vulnerability, CVE-2023-35081, to gain administrative privileges on compromised systems. Ivanti released a patch for CVE-2023-35078 on July 23, 2023, and a patch for CVE-2023-35081 was released on July 28, 2023.

On August 1, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that advanced persistent threat actors have been chaining the CVE-2023-35078 and CVE-2023-35081 vulnerabilities to gain privileged access to EPMM systems and have been deploying web shells on compromised systems. The flaws have been exploited from at least April 2023 through to July 2023 in a cyber espionage campaign that saw the networks of several Norwegian government entities compromised. CISA and the Norwegian National Cyber Security Centre (NCSC-NO) expressed concern that the vulnerabilities could be exploited in widespread attacks on government and private sector networks. Indicators of compromise (IOCs) and the threat actor’s tactics, techniques, and procedures (TTPs) have been shared by CISA, and users of vulnerable EPMM versions have been advised to update to the latest version as soon as possible.

The post Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability appeared first on HIPAA Journal.

Biden Administration Announces National Cyber Workforce and Education Strategy

The Biden Administration has unveiled its National Cyber Workforce and Education Strategy (NCWES) which seeks to address the current cyber workforce shortages and prepare the country for a cyber future. The NCWES was developed by the Office of the National Cyber Director in collaboration with 34 agencies, departments, and EOP components and lays out a comprehensive approach for addressing immediate and long-term cyber workforce needs while ensuring all Americans have the cybersecurity skills they need to participate in the digital ecosystem. The aim of the strategy is to empower all Americans looking to participate in the digital ecosystem, including communities that are currently underrepresented in the cyber workforce, and to promote and develop pathways for well-paying and fulfilling cyber careers. Under the strategy, the Biden Administration and its partners will leverage adaptable ecosystems to effect change at scale, enable the lifelong development of cyber skills, and grow and enhance the cyber workforce through diversity and inclusion.

“The plan is the product of over a year of work, including a National Cyber Workforce and Education Summit at the White House in July 2022,” said Camille Stewart Gloster, deputy national cyber director of technology. “The strategy is truly reflective of that collective effort and is the first step to securing and unleashing the next generation of American innovation.”

At present, there are an estimated 400,000 unfilled cybersecurity jobs in the United States and the lack of cyber skills is affecting the ability of the government and the private sector to build defenses resilient to increasingly numerous and sophisticated cyberattacks. No one actor is able to achieve the necessary changes at scale so all stakeholders – educators, industry, government, and more – must execute on all of the objectives detailed in the NCWES for it to be a success.

The NCWES is based on four pillars:

  1. To equip all Americans with foundational cyber skills to enable everyone to attain the full benefits of our interconnected society.
  2. To transform cyber education to address immediate cyber workforce needs and prepare to meet the future needs of a dynamic, technological environment.
  3. To expand and enhance the National Cyber Workforce by adopting a skills-based approach to recruitment and development and by improving access to cyber jobs for all Americans, including underserved and underrepresented groups.
  4. To strengthen the Federal Cyber Workforce by communicating the benefits of careers in public service to job seekers and current employees, improving career pathways, and lowering the barriers to hiring and onboarding.

The strategy calls for a shift in responsibility for defending cyberspace from individuals and small businesses to the most capable actors, and that requires cybersecurity to be built into education and workforce development programs relevant to sustaining the digital environment. It is also necessary to have incentives across both the public and private sectors that favor long-term investment in security.

While there is an immediate need for highly skilled individuals, it is necessary to build from the ground up. All Americans should have foundational skills that allow them to efficiently and confidently use computers and the Internet to ensure that they are qualified to pursue well-paid, fulfilling cyber jobs. Currently, one-third of U.S. workers lack digital skills, yet 92% of jobs across all industries require digital skills. Demand is currently outstripping supply and the skills shortage must be addressed to ensure U.S. economic competitiveness in the global economy.

