At a glance.
- The price of a healthcare breach.
- Your digital exhaust could be due for an emissions inspection.
- Library breach makes readers’ data an open book.
- BlackByte ransomware gets an upgrade.
- Comment on the Novant Health data incident.
The price of a healthcare breach.
IBM Security and the Ponemon Institute have released their annual Cost of a Data Breach report, and their findings show the healthcare sector maintained its leading position – twelve years running – as the sector suffering the costliest breaches. The sector set a new record, averaging $10.10 million in breach costs, nearly $1 million higher than in last year’s report and more than double the global average cost of breaches across all sectors. Security Intelligence examines why healthcare breaches are so much pricier than those in other sectors, noting that the number of breaches in healthcare has grown from double digits in 2009 to more than 700 in 2021 alone. The increase is partly due to more than 90% of medical institutions moving from paper records to electronic health records; many organizations store these records in the cloud, yet only 23% of those surveyed consider themselves mature when it comes to cloud security. Interoperability has also led to an increase in third-party data exposure incidents. Making matters worse, breaches in the healthcare sector took the longest to detect (an average of 232 days), and disruptions caused by attacks are more expensive than in any other sector, costing up to $7,900 per minute. This high price tag is due in part to the sensitive nature of the data collected by health institutions – averaging a unit cost of $172 to $185 per record compared with the global average of $164 – and in turn these records fetch the highest prices when sold by cybercriminals on the dark web. And this is all before considering the penalties incurred by breached institutions found in violation of the Health Insurance Portability and Accountability Act (HIPAA), which can amount to $2M per violation in fines alone.
Your digital exhaust could be due for an emissions inspection.
Digital exhaust – the data we all leave behind whenever we use the internet – creates a breadcrumb trail of information that, when compiled, paints a vivid picture of who we are: our location, likes and dislikes, work experience, and even relationship history. As the use of smart devices like thermostats, vacuums, and health gadgets increases, every move we make and every breath we take is quite literally recorded in the cloud. In Part I of their investigation of digital exhaust, