Healthcare Cybersecurity

NIST Updates Guidance on Developing Cyber Resilient Systems

The National Institute of Standards and Technology (NIST) has released a major update to its guidance on developing cyber-resilient systems.

A draft version of the updated guidance – NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach – has been released which includes updates to reflect the changing tactics, techniques, and procedures (TTPs) of cyber threat actors, who are now conducting more destructive attacks, including the use of ransomware.

Organizations used to be able to focus their resources on perimeter defenses and penetration resistance; however, these measures are no longer as effective as they once were at preventing attacks. A modern approach is now required which requires more resilience to be built into IT systems, which requires measures to be taken to limit the ability of an attacker to damage infrastructure and move laterally within networks.

“The document provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target,” explained NIST.

Hackers can gain access to internal networks even with sophisticated perimeter defenses in place, as recent cyberattacks on Colonial Pipeline, JBS Foods, and Kaseya have shown. The initial attack vector could be a phishing email, the exploitation of an unpatched software vulnerability, or even a supply chain attack. All these methods could be used to bypass traditional defenses and gain a foothold in the network. It is therefore critical for safeguards to be implemented to limit the harm that can be caused, which for many organizations will require improvements to their detection, response, and recovery capabilities.

The approach now advocated by NIST is more in line with zero trust, where it must be assumed that an attacker has already gained access to the network, applications, and systems. Organizations therefore need to build in resiliency into their IT systems to ensure that they will continue to function to a sufficient degree to continue to support mission critical business operations.

“What we want to achieve is a system that we call ‘cyber resilient’ or a system that is sufficiently resilient where it can continue to operate and support critical missions in business operations – even if it’s not in a perfect state or even in somewhat of a degraded state,” said NIST fellow Ron Ross.

The updates to the guidance cover three key areas:

  • Updated controls that support cyber resiliency, in line with the recommendations detailed in NIST Special Publication SP 800-53, Revision 5 – Security and Privacy Controls for Information Systems and Organizations.
  • The creation of a single threat taxonomy for organizations in line with MITRE’s Adversarial Tactics, Techniques, and Common Knowledge [ATT&CK] framework.
  • The addition of detailed mapping and analysis of cyber resiliency implementation which support NIST SP 800-53 controls and the MITRE ATT&CK framework techniques, mitigations, and candidate mitigations.

NIST’s cyber resiliency techniques were combined with the MITRE ATT&CK framework because of the high level of adoption of the MITRE ATT&CK framework, with the aim being to simplify the approach to building more resilient systems.

The guidance document was updated by NIST Fellow Ron Ross, NIST supervisory computer scientist Victoria Pillitteri, and Richard Graubart, Deborah Bodeau, and Rosalie McQuaid of MITRE.

NIST is seeking feedback on the draft version of the guidance document until September 20, 2021. The final version of the guidance is due to be published before year end.

The post NIST Updates Guidance on Developing Cyber Resilient Systems appeared first on HIPAA Journal.

Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms

A recent study published in the Journal of the American Medical Informatics Association (JAMIA) sought to identify the relationship between cybersecurity risk ratings and healthcare data breaches.

The study was conducted using data obtained from the Department of Health and Human Services between 2014-2019 and hospital cybersecurity ratings obtained from BitSight. The data sample included 3,528 hospital-year observations and Fortune 1000 firms were used as the benchmark against which hospital cybersecurity ratings were compared.

For many years, healthcare has lagged other industries when it comes to managing and reducing cybersecurity risk. The researchers found that in aggregate, hospitals had significantly lower cybersecurity ratings than the Fortune 1000 firms; however, the situation has been improving and, based on BitSight risk ratings, the healthcare industry has now caught up with Fortune 1000 firms. By 2019, the difference between the cybersecurity risk ratings of hospitals and Fortune 1000 firms was no longer statistically significant.

While the gap has virtually been closed between hospitals and Fortune 1000 firms, hospitals were found to be statistically more vulnerable than Fortune 1000 firms to certain types of cyberattack, notably botnets, malware and spam, where security still lagged other industry sectors.

