Healthcare Data Security

Vulnerabilities Identified in IDenticard PremiSys Access Control System

Posted by HIPAA Journal

ICS-CERT has issued an alert about three high severity vulnerabilities in the IDenticard PremiSys access control system. All versions of PremiSys software prior to version 4.1 are affected by the vulnerabilities.

Successful exploitation of the vulnerabilities could result in full access being gained to the system with administrative privileges, theft of sensitive information contained in backups, and access being gained to credentials. The vulnerabilities could be exploited remotely and require a low level of skill to exploit. Details of the vulnerabilities have been publicly disclosed.

The highest severity vulnerability CVE-2019-3906 concerns hard-coded credentials which allow full admin access to the PremiSys WCF Service endpoint. If successfully exploited, and attacker could obtain full access to the system with administrative privileges. The vulnerability has been assigned a CVS v3 base score of 8.8.

User credentials and other sensitive information stored in the system are encrypted; however, a weak method of encryption has been used which could potentially be cracked resulting in the exposure and theft of information. The vulnerability (CVE-2019-3907) has been assigned a CVS v3 base score of 7.5.

Backup files are stored by the system as encrypted zip files; however, the password required to unlock the backups is hard-coded and cannot be changed. Potentially an attacker could gain access to the backup files and view/steal information. The vulnerability (CVE-2019-3908) has been assigned a CVS v3 base score of 7.5.

Tenable’s Jimi Sebree discovered and reported the vulnerabilities.

IDenticard has corrected the hard-coded credentials vulnerability (CVE-2019-3906). Users should update to version 4.1 of the software to correct the flaw. IDenticard is currently working on a fix for the other two flaws. A software update correcting those flaws is expected to be released in February 2019.

As an interim mitigation, NCCIC recommends restricting and monitoring access to Port 9003/TCP, locating the system behind a firewall, and ensuring the access control system is not accessible over the Internet. If remote access is necessary, secure methods should be used for access, such as an up to date VPN.

The post Vulnerabilities Identified in IDenticard PremiSys Access Control System appeared first on HIPAA Journal.

New Cybersecurity Framework for Medical Devices Issued by HSCC

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector.

More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing Act of 2015.

“It is important for medical device manufacturers and health IT vendors to consider the JSP’s voluntary framework and its associated plans and templates throughout the lifecycle of medical devices and health IT because doing so is expected to result in better security and thus better products for patients,” explained HSCC.

Cybersecurity controls can be difficult to integrate into existing processes. Organizations often fail to recognize how important security controls are, and when considering how to enhance cybersecurity many do not know where to start or have insufficient resources to devote to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to implementing the JSP as it is believed that by doing so patient safety will be improved.

The JSP can be adopted by organizations of all sizes and stages of maturity and helps them enhance cybersecurity of medical devices by addressing key challenges. Many large manufacturers have already created similar cybersecurity programs to the JSP, so it is likely to be of most use for small to medium sized companies that lack awareness of the steps to take to improve cybersecurity as well as those with fewer resources to devote to cybersecurity.

The JSP utilizes security by design principles and identifies shared responsibilities between industry stakeholders to harmonize security standards, risk assessment methodologies, reporting of vulnerabilities, and improve information sharing between device manufacturers and healthcare providers. The JSP covers the entire lifecycle of medical devices, from development to deployment, management, and end of life. The JSP includes several recommendations including the incorporation of cybersecurity measures during the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigation of post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded on this link.

The post New Cybersecurity Framework for Medical Devices Issued by HSCC appeared first on HIPAA Journal.

Patches Released to Mitigate Stryker Medical Bed KRACK Vulnerabilities

Posted by HIPAA Journal

Nine vulnerabilities have been identified in Stryker Medical Beds. The vulnerabilities could be exploited in a man-in-the-middle attack by an attacker within radio range of vulnerable product to replay, decrypt, or spoof frames.

The vulnerabilities are present in the four-way handshake used by WPA and WPA2 wireless security protocols which allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities have been identified in a wide range of wireless devices.

