Clinical Artificial Intelligence-based Diagnostics

In addressing data breaches – What do they look like and how can they be prevented?

26 April 2024
Technical details

Data breaches are increasing in number, and they are a risk not only to the system itself but also to the individuals whose data are part of the data layer. Data breaches therefore pose not only an economic threat but also a major challenge to public confidence in the handling of health data. Five major surveys/reports published during 2021-2023 report on data breaches [1-5]. Five focus points to remember from these are:

  1. Credentials – the major weakness

The first level of security is our credentials. This is a weakness in all datasets. Not surprisingly, stolen credentials represent the most common mode of data breach [1,2]. A special mode of action is phishing, through which the data user is tricked into either involuntarily downloading malware or giving up their credentials. Stolen credentials also cause the longest recovery times [2]. The healthcare sector is especially vulnerable, with mistakes by internal actors as a main culprit facilitating the attacks [1]. Thus, it is of utmost importance to keep your staff updated on phishing techniques and credential vulnerability. Pseudonymization or encryption of data protects the data and also comes with less risk of attack [2].

  2. The most common perpetrator – organized crime with rogue nations on the rise

Major actors are: organized crime (seeking profit); company insiders, who may be malicious (with intent; a company traitor who is blackmailed or acts for money) or non-malicious (by accident); nation/nation-affiliated actors (on a nation's mission or blessed and supported by a nation); and hacktivists (mainly driven by ego, by the performance, or by increasing their competence/capabilities) [1,2,5]. Nation/nation-affiliated actors are expected to rise with the increasing level of international conflict. Increased awareness and filters towards the most hostile nations create some protection, but attacks are mainly routed through VPN servers as well. Once a server has been intruded, the major action variety, in about 80% of the incidents, is the application of ransomware, and the major route of deployment is through e-mails [1].

  3. Action vectors

While backdoor entries are one of the most commonly discussed vectors, in 2023 they comprised only a few percent of all incidents [1]; stolen or compromised credentials represent the major vector of access. Vulnerabilities are to the largest degree (>75%) exploited through web applications, desktop sharing software and e-mails. The major action following server intrusions (80%) is the deployment of ransomware, which, interestingly, is more common than attacks by organized crime. Specifically for ransomware, the vectors are e-mail and desktop sharing software, followed by web applications, in falling order of frequency. This suggests that ransomware might be part of nation or nation-affiliated activities as well [1]. Key to protection is an active firewall updating policy, together with awareness of inside actors. Further, users downloading software is a major risk.

  4. Costs of data breaches

While reports in general suggest a stable cost of breach, some report a varying picture in different regions of the world, and one even suggests an increase [1-5]. By sector, healthcare suffered the highest cost of a data breach in 2023, with an estimated 10.93 million USD [2]. Once again, when not only frequency but also cost is considered, stolen/compromised credentials and phishing stand out as not only the most frequent but also the most expensive. Interestingly, cloud misconfiguration has a much lesser role [2]. Time to contain an attack was the longest with compromised credentials or a company insider, which therefore drives up the costs of these attack vectors relative to others [2]. Clouds are not a risk per se, but the way security is built around them is. Thus, there is no reason per se to disallow them. Recovery after cloud-mediated attacks is more expensive than after server-mediated attacks, but allowing VPN connections from remote users to a server [2] makes attacks on the server almost as expensive.

Individuals and how they handle security, such as downloading software or opening e-mails, are a major driver of the cost of attacks and of recovery time. Clouds are not a major risk mediator if properly secured.

  5. How do you detect an attack and what to do when it happens

A key protection is to segment your IT network to facilitate damage control in case of an attack. The most common mode of detection is through a benign third party, and only second to that is detection by your own security team [2]. Paying ransom is on average more expensive than recovery [2]. Besides, by paying ransom you not only support the criminal activity but will also be identified as a “victim willing to pay”, which the majority is not.

Benign third-party collaborators are part of your safety and attack monitoring system. A continuing safety discussion with your collaborators is mandated. There are many reasons not to pay ransom or to give in to any demands of the data breacher.


Text by Stefan Volk Jovinge, MD, PhD, Skåne University Hospital



  1. Verizon: Data Breach Investigations Report 2023
  2. IBM: Cost of a Data Breach Report 2023
  3. Cyber security breaches survey 2023
  4. Ernst & Young: Cybersecurity: How do you rise above the waves of a perfect storm? 2021
  5. ENISA: AI Cybersecurity Challenges 2020