The strategy sets out an approach for enabling the lifelong development of cyber skills, starting with foundational cyber skills such as digital literacy, computational literacy, and digital resilience, to ensure that all Americans have the skills to work efficiently, effectively, safely, and securely. To address the cyber workforce shortfall, it is necessary to draw on the full diversity of the American talent pool, and that requires improvements in diversity, equity, inclusion, and accessibility in cybersecurity. One of the easiest ways to achieve rapid gains is to attract people of all ages into cybersecurity, especially people from underrepresented communities such as women, veterans, military spouses, people of color, first-generation professionals, individuals with disabilities, LGBTQI+ individuals, Tribal nations, and members of rural communities. Many cyber jobs do not require a four-year degree, instead, there are alternatives that allow individuals to obtain the necessary digital skills that will allow them to join the cyber workforce.

Many stakeholders, including educators, industry, and government, have demonstrated their commitment to the strategy. For example, the National Science Foundation (NSF) has committed to investing more than $24 million in CyberCorps Scholarships for Service (SFS) awards over the next four years to support the development of a robust and resilient cybersecurity workforce. The National Security Agency (NSA) National Center of Academic Excellence in Cybersecurity will release four grants to support a pilot initiative to develop four new Cyber Clinics at colleges and universities in Nevada, Minnesota,  Louisiana, and Virginia. The Office of the National Cyber Director (ONCD) has committed to greater diversity among its internship applicants to increase recruitment and outreach to underrepresented communities, and the National Institute of Standards and Technology (NIST) will award up to $3,600,000 for Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development projects.

The post Biden Administration Announces National Cyber Workforce and Education Strategy appeared first on HIPAA Journal.

CISA Releases Guidance on Preventing Web Application Access Control Abuse

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have issued a joint cybersecurity advisory warning about insecure direct object reference (IDOR) vulnerabilities in web applications and web application programming interfaces (APIs).

Threat actors actively seek IDOR vulnerabilities as they are common and can be abused at scale using automation tools to gain access to the sensitive information of millions of consumers. IDOR vulnerabilities are access control vulnerabilities that can be exploited by issuing requests to a website or web API specifying the user identifier of other, valid users. These attacks are usually made possible due to insufficient authentication and authorization checks.

For example, an application or API may require an identifier such as an ID number, name, or key to directly access an object such as a database record; however, an attacker may have a valid ID number, name, or key. In addition to an identifier, an application or API should also check the authentication or authorization of the user submitting the request.

There are different types of IDOR vulnerabilities. Horizontal IDOR vulnerabilities allow a user to access data that they should not be able to access at the same privilege level, such as another user’s data. Vertical IDOR vulnerabilities are when a user can access data that should be restricted to users with higher privilege levels. Object-level IDOR vulnerabilities are where a user can modify or delete an object they should not be able to, and function-level IDOR vulnerabilities are where a user can access a function or perform an action they should not be able to. These vulnerabilities typically exist because an object identifier is exposed, passed externally, or can easily be guessed.

IDOR vulnerabilities are difficult to identify outside of the development process and cannot be mitigated with a single function. It is therefore vital for vendors, developers, and web designers to build adequate authentication and authorization checks for any request that modifies, deletes, or accesses data, implement secure-by-design principles, and follow cybersecurity best practices.

CISA, NSA, and ACSC have shared mitigations for vendors, designers, developers, and implementors of web applications to reduce the prevalence of IDOR vulnerabilities. In addition to implementing secure-by-design principles and best practices at all stages of the software development life cycle, secure coding practices should be followed, such as ensuring that identifiers are not exposed in URLs and configuring applications to deny access by default and performing authentication and authorization checks for every request to modify, delete, or access sensitive data. The agencies also recommend CAPTCHA for limiting automated invalid user requests and code reviews to check for backdoors, malicious content, and logic flaws, and to verify compliance with security requirements.

CISA, NSA, and ACSC have also detailed cybersecurity best practices for end-user organizations for improving their cybersecurity posture and recommend developing an incident response and communication plan that can be implemented immediately in the event of a cyber incident or data breach.

The post CISA Releases Guidance on Preventing Web Application Access Control Abuse appeared first on HIPAA Journal.

Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare

The Health 3rd Party Trust Initiative (Health3PT) has published the findings of a recent survey of HIPAA-covered entities and their business associates that explored the current state of third-party cyber risk management in healthcare and identified some of the key challenges faced by HIPAA-regulated entities.

Supply chain vendors and service providers introduce risks that need to be identified, managed, and reduced to a low and acceptable level; however, the methods used to manage third-party risks are often burdensome and inadequate. According to the survey, which was conducted on 59 HIPAA-covered entities and 128 business associates, significant resources and money are committed to managing third-party risk but 68% of covered entities and 79% of business associates say third-party risk management (TPRM) processes are inefficient and 60% of HIPAA-covered entities and 72% of business associates think TPRM is not effective at preventing data breaches.

55% of healthcare organizations have experienced a data breach in the past year through a third party, and 90% of the most significant healthcare data breaches in 2022 occurred at business associates of HIPAA-covered entities. The average cost of those data breaches was more than $10 million per incident. According to Health3PT, there are significant blind spots in organizations’ third-party information security management programs. These are caused by organizations and vendors handling assessments differently and, in many cases, relying on manual processes.

Many organizations lack the necessary resources to follow up on vendor risk management efforts, and while vendors provide assurances that information security controls have been implemented, they do not consistently demonstrate that appropriate controls are in place. One of the main problems is covered entities and business associates relying on outdated TPRM approaches which result in inconsistent and unclear risk management outcomes. TPRM processes at many healthcare organizations have not changed for decades and were not particularly effective even when they were introduced as they were adopted from other verticals and never properly matched the needs of healthcare organizations. These processes have also failed to maintain pace with advances in technology, such as the use of the cloud.

The biggest challenge for covered entities is keeping pace with the volume of security assessments. Due to the number of vendors used by healthcare organizations, vendor audit fatigue often sets in. Healthcare organizations are receiving a high volume of security questionnaires from vendors but they do not have the necessary IT resources to deal with the questionnaires they receive, which means third-party vendors are not properly evaluated and risks fail to be properly addressed. Other key challenges were getting vendors to address deficiencies, the turnaround time for assessments, obtaining transparent assurances from vendors to satisfy requests the first time around, and keeping up with changing threats and risks associated with vendors.

The biggest challenges for business associates were customers’ willingness to accept a validated assessment in lieu of questionnaires, handling the variability of questionnaires and audits, and the time allowed to provide quality responses and evidence to requesting customers. Covered entities and business associates both admitted to feeling overwhelmed with TPRM processes and felt current processes are effective at preventing data breaches. Covered entities and business associates both expressed a desire to improve TPRM efficiency through improved collaboration, standardization, and automation.

Third parties pose major risks to healthcare organizations and there is considerable potential for those risks to compromise privacy and patient safety. Some of the main shortcomings with TPRM are the lack of an overarching methodology for risk-tiering vendors, overreliance on verbose contract terms, inconsistent questionnaires and validation of the information collected, limited follow-ups on the resolution of identified security gaps, and limited organization-wide insight into vendor security risk.

To help address these shortcomings, Health3PT has shared best practices in its Recommended Practices & Implementation Guide which helps covered entities and business associates improve TPRM efficiency and effectiveness. “Establishing and adopting these more effective and efficient TPRM processes will transition TPRM in healthcare from a superficial check-the-box exercise that exposes organizations to unnecessary risks to more robust, collaborative information protection programs that ultimately will benefit all participants across the healthcare community,” explained Health 3PT.

The post Health3PT Shares Best Practices for Improving Third Party Risk Management in Healthcare appeared first on HIPAA Journal.

Patches Released to Fix Actively Exploited Flaw in Ivanti Endpoint Mobile Manager

Ivanti has released patches to fix a maximum-severity zero-day vulnerability in its Endpoint Mobile Manager (EPMM) mobile device management solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35078 and is an authentication bypass vulnerability with a CVSS score of 10. Successful exploitation of the vulnerability will allow an unauthorized user to access restricted functionality or resources of the application, gain access to sensitive user data, and potentially make limited changes to the server.