The nine vulnerabilities are summarized below:

  • CVE-2017-13077: Reinstallation of pairwise key in the four-way handshake.
  • CVE-2017-13078: Reinstallation of group key in the four-way handshake.
  • CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake.
  • CVE-2017-13080: Reinstallation of group key in the group key handshake.
  • CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake.
  • CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transmission handshake.
  • CVE-2017-13086: Reinstallation of Tunneled Direct-Link Setup Peer Key in the Tunneled Direct-Link Setup handshake.
  • CVE-2017-13087: Reinstallation of the Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the Integrity Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.

The group of vulnerabilities have collectively been assigned a CVSS v3 base score of 6.8 – Medium severity. The flaws were identified by Mathy Vanhoef of imec-DistriNet, KU Leuven and reported to the National Cybersecurity & Communications Integration Center (NCCIC).

Mitigations

Software updates have been released by Stryker to mitigate the vulnerabilities:

  • Users of Gateway 2.0 should upgrade to software version 5212-400-905_3.5.002.01
  • Users of Gateway 3.0 should upgrade to software version 5212-500-905_4.3.001.01

No patch is available for Gateway 1.0.

Additional measures can also be taken to reduce the risk of exploitation of the vulnerabilities. These include disabling iBed functionality if it is not being used, operating the products on a separate VLAN, and applying updates that include the KRACK patch to wireless access points.

The post Patches Released to Mitigate Stryker Medical Bed KRACK Vulnerabilities appeared first on HIPAA Journal.

Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Posted by HIPAA Journal

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit.

BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions.

The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC).

The vulnerability is present in the following cytometry solutions:

  • BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018)
  • The U.S. release of BD FACSLyric IVD Windows 10 Professional Operating System.

FACSLyric flow cytometry systems on Windows 7 are unaffected.

BD is contacting all affected users and will perform remediation activities to correct the flaw. These include disabling the admin account for users with BD FACSLyric RUO Cell Analyzer units on Windows 10 Pro. Computer workstations with BD FACSLyric IVD Cell Analyzer units on Windows 10 Pro will be replaced.

Users of the vulnerable solutions that have not yet been contacted by BD can contact BD Biosciences General Tech Support for further information.

To minimize the risk of exploitation of vulnerabilities such as this, NCCIC recommends locating medical devices and systems behind firewalls, minimizing network exposure for medical devices and systems, restricting access to authorized individuals, applying the rule of least privilege, adopting defense in depth strategies, and disabling unnecessary accounts and services.

The post Vulnerability Identified in BD FACSLyric Flow Cytometry Solution appeared first on HIPAA Journal.

GDPR Incorporated into the HITRUST CSF

Posted by HIPAA Journal

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST HSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements.

Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.

Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”

HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognized as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.

In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST HSF and is currently working toward becoming an Accountability Agent under Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.

The post GDPR Incorporated into the HITRUST CSF appeared first on HIPAA Journal.

Multiple Flaws Identified in LabKey Server Community Edition

Posted by HIPAA Journal

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser.

LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed.

CVE-2019-3911 – Reflected XSS

Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication.

CVE-2019-3912 – Open Redirects

Open redirects via returnURL are present throughout LabKey Server which could be manipulated to redirect users to a location under the control of the attacker. __r paths are the easiest to manipulate.

CVE-2019-3913 – Network Drive Mapping Logic Flaw

Improper sanitization of supplied values in the mount function allows a user to manipulate arguments in the ‘net use’ command when mapping network drives. Tenable has illustrated one of the vulnerabilities in a proof of concept exploit, which allows a user to supply any valid drive letter which will result in the application ending the connection, even if the remainder of the mapping command is not correct. Admin access to the web interface would be required for this vulnerability to be exploited. This flaw could be exploited to map a malicious drive to the server.

Tenable Research disclosed the vulnerabilities to LabKey and patches were developed to correct the three flaws. Updates correcting each of the vulnerabilities were released on January 16, 2019.

To prevent the flaws from being exploited, all users should update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as possible.

The post Multiple Flaws Identified in LabKey Server Community Edition appeared first on HIPAA Journal.

Analysis of 2018 Healthcare Data Breaches

Posted by HIPAA Journal

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 Was a Record-Breaking Year for Healthcare Data Breaches

Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States.

The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year.

Healthcare data breaches 2009-2018

In 2018, 365 healthcare data breaches were reported, up almost 2% from the 358 data breaches reported in 2017 and 83% more breaches that 2010.

2018 was the worst year in terms of the number of breaches experienced, but the fourth worst in terms of the number of healthcare records exposed, behind 2015, 2014, and 2016. The last two years have certainly seen an improvement in that sense, although 2018 saw a 157.67% year-over-year increase in the number of compromised healthcare records.

healthcare records exposed 2009-2018

2018 Healthcare Data Breaches by Month

Healthcare data breaches in 2018 by month

Healthcare Records Exposed Each Month in 2018

records exposed in healthcare data breaches in 2018 by month

Largest 2018 Healthcare Data Breaches

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1  AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 Iowa Health System d/b/a UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal

Click for further information on the largest healthcare data breaches of 2018.

Causes of 2018 Healthcare Data Breaches

The biggest causes of healthcare data breaches in 2018 were hacking/IT incidents (43.29%) and unauthorized access/disclosures (39.18%), which together accounted for 82.47% of all data breaches reported in 2018. There were 42 theft incidents (11.5%) reported in 2018, 13 cases (3.56%) of lost PHI/ePHI, and 9 cases (2.47%) of improper disposal of PHI/ePHI.

Causes of 2018 Healthcare Data Breaches

There was a 5.33% annual increase in hacking/IT incidents – 158 breaches compared to 150 in 2017. While the number of hacking/IT-related breaches rose only slightly, the breaches were far more damaging in 2018 and resulted in the theft/exposure of 161.89% more healthcare records. The mean breach size of hacking/IT incidents in 2017 was 23,218 records and in 2018 it rose to 57,727 records in 2018 – A year-over-year increase of 148.63%.

2018 saw an even larger increase in unauthorized access/disclosure incidents. 14.4% more incidents were reported in 2018 than 2017 and 146.49% more healthcare records were exposed in unauthorized access/disclosure incidents than the previous year. The mean breach size of unauthorized access/disclosure incidents in 2017 was 9,893 records and 21,316 records in 2018 – An increase of 115.47%.

Loss, theft, and improper disposal incidents all declined in 2018. Loss incidents fell from 16 to 13 year-over-year (-18.75%), improper disposal incidents fell from 11 to 9 (-18.18%), and theft incidents fell from 56 in 2017 to 42 in 2018 (-25%).

While there was a reduction in the number of cases of theft and improper disposal year-over-year, the severity of those two types of breaches increased in 2018. The mean breach size of theft incidents rose from 6,908 records in 2017 to 16,605 records in 2018 – A rise of 140.37%. Improper disposal incidents increased from a mean of 2,802 records in 2017 to 37,794 records in 2018 – A rise of 1,248.82%.

There was a slight reduction in the severity of loss incidents, which fell from an average of 2,461 records in 2017 to 2,305 – A fall of 6.33%.

records exposed by breach cause

Location of Breached Protected Health Information

The breakdown of 2018 healthcare data breaches by the location of breached PHI highlights the importance of increasing email security and providing further training to healthcare employees. 33.42% of all healthcare data breaches in 2018 involved email. Those breaches include phishing attacks, other unauthorized email access incidents and misdirected emails.
While healthcare organizations may be focused on preventing cyberattacks and improving technical defenses, care must still be taken with physical records. There were 81 breaches of physical PHI such as charts, documents, and films in 2018. Paper/films were involved in 22.19% of breaches.

The next most common location of breached PHI was network servers, which were involved in 20.27% of breaches in 2018. These incidents include hacks, ransomware attacks, and malware-related breaches.

Location of Breached Protected Health Information

2018 Healthcare Data Breaches by Covered Entity Type

Given the relative percentages of healthcare providers to health plans, it is no surprise that more healthcare provider data breaches occurred. 74.79% of the year’s breaches affected healthcare providers, 14.52% occurred at health plans, and 10.68% affected business associates of HIPAA-covered entities.

2018 Healthcare Data Breaches by Covered Entity

Business associate data breaches were the most severe, accounting for 42% of all exposed/stolen records in 2018, followed by healthcare provider breaches and breaches at health plans.  The mean breach size for business associate data breaches was 140,915 records, 53,471 records for health plan data breaches, and 17,974 records for healthcare provider data breaches.

2018 Healthcare Data Breaches by Covered Entity (records)

States Worst Affected By 2018 Healthcare Data Breaches

Being the two most populated states, it is no surprise that California and Texas were the worst affected by healthcare data breaches in 2018. Only four states avoided healthcare data breaches in 2018 – New Hampshire, South Carolina, South Dakota, Vermont.

Number of Breaches State
38 California
32 Texas
19 Illinois
18 Florida
18 Massachusetts
16 New York
14 Missouri
11 Pennsylvania
10 Iowa, Michigan, Minnesota, Wisconsin
9 Maryland, Ohio, Oregon
8 Arizona, North Carolina, Virginia
7 Georgia, New Jersey, Tennessee, Washington
6 Colorado, Kansas, Nevada
5 Arkansas, Indiana, Nebraska, New Mexico, Utah
4 Connecticut, Kentucky
3 Alaska, Louisiana, Mississippi, Montana, Rhone Island
2 Alabama, District of Columbia, Oklahoma, Wyoming
1 Hawaii, Idaho, Maine, North Dakota, West Virginia
0 New Hampshire, South Carolina, South Dakota, Vermont

HIPAA Fines and Settlements in 2018

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and has the authority to issue financial penalties for violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. State attorneys general also play a role in the enforcement of HIPAA compliance and can also issue fines for HIPAA violations.

In 2018, OCR issued 10 financial penalties to resolve HIPAA violations that were discovered during the investigation of healthcare data breaches and complaints.

Summary of 2018 HIPAA Fines and Settlements

The financial penalties issued by OCR in 2018 totaled $25,683,400, making 2018 a record-breaking year for HIPAA penalties.

2018 HIPAA fines and penalties total

12 financial penalties were issued by state attorneys general over violations of HIPAA Rules.

You can read more about the – HIPAA fines and settlements in 2018 here.

The post Analysis of 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

DHS Issues Emergency Warning About DNS Hijacking Attacks

Posted by HIPAA Journal

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has issued an emergency warning about DNS hijacking attacks. All government agencies have been instructed to audit their DNS settings in the next 10 days.

CISA reports that hackers have been targeting government agencies and modifying their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By modifying the DNS records, web traffic and email traffic can be re-routed.

This method of attack allows sensitive data to be stolen without compromising a network and users are unlikely to be aware that their communications have been intercepted. Re-routed emails are likely to go unnoticed and web traffic could be re-routed to identical copies of legitimate sites.  Since those sites have TLS/SSL certificates, no warning would be triggered by browsers.

DNS attacks allow hackers to gather information about the websites visited by users and the information could be used in phishing campaigns. The attacks appear to be concerned with obtaining domain and login credentials.

The DNS attacks are not limited to the United States. Attacks have also been observed in the Middle East, North Africa, and Europe by FireEye and Cisco Talos researchers. The DNS hijacking campaign is extensive and many of the attacks have succeeded. Several executive brand agency domains have been impacted by the attacks. Those agencies have been notified by DHS but the campaign, but further attacks can be expected.

While the individuals behind the attacks have not been identified the campaign appears to be linked to Iran.

DHS has issued a four-step plan that must be enacted in the next 10 days.