Hospitals with low cybersecurity risk ratings were associated with a significant risk of suffering a data breach. Over the period of study, the probability of a data breach occurring at a hospital with a low cybersecurity rating was between 14% and 33%.

“Recent hacking and ransomware attacks may be shifting the security landscape for hospitals, with much larger potential hospital and patient consequences,” said researchers Sung Choi of the University of Central Florida and M. Eric Johnson of Vanderbilt University. “Ongoing risk assessment is needed to keep up with these threats and will likely require even further security investment.”

The researchers suggested hospital executives need to work to reduce risks related to their technical controls, should improve software and security applications, and tackle human vulnerabilities. Human vulnerabilities are often exploited by cyber threat actors in phishing and malware attacks. By enhancing employee security awareness training programs and conducting training more regularly, hospitals will be able to develop a security culture which will help to further reduce risk.

You can read the study in JAMIA 9DOI: 10.1093/jamia/ocab142).

The post Hospitals More Vulnerable to Botnets, Spam, and Malware than Fortune 1000 Firms appeared first on HIPAA Journal.

NCSC Password Recommendations

The UK’s NCSC password recommendations have been updated and a new strategy is being promoted that meets password strength requirements but improves usability. 

There are multiple schools of thought when it comes to the creation of passwords, but all are based on the premise that passwords need to be sufficiently complex to ensure they cannot be easily guessed, not only by humans, but also the algorithms used by hackers in their brute force attacks.

Each year lists of the worst passwords are published that are compiled from credentials exposed in data breaches. These worst password lists clearly demonstrate that some people are very poor at choosing passwords. Passwords such as “password,” “12345678,” and “qwertyuiop” all feature highly in the lists. Due to the risk of end users creating these weak passwords, many organizations now have minimum requirements for password complexity, but that does not always mean that strong passwords will be set.

The Problem with Password Complexity Requirements

The minimum requirements for password complexity are typically to have at least one lower- and upper-case letter, a number, and often a special character. Incorporating these elements makes passwords much harder to guess – in theory at least. In practice, individuals get around these requirements by setting passwords such as “Passw0rd!” or “Qwertyuiop1!” that meet complexity requirements but are still incredibly weak and extremely vulnerable to brute force attacks.

From a security perspective, all accounts should have a unique password which must never be used to protect multiple accounts. Passwords should ideally consist of random letters, numbers, and characters and be sufficiently long – 8 characters as an absolute minimum. The problem is that while these random complex passwords are strong and will be resistant to brute force attacks, they are also virtually impossible for most people to remember, especially considering the average person has around one hundred passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its latest password guidance (SP 800-63B), and recommends the use of passphrases rather than passwords, as the length of a passphrase of, say 16 characters, adds the required complexity while being human-friendly.

Now, the National Cyber Security Center (NSCS), part of the UK Government Communications Headquarters (GCHQ) has suggested a new approach for creating passwords that combines security with usability.

NCSC Password Recommendations are to Use Three Random Words

The solution proposed by NSCS is contrary to the arbitrary complexity password requirements that are often recommended. Complex passwords consisting of lower- and upper-case letters, numbers, and special characters are often far from complex may give a false sense of security. The reason is the character combinations selected by end users are usually far from random. There are tricks that many people use to make passwords easy to remember and meet password complexity requirements, and those tricks are known to hackers. For example, replacing a 1 with an exclamation mark, an E with a 3, a 5 with an S, or an O with a zero.

There are also combinations of letters and numbers that are more common than others, and those more common combinations are incorporated into hackers’ password guessing tools. “Counterintuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” explained NSCS in a recent blog post. “Security that’s not usable doesn’t work.”

The NCSC password recommendations add enough complexity while still making passwords easy to remember. They are to use three random words to make up a password. The use of three random words means passwords will be relatively long, sufficiently complex, but easy to remember.

The three random word approach to passwords works in several different ways:

  • Length – Passwords will generally be longer
  • Impact – The strategy is quick and easy to explain
  • Novelty – Encourages use of words not previously considered
  • Usability – It is easy to think of three words and remember them

“Traditional password advice telling us to remember multiple complex passwords is simply daft,” said NCSC’s technical director, Dr Ian Levy. “By following this advice, people will be much less vulnerable to cybercriminals and I’d encourage people to think about the passwords they use on their important accounts, and consider a password manager.”