Ivanti said the vulnerability affects all supported versions of its EPMM solution (11.10, 11.9, and 11.8) as well as older versions, although the patches have only been released for supported versions. Evidence has been found that indicates the vulnerability has already been exploited in attacks, although the extent to which the vulnerability is being exploited is unclear. The Norwegian government is believed to be one of the victims. Hackers allegedly exploited the flaw to compromise 12 government ministries in the country.

According to security researcher Kevin Beaumont, the flaw is very easy to exploit, and given the severity of the flaw and known active exploitation, immediate patching is strongly recommended. Beaumont recommended that anyone still using an unsupported version that has reached end-of-life should switch off the appliance until an upgrade to a supported version is possible. The updated EPMM versions with the patch applied are EPMM 11.8.11, 11.9.11, and 11.10.02. More than 2,000 MobileIron user portals are exposed to the Internet and are potentially able to be exploited, most of which are located in the United States.

The post Patches Released to Fix Actively Exploited Flaw in Ivanti Endpoint Mobile Manager appeared first on HIPAA Journal.

June 2023 Saw Massive Spike in Ransomware Activity

A recent analysis of ransomware activity by NCC Group’s Global Threat Intelligence team shows a major spike in cyberattacks by ransomware groups in June, with attacks occurring at 221% the level of June 2022 with 434 recorded attacks in the month.

NCC Group tracks ransomware attacks and data theft/extortion attempts by ransomware groups and reports that the massive increase was mostly driven by the Clop ransomware group’s mass exploitation of a zero-day vulnerability – CVE-2023-34362 – in Progress Software’s MOVEit Transfer file transfer solution. The ransomware remediation firm Coveware estimates the Clop group generated between $75 million and $100 million in profit from those attacks, which directly impacted more than 1,000 companies and indirectly affected a great deal more.

According to NCC Group, the Clop group was responsible for 21% of all recorded attacks in June, with attacks continuing to be conducted in high numbers by LockBit 3.0 affiliates, which accounted for 14% of attacks, although this was a reduction from the 21% of attacks the previous month. Several new ransomware groups have emerged that started to conduct attacks at relatively low levels in May, but one of those groups – 8base – has rapidly increased activity and conducted at least 40 attacks in June – 9% of the month’s total. Two other new groups – Rhysida and Darkrace – conducted 26 attacks in June (6%). The most targeted sectors in June were industrials (33%), consumer cyclicals (12%), and technology (9%), with North America the most targeted region with 51% of the attacks.

While attacks have increased significantly, the percentage of victims that are choosing to pay the ransom has fallen considerably. Coveware reports that ransom payments have fallen to a record low, with just 34% of victims paying ransoms in Q2, 2023, down from more than 75% in Q1, 2019. With ransom payments continuing to decline, cybercriminal groups have been forced to increase their ransom demands. In Q2, 2023, the average ransom payment increased by 126% from Q1, 2023, to $740,000 and the median payment increased by 20% to $190,424. Coveware says the attacks by the Clop group have driven the increase. While relatively few companies chose to pay the ransom to recover the data stolen in the MOVEit attacks, those that did pay paid very high ransom payments.

Coveware attributes the record low to the compounding effects of companies continuing to invest in security, continuity assets, and incident response training, but warns that the fall in revenue is forcing ransomware gangs to evolve their attack and extortion tactics, such as the switch from encryption to pure extortion by the Clop group. While this attack method is quicker and quieter, without the disruption caused by encryption, the percentage of victims paying the ransom is much lower; however, these attacks may prove to be more profitable for ransomware gangs. Encryption attacks require more time and resources, with teams of individuals involved in the different stages of the attacks and those individuals need to be paid, which decreases the profit.

Coveware’s report separates extortion and encryption attacks. Its data indicates BlackCat and Black Basta are the dominant encryption groups, each accounting for 15.5% of attacks in Q2. Royal accounted for 10.1% of attacks, followed by LockBit 3.0 (6.2%), Akira (5.4%), and Silent Ransom and Cactus each with a 3.1% share. Coveware reports that sophisticated affiliates of ransomware groups that have previously been using ransomware variants such as Dharma and Phobos are increasingly conducting attacks using 8base, hence the increase in attacks. In Q2, 2023, phishing was the most common initial access vector followed by RDP compromise and software vulnerabilities. Professional Services was the most targeted sector (15.5%) followed by healthcare (14%), materials (11.6%), and the public sector (10.1%).

The post June 2023 Saw Massive Spike in Ransomware Activity appeared first on HIPAA Journal.

HC3 Stresses the Importance of Robust Identity and Access Management

The Health Sector Cybersecurity Coordination Center (HC3) has highlighted the importance of implementing a robust Identity and Access Management (IAM) program. Identity and access management has become more complex due to an increase in remote working, which was accelerated due to the COVID-19 pandemic and the pressure on organizations to move high-risk transactions online. While the COVID-19 public health emergency has officially been declared over, many organizations have continued to support remote working, with 48% of employees continuing to spend at least some of the week working remotely and 62% of employees believing their employers will support remote working in the future.

While there are benefits from remote working and moving transactions online, doing so considerably increases the attack surface and provides malicious actors with more opportunities to attack an organization. Threat actors actively seek exploitable vulnerabilities in access protocols, software solutions, and organizations’ mitigation capabilities to hide their malicious activities. According to the 2023 Cost of a Data Breach Report from IBM Security, stolen and compromised credentials are the second most common initial access vector. Data breaches that stem from stolen and compromised credentials take longer than any other breach cause to identify and contain, giving threat actors ample time to conduct a range of malicious actions undetected.

Healthcare organizations need to ensure that they have a comprehensive IAM program covering employees, vendors, and customers that allow all parties to build mutual trust when performing transactions in person and remotely, yet it can be challenging to balance robust authentication to establish the real identity of a user without negatively impacting the user experience. Consequently, IAM programs must be well thought-out and IAM policies comprehensively implemented. The policies must cover remote access and vendor, employee, and customer onboarding to ensure that identity is properly identified and users are authenticated before being granted access to systems and services. Once access has been granted, individuals should not be automatically trusted. Identity should be repeatedly reaffirmed to ensure that an individual is the true owner of their previously determined identity.

Malicious insiders pose a considerable risk and controls need to be implemented to deal with the threat. Data breaches caused by malicious insiders are the costliest type of breach, according to IBM Security, and these breaches often result in considerable harm. Criminals make contact with healthcare employees and convince them to misuse their access to internal systems to steal sensitive data or conduct destructive attacks, such as abusing their access rights to install ransomware.

Mitigating insider threats can be a challenge for healthcare organizations. It requires collaboration between leaders and administrators involved with all stages of hiring and employment processes and the creation of a multi-disciplinary team that collaborates along all business lines to prevent and mitigate insider threats, combining monitoring, surveilling, investigating, escalating, and incident response and remediation.

Processes should include rigorous identity verification and background checks pre-employment and analysis of behavior during employment to identify any changes compared to an established baseline, ideally involving automated monitoring that can flag any anomalous behavior rapidly. Policies should also be implemented covering post-employment, to ensure that all equipment is recovered and access rights and accounts are immediately terminated

“By implementing and designing an IAM security framework and technologies which tie your governance and subsequent policy rules into a centrally managed identity and access system, the ability of your organization to prevent and detect insider threats will be greatly enhanced,” explained HC3 in its recent analyst note.

The post HC3 Stresses the Importance of Robust Identity and Access Management appeared first on HIPAA Journal.

IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million

The 2023 IBM Security Cost of a Data Breach Report shows the average data breach cost has increased to $4.45 million ($165 per record), with data breaches in the United States being the costliest at an average of $9.48 million, up 0.4% from last year. Data breaches are the costliest that they have ever been and have increased by 15% since 2020. The data for this year’s report was collected by the Ponemon Institute and included breach data from 553 organizations in 16 countries with interviews conducted with thousands of individuals. All data breaches studied for the report occurred between March 2022 and March 2023.

For the 13th year in a row, healthcare data breaches were found to be the costliest, with the average cost increasing to $10.93 million, which is a 53.3% increase over the past 3 years and an 8.22% increase from the $10.10 average breach cost in 2022. Small organizations with fewer than 500 employees saw average data breach costs increase by 13.35% year-over-year to $3.31 million. There was a 21.4% increase in costs for mid-sized organizations (501-1,000 employees) to an average of $4.06 million, a 20% rise in costs for large organizations (1,001-5,000 employees) to $4.87 million, but a 1.8% decrease in costs for very large organizations (10,001–25,000 employees), which fell to an average of $5.46 million. The time to identify and contain a breach remained the same as in 2022 with the decrease in detection time cancelled out by an increase in containment time. In 2023, the average detection (204 days) and containment (73 days) time was 277 days.

The most common causes of data breaches were phishing attacks and compromised credentials, with phishing the initial access vector in 16% of data breaches and compromised credentials the vector in 15% of breaches. The average cost of a phishing attack was $4.76 million and an attack caused by stolen or compromised credentials cost an average of $4.62 million. The costliest breaches were caused by malicious insiders, with those incidents costing an average of $4.90 million per breach, although these breaches were relatively rare, accounting for 6% of the total. Breaches stemming from stolen or compromised credentials took the longest to identify and contain, taking 328 days compared to the average of 277 days.

Only one-third (33%) of data breaches were detected by the breached entity, with a benign third party such as law enforcement or a security researcher notifying the victim about the breach in 40% of cases, and the attacker notifying the breached entity about the attack in 27% of cases. Breaches where the attacker informed the victim cost around $1 million more than breaches that were detected by the victim ($5.23 million vs. $4.3 million). Data breaches that were disclosed by an attacker also had a much longer lifecycle (detection to containment), taking 320 days – 79 days longer than breaches that were identified by the victim.

Data breaches often occur in multiple locations such as on-premises as well as public and private clouds. IBM Security found attackers were able to breach multiple environments undetected, and when multiple environments were breached the costs soared. Multi-environment breaches cost an average of $750,000 more than data breaches in single environments and took 15 days longer to contain. Malicious attacks often rendered systems inoperable with destructive attacks accounting for 25% of all malicious attacks and ransomware accounting for 24% of attacks. Destructive attacks cost an average of $5.24 million and ransomware attacks cost an average of $5.13 million. 47% of ransomware victims chose to pay the ransom.

IBM Security was able to dispel a common myth – that involving law enforcement involvement in ransomware attacks increases the complexity and recovery time, when the reverse was found to be true. Ransomware attacks with law enforcement involvement took an average of 33 days less to contain than when law enforcement was not involved, and law enforcement involvement also shaved an average of $470,000 off the breach cost. Despite speeding up recovery and significantly reducing breach costs, 37% of ransomware victims did not seek help from law enforcement to contain a breach.

Law enforcement recommends not paying the ransom as there is no guarantee of a faster recovery and payment of a ransom encourages further attacks. IBM Security found that paying the ransom only resulted in minimal savings – a cost difference of $110,000 or $2.2%, although that does not include the ransom amount. Taking the ransom payment into consideration, many organizations ended up paying more than they would likely have spent had they chosen not to pay the ransom.

The biggest cost mitigators were the adoption of a DecSecOps approach (integrating security in the software development cycle), which saved almost $250,000 on average, employee training (-$233,000), incident response planning and testing (-$232,000), and AI and machine learning insights (-$225,000). AI and automation shaved an average of 108 days from identification and containment and attack surface management (ASM) solutions shaved an average of 83 days off of the response time. The biggest cost amplifiers were security systems complexity (+$241,000), security skills shortages (+$239,000), and non-compliance with regulations (+$219,000).

The report revealed 95% of organizations had suffered more than one breach and the costs of these breaches were passed onto consumers by 57% of organizations, with only 51% of organizations increasing security investments following a data breach.

The post IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million appeared first on HIPAA Journal.