Analyzing 2,700 Healthcare Data Breaches: Key Insights and Prevention Strategies
Discover critical areas healthcare organizations should focus on to mitigate cyberattacks and prevent data breaches, based on analysis of 2,700 incidents.
Healthcare Cybersecurity We Analyzed 2700 Healthcare Data Breaches (Case Studies)
Added on 09/26/2024

Speaker 1: If you follow cybersecurity news at all, you probably know that healthcare organizations have been under constant attack. We wanted to know where healthcare organizations should focus their cybersecurity efforts to make the most impact on mitigating those attacks and preventing large data breaches. To do this, we analyzed 2,700 publicly disclosed healthcare data breaches. While analyzing this data, we found some very interesting points that showed the areas where healthcare organizations are suffering the most and how attackers are getting into their organizations. So today, we wanted to take our research and share with you what we learned analyzing 2,700 healthcare data breaches. Before we get started, be sure that you subscribe and you hit the bell notification so that you're notified when we release future videos on the SMB Secure YouTube channel.

So if you're familiar with HIPAA and healthcare cybersecurity at all, you know that business associates have to abide by the HIPAA regulations just like covered entities. And to briefly define, a covered entity is an organization that is covered under the HIPAA regulation. A business associate is an organization that creates, receives, maintains, or transmits protected health information on behalf of the covered entity. And those organizations have to abide by HIPAA just like covered entities do. One thing that we found very interesting is that business associates have been responsible for 20% of leaked data records since 2009. That is 49 million records. So this tells us that business associates are a huge risk for covered entities to take very seriously. Covered entities need to do due diligence, security questionnaires, and be sure that the business associates they choose are reputable and are making wise security decisions.

Another very interesting statistic was that paper is not necessarily much more secure than electronic records. You probably know that HIPAA deals with electronic records. There are some parts that deal with paper, but for the most part, HIPAA deals with electronic records. And some organizations opted to stay with paper records so they could avoid HIPAA compliance and not have to deal with what they call the HIPAA compliance headache. However, based on the publicly disclosed breaches on the OCR portal, the Office for Civil Rights, where organizations are mandated to report their breaches, and these are publicly available for anyone to go see, 4.9 million records that have been leaked in 2009 have been on paper. The reason is paper records are so often overlooked. They get old, they're put in a closet, someone comes, they're doing cleanup, they get thrown away, and paper records end up getting disclosed. There was a very interesting paper record breach several years ago where the paper records had been picked up by an organization who was supposed to be shredding them. They were put into a truck, and somehow the truck doors opened and those papers spread all over the highway. And thousands and thousands of people had their medical records disclosed on the highway.

Email is not secure. You should just count that anything in your emails will be disclosed. Unfortunately, it's very likely that all of us at some point will be phished and attackers will get access to our emails. Unless we have very, very stringent two-factor authentication and are very, very diligent in looking out for phishing attacks, it's very likely. Because of this, emailing PHI is a huge risk for your organization. 17% of healthcare data breaches over the last 10 years or so have involved email in some way or another. That is, 7.6 million records have involved email. That could be an attacker gained access to an organization's email accounts or PHI was in the email. They might've used that email as a pivot point to get into other systems with things like single sign-on. The moral is you should not send PHI in email. If you have to send email, it should be encrypted as an attachment that the individual can go and access. But just sending email between providers and business associates is a huge risk that you should avoid.

It's probably happened to a lot of us at some point. We're at a restaurant, we get our computer out to do some work, or we're at a hotel, we shove a computer in the closet, we leave for the day, we come back and it's gone. We leave the restaurant, we forget we left a laptop or a phone lying there, and we come back and it's gone. This unfortunately happens to healthcare workers as well. They will lose their laptops. They do get stolen, and this is a huge security risk. We found in our research, analyzing all of these records, that 31% of breaches were because of stolen unencrypted devices. That's a lot of stolen devices, and that's a lot of records on stolen devices. A couple of issues we have going on here. One, these devices should be encrypted so that if an attacker gets them, they don't have access to the data. Two, why is so much data on a device? Why aren't we storing these in central systems on our networks that we can protect better, or in centralized cloud systems? 31% of breaches, or 23 million healthcare records, have been stolen on unencrypted devices. In one incident at a hospital, in a couple of months, they had several stolen devices and several million records on these devices potentially exposed.

Okay, do you want to know what the biggest contributor to leaked healthcare records is? Hacked servers. We found, while analyzing all of the data from these 2,700 data breaches, that hacked servers accounted for 79% of leaked records. 164 million leaked records were the result of hacked servers. Now, some of these hacked server breaches were very, very large, and that does sort of skew the data a little bit, but improperly configured accessible servers have been a huge cause for data breaches over the last decade. So what can we learn from this? We need to pay attention to servers where we store data. Be sure that we are using secure baselines. Be sure that we are using the principle of least privilege so that even if an attacker gains access, they have limited access. Be sure that we are patching. For 9.9 million of these leaked records, the leak was because of existing vulnerabilities on these servers. These are vulnerabilities that could have been patched and prevented. 10 million records because of patches not being in place. So be sure that you have a patch management system in place. Be sure that when critical patches are released, they are updated on your systems. Be sure that you have segmentation and isolation in place, and the principle of least privilege, so that even if an attacker gains access, their access is limited.

Before we go on to some of the other data points, if you are interested in accessing all of the raw data in our analysis, we have that available on our website. Check out the link. You can download the data that we used. You can see the formulas we ran and how we analyzed this data.

So if you go to security conferences, especially the big ones, there are thousands and thousands of people at these conferences, and there are usually hundreds and hundreds of vendors displaying all kinds of security solutions. Over the last decade, we've seen all kinds of new security solutions come. We've seen new companies grow, all kinds of innovation in the security space. So you would think that data breaches have been decreasing. Unfortunately, that's not true. Since 2017, data breaches have been on the rise. Generally, if you look at the data since 2009, the number of breached records and the number of breaches have been increasing. There were two points, in 2011 and 2015, where there was a decrease. However, the overall trend is that data breaches in the healthcare space are increasing. What does this tell us? What we're doing is not working. We need to do something different.

Too often, we see data breaches with massive, massive numbers of records being compromised. Why are all of these records in one place, accessible to one person? Let's start thinking about segmentation. Let's think about least privilege. Let's think about the principle of zero trust, zero trust architecture in our networks. And if we begin implementing these controls, we can prevent a lot. Most of the time, it's the basics that organizations are getting wrong: patch management, forgetting a device is accessible, configuring things wrong. Create processes and systems so that if you deploy a new server, it is checked for security baselines, patches, proper configurations, all of these things. If we get the basics right, we can prevent so many data breaches.

So if you look at the public data breaches on OCR, which you can see in our data if you go get it from our website, there are three main categories of organizations that report to OCR. There are health plans or insurance groups, there are healthcare providers or covered entities, and there are business associates. So we did some analysis because we wanted to see which of these categories has the most breaches, the largest breaches, et cetera. And we found that healthcare providers have more breaches, but health plans have larger breaches. So health plans have been responsible for the leaking of 112 million records, and healthcare providers have been responsible for 60.9 million. Business associates have been responsible for, or involved in, the leaking of somewhere around 30 million records. So health plans are more than healthcare providers and business associates combined. One reason for this is that insurance companies usually have a lot more data than the smaller business associates and covered entities do. They have a lot of centralized data coming from some of these healthcare providers to them. And they're a big target. So this means that health plans need to pay extra attention to the data they hold and securing that data.

We shouldn't have to tell you, you probably already know, that phishing is a huge risk for every organization. When we do social engineering engagements, when we do phishing engagements for organizations and our clients, we usually get a 50% click rate. And we have yet to have a social engineering engagement where we did not get credentials and gain access to employee systems. The attackers are just as good at this. And in the healthcare industry specifically, in our research, we found that 81 million leaked records have involved phishing. That is 39% of the leaked records since 2009. Phishing was involved in some way. So how can we prevent this? We can implement security awareness training. We can implement two-factor authentication. And we can implement segmentation so that when an attacker gains access to a system, their reach and how far they can pivot is limited. Implementing these three basic controls could decrease phishing tremendously. When we do social engineering training for companies, we usually see a huge drop in phishing. If you keep it in front of your users, they are aware of it. Think about multiplication. How did you learn it? You learned it by practicing it every day when you were in grade school. And that is how we can train our employees to be aware of phishing and social engineering attacks. We keep it in front of them constantly. So when you do security awareness training, do it regularly. Annual phishing training, annual security awareness training doesn't work. Did you learn your multiplication by studying one time a year? No, it was repetition and constantly practicing. So keep security issues in front of your employees, keep it top of mind, and they'll be aware of it.

And the final interesting data point that we wanted to bring out was portable electronic media. I can't think of a reason that data should be stored on portable electronic media. It should be stored in a central location that can be secured. There might be some very rare cases where it makes sense, but obviously from the data, it's happening way too much. We found that unauthorized disclosure and access of portable media has accounted for 3 million healthcare records being compromised or leaked since 2009. Lost electronic media has been responsible for another 1.2 million. Theft has been responsible for another 1.2 million, and improper disposal has been responsible for 0.8 million, or 800,000 records. 3 million records on portable media since 2009 compromised. That is a lot of records. That's a lot of data being stored on portable media. If that had been in a central location, maybe that could have been secured better. Maybe it wouldn't have been lost and stolen. So that's something to keep in mind.

If you're looking for a security roadmap for your cybersecurity program at your organization, if you are in healthcare, or if you're not in healthcare, be sure to check out our small business cybersecurity plan. It is a complete guide on cybersecurity for small businesses so that you have a step-by-step roadmap that teaches you what you need to do in your security program.
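The talk repeatedly reports the same kind of figure: records or incidents grouped by breach type, by where the data lived (network server, email, laptop, paper), by the type of reporting entity, and by year. The script below is an added example of how such an aggregation over a breach-report export can be done; it is not the channel's own analysis code or spreadsheet. The column headers follow the shape of the OCR breach portal CSV export but are an assumption to check against a real download, and the seven rows are constructed sample data whose numbers have nothing to do with the figures quoted in the talk.

```python
"""Aggregate breach-report rows by location, entity type, year and
business-associate involvement (added example, constructed sample data)."""
import csv
import io
from collections import defaultdict

# Constructed sample rows. Header names mirror the OCR portal export as an
# ASSUMPTION; verify them against the actual file before running on real data.
SAMPLE_CSV = """\
Name of Covered Entity,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Hospital A,Healthcare Provider,5000,03/01/2019,Hacking/IT Incident,Network Server,No
Example Plan B,Health Plan,120000,07/15/2020,Hacking/IT Incident,Email,No
Example Clinic C,Healthcare Provider,800,11/02/2020,Theft,Laptop,No
Example Vendor D,Business Associate,30000,02/20/2021,Hacking/IT Incident,Network Server,Yes
Example Clinic E,Healthcare Provider,1500,05/09/2021,Loss,Paper/Films,No
Example Plan F,Health Plan,45000,09/30/2022,Unauthorized Access/Disclosure,Email,No
Example Hospital G,Healthcare Provider,2000,01/12/2022,Theft,Other Portable Electronic Device,No
"""

# Locations the talk groups together as "portable" (laptops, other portable
# electronic devices, removable media). Values are an assumption.
PORTABLE_LOCATIONS = {"Laptop", "Other Portable Electronic Device", "Other"}


def parse_breaches(csv_text):
    """Normalise each CSV row into a dict with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "entity": r["Name of Covered Entity"],
            "entity_type": r["Covered Entity Type"],
            "affected": int(r["Individuals Affected"]),
            # Dates in the export are MM/DD/YYYY; keep only the year for trends.
            "year": int(r["Breach Submission Date"].split("/")[-1]),
            "breach_type": r["Type of Breach"],
            "location": r["Location of Breached Information"],
            "ba_present": r["Business Associate Present"].strip().lower() == "yes",
        })
    return rows


def totals_by(rows, key):
    """Incident count and affected-individual total, grouped by one field."""
    agg = defaultdict(lambda: {"incidents": 0, "affected": 0})
    for r in rows:
        agg[r[key]]["incidents"] += 1
        agg[r[key]]["affected"] += r["affected"]
    return dict(agg)


def share_of_records(rows, key, value):
    """Percentage of all affected individuals whose breach has key == value."""
    total = sum(r["affected"] for r in rows)
    part = sum(r["affected"] for r in rows if r[key] == value)
    return round(100.0 * part / total, 1) if total else 0.0


def share_of_incidents(rows, predicate):
    """Percentage of incidents (not records) satisfying a predicate."""
    if not rows:
        return 0.0
    return round(100.0 * sum(1 for r in rows if predicate(r)) / len(rows), 1)


def portable_device_share(rows):
    """Share of incidents where the data sat on a portable device."""
    return share_of_incidents(rows, lambda r: r["location"] in PORTABLE_LOCATIONS)


def business_associate_share(rows):
    """Share of incidents in which a business associate was involved."""
    return share_of_incidents(rows, lambda r: r["ba_present"])


def yearly_trend(rows):
    """(year, incidents, affected) tuples in year order, for the trend chart."""
    agg = totals_by(rows, "year")
    return [(y, agg[y]["incidents"], agg[y]["affected"]) for y in sorted(agg)]


if __name__ == "__main__":
    rows = parse_breaches(SAMPLE_CSV)
    print("records on network servers:", share_of_records(rows, "location", "Network Server"), "%")
    print("records held by health plans:", share_of_records(rows, "entity_type", "Health Plan"), "%")
    print("incidents on portable devices:", portable_device_share(rows), "%")
    print("incidents with a business associate:", business_associate_share(rows), "%")
    for year, incidents, affected in yearly_trend(rows):
        print(year, incidents, "incidents", affected, "individuals")
```

Two things the script makes explicit that the spoken figures blur together: a share "of breaches" (incident count, as in the 31% stolen-device figure) and a share "of records" (affected individuals, as in the 79% hacked-server figure) are different denominators, and a handful of very large health-plan incidents dominate the record-based share while barely moving the incident-based one, which is exactly the skew the talk mentions.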