The latter advice is important, as the strategy of using three random words does not work when unique passwords need to be created for 100 difficult online accounts. “Adopting three random words is not a panacea that solves the issue of remembering a lot of passwords in a single stroke, and we expect it to be used alongside secure storage,” said NCSC.

The aim of the latest NCSC password recommendations is not to solve the password problem completely, but simply to increase password diversity – that is, “reducing the number of passwords that are discoverable by cheap and efficient search algorithms, forcing an attacker to run multiple search algorithms (or use inefficient algorithms) to recover a useful number of passwords.”

The Best Password Strategy

The best password strategy based on the NCSC password recommendations is to create password of three random words, but also to use a password manager. A password manager allows users to generate truly random strings of numbers, letters, and characters that are incredibly complex, but importantly users never have to remember them. Those passwords are stored in encrypted form in a secure password vault and will be autofilled when a user needs them. There is never the need to remember them or type them in. These solutions are very secure, and many operate under the zero-knowledge model, where even the password manager developer does not have access to users’ password vaults.

All that is required is for a user to set a secure, master password for their password vault and set up 2-factor authentication. The strategy of using three random words would work well for the master password that provides access to user’ vault of truly random, long complex passwords.

Password manager solutions are usually low cost or even free. For example, Bitwarden provides a secure, open-source password manager solution under a free tier with the individual premium package only costing $10 per year, yet even with the low cost of these solutions, uptake is still low.

If businesses and individuals make the change and start using a password manager and implement the latest NCSC password recommendations, password security and usability will be substantially improved.

The post NCSC Password Recommendations appeared first on HIPAA Journal.

73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months

Ransomware attacks have increased significantly during the past year, but phishing attacks continue to cause problems for businesses, according to a recent survey conducted by Arlington Research on behalf of security firm Egress. Almost three quarters (73%) of surveyed businesses said they had experienced a phishing related data breach in the past 12 months.

The survey for the 2021 Insider Data Breach Report was conducted on 500 IT leaders and 3,000 employees in the United States and United Kingdom. The survey revealed 74% of organizations had experienced a data breach as a result of employees breaking the rules, something that has not been helped by the pandemic when many employees have been working remotely. More than half (53%) of IT leaders said remote work had increased risk, with 53% reporting an increase in phishing incidents in the past year.

The increased risk from remote working is of concern, especially as many organizations plan to continue to support remote working or adopt a hybrid working model in the future. 50% of IT leaders believe remote/hybrid working will make it harder to prevent data breaches from malicious email attacks. There appears to be a disconnect, as only 61% of employees believe they are less likely or equally likely to cause a data breach when working from home.

Phishing attacks are naturally bad for organizations but there is also a human cost. In 23% of organizations, employees who fell for a phishing email that resulted in a data breach were either fired or voluntarily left after the incident.

“Organizations are being bombarded by sophisticated phishing attacks. Hackers are crafting highly targeted campaigns that use clever social engineering tricks to gain access to organizations’ most sensitive data, as well as leapfrog into their supply chain. Phishing is also the most common entry point for ransomware, with potentially devastating consequences,” said Egress VP of Threat Intelligence Jack Chapman. “Remote working has also made employees even more vulnerable. With many organizations planning for a remote or hybrid future, phishing is a risk that must remain central to any security team’s plans for securing their workforce.”

The survey revealed an astonishing 94% of businesses had experienced an insider data breach in the past year. 84% of IT leaders said human error was the leading cause of insider breaches, although 28% said malicious insider breaches were their biggest fear.

89% of insider incidents had repercussions for the employees in question; however, an overwhelming majority (97%) of employees said they would report a breach they had caused, which is reassuring considering 55% of IT leaders said they rely on employees to alert them to security incidents.

The post 73% of Businesses Suffered a Data Breach Linked to a Phishing Attack in the Past 12 Months appeared first on HIPAA Journal.

Healthcare Industry has Highest Number of Reported Data Breaches in 2021

Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.

The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.

The post Healthcare Industry has Highest Number of Reported Data Breaches in 2021 appeared first on HIPAA Journal.

NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments

Kubernetes is a popular open-source cloud solution for deploying and managing containerized apps.  Recently there have been several security breaches where hackers have gained access to poorly secured Kubernetes environments to steal sensitive data, deploy cryptocurrency miners, and conduct denial-of-service attacks.

This month, security researchers discovered Kubernetes clusters were being targeted by cyber actors who were exploiting misconfigured permissions for the web-facing dashboard of Argo Workflows instances. In these attacks, the computing power of Kubernetes environments were harnessed for mining cryptocurrencies. In another attack, a vulnerability in the Kubernetes API Server was being exploited to steal sensitive data.

In light of these attacks, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a 52-page technical report that includes detailed guidance on how to correctly set up and manage Kubernetes environments to make it harder for the environments to be compromised by hackers.

The report includes details of the most common threats to Kubernetes environments, including supply chain attacks, malicious external cyber actors, and insider threats. Improving defenses against supply chain attacks can be a major challenge. These can arise in the container build cycle or infrastructure acquisition. Vulnerabilities and misconfigurations of the Kubernetes architecture such as the control plane, worker nodes, and containerized applications are often exploited, while insiders with high-level privileges can easily abuse their privileges to conduct a range of attacks.

There are multiple ways that hackers gain access to Kubernetes environments, and while it is not possible to eliminate risk entirely, by setting up Kubernetes correctly, avoiding common misconfigurations and implementing mitigations, security can be significantly strengthened. Implementing appropriate access controls and limiting privileges can greatly reduce the risk from insider threats.

The most common way for hackers to gain access to Kubernetes is by exploiting vulnerabilities and misconfigurations. It is therefore important for security teams to conduct scans of their Kubernetes containers and pods to identify vulnerabilities and misconfigurations and ensure they are corrected, or mitigations are implemented. Periodic reviews of Kubernetes settings and regular vulnerability scans should be performed.

The NSA and CISA also recommend running containers and pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. It is also important to keep on top of patching, updates, and upgrades to ensure the Kubernetes environment remains secure.

The guidance includes detailed recommendations on Kubernetes pod security, network separation and hardening, authentication and authorization, log auditing, and details best practices for application security.

The Kubernetes Hardening Guidance can be downloaded on this link (PDF).

The post NSA & CISA Issue Guidance on Hardening Security and Managing Kubernetes Environments appeared first on HIPAA Journal.

Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals

Nine critical vulnerabilities have been identified in the Nexus Control Panel of Swisslog Healthcare Translogic Pneumatic Tube System (PTS) stations, which are used in more than 80% of major hospitals in the United States. Pneumatic tube systems are used to rapidly send test samples and medications around hospitals and the vulnerable PTS stations are present in 3,000 hospitals worldwide, including 2,300 in the United States.

The vulnerabilities, collectively named ‘PwnedPiper’, were discovered by researchers at Armis Security. In total, 9 critical flaws were identified in the Nexus Control Panel and the firmware of all current models of Translogic PTS stations are affected.

The vulnerabilities identified by the researchers are common in Internet of Things (IoT) devices but are far more serious in pneumatic tube systems, which are part of hospitals’ critical infrastructure. The Armis researchers pointed out that these systems are prevalent in hospitals, yet they have never been thoroughly analyzed or researched.

The flaws could be exploited by a threat actor to cause denial of service, harvest sensitive data such RFID credentials of employees, and to perform reconnaissance to identify the functions or location of the stations and gain an understanding of the physical layout of the PTS network. The vulnerabilities could also be exploited in a ransomware attack.

The flaws include the use of hard-coded passwords, memory corruption vulnerabilities, privilege escalation flaws, unencrypted connections, unauthenticated firmware updates, and remote code execution vulnerabilities. If exploited, an attacker could gain full control of all Nexus stations in a hospital.