  1. Audit all .gov and agency-managed domains on authoritative and secondary DNS servers and ensure that they direct traffic to the intended location. NS records and those associated with key agency services should be prioritized. If DNS changes are discovered, they must be reported to CISA.
  2. All federal agencies have been instructed to change DNS account passwords on accounts that can make changes to the agency’s DNS records. New unique, complex passwords should be set.
  3. All DNS accounts that can make changes to DNS records should have multi-factor authentication enabled. If MFA cannot be enabled on systems, CISA must be notified.
  4. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service in the next 10 days. CT logs must be immediately monitored for certificates that have been issued that have not been requested by the agency. If logs are found to be inaccurate, they must be reported to CISA.

Any agency that discovered anomalous DNS records will be provided with technical assistance by CISA.

A status report must be submitted to CISA by January 25, 2019 and a completion report must be submitted to CISA by February 5, 2019 confirming the above four steps have been implemented.

The post DHS Issues Emergency Warning About DNS Hijacking Attacks appeared first on HIPAA Journal.

New Report Reveals Spiraling Cost of Cyberattacks

Posted by HIPAA Journal

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there was a 52% increase in the cost of cyberattacks on businesses in since 2017.

For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks.

The 2018 Threat Landscape

93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware.

Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now more purposeful about hiding their motives. 27% of attacks were insider threats, 26% were attacks by competitors, 19% were attributed to cyberwar, and 18% were conducted by angry users. The primary aim of the attacks was service disruption (45%), data theft (35%), and espionage (3%). 16% of attacks had another aim or the purpose had not been established.

One in five businesses reported being attacked daily: A 62% increase year over year. 13% reported weekly attacks, 13% monthly attacks, and 27% experienced one or two attacks in the past year. 19% were unsure how many times they had been attacked.

Healthcare was the second most attacked industry behind the government sector. 39% of healthcare organizations reported having to fend off daily or weekly cyberattacks by hackers. Only 6% of healthcare organizations claimed they had not been attacked in the past year.

The biggest threats were malware and bots (reported by 76% of organizations), social engineering attacks such as phishing (65%), DDoS attacks (53%), web application attacks (42%), ransom threats (38%), and cryptocurrency miners (20%).

Respondents from healthcare organizations felt they were best prepared for phishing and other social engineering attacks (58%), malware, bots and DDoS attacks (55%), and web application attacks (52%). Only 39% felt they were well prepared to deal with ransomware attacks and advanced persistent threats.

The Rising Cost of Cyberattacks

The Radware study asked respondents about the business cost of a successful cyberattack. According to the report, the cost more than doubled compared to last year and is now $1.1 million. Respondents that had a formalized calculation to determine the financial impact of a cyberattack reported the cost to be $1.7 million, compared to $880,000 for those with no formal calculation.

For SMBs with fewer than 1,000 employees, the average cost of a cyberattack was estimated to be $450,000. That rose to $1.1 million for enterprises with between 1,000 and 10,000 employees, and $2.1 million for large corporations with more than 10,000 employees.

The average cost of a successful cyberattack on a healthcare organization was determined to be $1.43 million. Fortunately, most healthcare organizations (82%) had a breach response plan in place, which can limit the cost of a cyberattack.

The True Cost of a Cyberattack

The cost of a cyberattack is likely to be significantly higher than the estimates. Radware notes that the estimates do not factor in direct costs such as extended labor, investigations, and the development of software patches, indirect costs such as the hiring of technical consultants, legal expenses, and stock price drops, and costs associated with the prevention of future cyberattacks.

Other costs that are difficult to calculate are lost revenue, brand reputation damage, and loss of customers – All real possibilities after a data breach. Radware notes that following a successful cyberattack, 43% of respondents said there had been a negative customer experience, 37% suffered brand reputation damage, and 23% reported a loss of customers.

“The cost of cyberattacks is simply too great to not succeed in mitigating every threat, every time,” explained Radware. “Customer trust is obliterated in moments, and the impact is significant on brand reputation and costs to win back business.”

The post New Report Reveals Spiraling Cost of Cyberattacks appeared first on HIPAA Journal.