“This research sheds light on systems that are hidden in plain sight but are nevertheless a crucial building block to modern-day healthcare,” said Nadir Izrael, Armis co-founder and CTO. “Understanding that patient care depends not only on medical devices, but also on the operational infrastructure of a hospital is an important milestone to securing healthcare environments.”

The researchers detailed a scenario in which the flaws could be exploited to deliver ransomware. First an attacker would need a foothold in the hospital network. This could be as simple as exploiting a vulnerability in a low-grade IoT device such as a hospital IP camera. Once network access is gained, the Translogic PTS could be targeted since it is connected to hospital networks. Any of 5 vulnerabilities could then be exploited to achieve remote code execution in an attack that could see all Nexus stations compromised, either using ransomware or simply shutting down stations.

“In this volatile state, the hospital’s operations can be severely derailed,” said the researchers. “Medications supplied to departments, timely delivery of lab samples, and even blood units supplied to operating rooms all depending on constant availability of the PTS.”

Armis presented the findings at Black Hat USA. Swisslog Healthcare has patched 8 of the 9 vulnerabilities in Nexus Control Panel version 7.2.5.7, with the one remaining vulnerability due to be fixed in an upcoming release. The remaining vulnerability, tracked as CVE-2021-37160, affects legacy systems and is due to the lack of firmware validation during a file upload for a firmware update.

There have been no known cases of the vulnerabilities being exploited. Swisslog Healthcare has suggested mitigations and workarounds in its security advisory for hospitals that are unable to upgrade to the latest version of the Nexus Control Panel.

The post Multiple Critical Vulnerabilities Identified in Pneumatics System Used in 2,300 U.S. Hospitals appeared first on HIPAA Journal.

CISA Publishes List of the Most Commonly Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint cybersecurity advisory about the most common vulnerabilities exploited by cyber actors in 2020, many of which are still being widely exploited in 2021.

The advisory lists the top 30 exploited Common Vulnerabilities and Exposures (CVEs), how each vulnerability is exploited, recommended mitigations, indicators of compromise, and tools and methods that can be used to check whether the vulnerabilities have already been exploited.

Recently disclosed vulnerabilities are exploited by cyber threat actors, but most of the commonly exploited vulnerabilities are not new and were disclosed in the past two years. In 2020, the pandemic forced many businesses to switch from an office-based to a remote workforce, so it is not surprising that 4 of the most commonly exploited vulnerabilities in 2020 concern remote working solutions such as VPNs and cloud-based technologies. Since these remote working solutions are constantly in use, many businesses failed to apply patches and the vulnerabilities were exploited. It is essential that time is taken to apply patches as soon as possible and for IT teams conduct rigorous patch management.

Patches are available to address all of the most commonly exploited vulnerabilities included in the security advisory. Patching should be prioritized, starting with the vulnerabilities that are known to be currently exploited or those that are available to the largest number of potential cyber actors – for example, vulnerabilities in Internet facing systems. If it is not possible to apply patches, consider implementing temporary workarounds and other mitigations suggested by vendors.

The top 12 exploited vulnerabilities in 2020 are detailed in the table below

Vendor CVE Type
Citrix CVE-2019-19781 arbitrary code execution
Pulse CVE 2019-11510 arbitrary file reading
Fortinet CVE 2018-13379 path traversal
F5- Big IP CVE 2020-5902 remote code execution (RCE)
MobileIron CVE 2020-15505 RCE
Microsoft CVE-2017-11882 RCE
Atlassian CVE-2019-11580 RCE
Drupal CVE-2018-7600 RCE
Telerik CVE 2019-18935 RCE
Microsoft CVE-2019-0604 RCE
Microsoft CVE-2020-0787 elevation of privilege
Netlogon CVE-2020-1472 elevation of privilege

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices, with the most commonly exploited flaws in Pulse, Accellion, VMware, Fortinet, and Microsoft Exchange. CISA is urging security teams to prioritize patching for the following vulnerabilities, which have been extensively exploited in 2021 in addition to addressing the above vulnerabilities.

Vendor CVE
Microsoft Exchange  CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
Pulse Secure  CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
Accellion CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
VMware CVE-2021-21985
Fortinet CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591

The post CISA Publishes List of the Most Commonly Exploited Vulnerabilities appeared first on HIPAA Journal.

The Average Cost of a Healthcare Data Breach is Now $9.42 Million

IBM Security has published its 2021 Cost of a Data Breach Report, which shows data breach costs have risen once again and are now at the highest level since IBM started publishing the reports 17 years ago. There was a 10% year-over-year increase in data breach costs, with the average cost rising to $4.24 million per incident. Healthcare data breaches are the costliest, with the average cost increasing by $2 million to $9.42 million per incident. Ransomware attacks cost an average of $4.62 million per incident.

Source: IBM Security

The large year-over-year increase in data breach costs has been attributed to the drastic operational shifts due to the pandemic. With employees forced to work remotely during the pandemic, organizations had to rapidly adapt their technology. The pandemic forced 60% of organizations to move further into the cloud. Such a rapid change resulted in vulnerabilities being introduced and security often lagged behind the rapid IT changes. Remote working also hindered organizations’ ability to quickly respond to security incidents and data breaches.

According to IBM, data breaches costs were more than $1 million higher when remote work was indicated as a factor in the data breach. When remote work was a factor, the average data breach cost was $4.96 million compared to $3.89 million when remote work was not a factor. Almost 20% of organizations that reported data breaches in 2020 cited remote work as a factor, with the cost of a data breach around 15% higher when remote work was a factor.

To compile the report, IBM conducted an in-depth analysis of data breaches involving fewer than 100,000 records at 500 organizations between May 2020 and March 2021, with the survey conducted by the Ponemon Institute.

The most common root cause of data breaches in the past year were compromised credentials, which accounted for 20% of data breaches. These breaches took longer to detect and contain, with an average of 250 days compared to an overall average of 212 days.

The most common types of data exposed in data breaches were customers’ personal data such as names, email addresses, passwords, and healthcare data. 44% of all data breaches included those types of data. A data breach involving email addresses, usernames, and passwords can easily have a spiral effect, as hackers can use the compromised data in further attacks. According to the Ponemon Institute survey, 82% of individuals reuse passwords across multiple accounts.

Breaches involving customers’ personally identifiable information (PII) were more expensive than breaches involving other types of data, with a cost per record of $180 when PII was involved compared to $161 per record for other types of data.

Data breach costs were lower at companies that had implemented encryption, security analytics, and artificial intelligence-based security solutions, with these three mitigating factors resulting in data breach cost savings of between $1.25 million and $1.49 million per data breach.

Adopting a zero-trust approach to security makes it easier for organizations to deal with data breaches. Organizations with a mature zero trust strategy had an average data breach cost of $3.28 million, which was $1.76 million lower than those who had not deployed this approach at all.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security. “While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics, such as AI, automation and the adoption of a zero-trust approach – which may pay off in reducing the cost of these incidents further down the line.”

Security automation greatly reduces data breach costs. Organizations with a “fully deployed” security automation strategy had average breach costs of $2.90 million per incident, compared to $6.71 million at organizations that had no security automation.

Companies with an incident response team that had tested their incident response plan had 54.9% lower breach costs than those that had neither. The average data breach cost was $3.25 million compared to $5.71 million when neither were in place.

The cost of a data breach was $750,000 (16.6%) higher for companies that had not undergone any digital transformation due to COVID-19. Cloud-based data breach costs were lower for organizations that had adopted a hybrid cloud approach, with an average cost of $3.61 million at organizations with hybrid cloud infrastructure compared to $4.80 million for organizations with a primarily public cloud and $4.55 million for those that had adopted a private cloud approach. Data breach costs were 18.8% higher when a breach was experienced during a cloud migration project.

Organizations that were further into their cloud migration plan were able to detect and respond to data breaches far more quickly – on average 77 days more quickly for organizations that were at a mature state of their cloud modernization plan than those in the early stages.

Mega data breaches – those involving between 50 million and 65 million records – cost an average of $401 million per incident, which is more than 100 times the cost of breaches involving between 1,000 and 100,0000 records.

The post The Average Cost of a Healthcare Data Breach is Now $9.42 Million appeared first on HIPAA Journal.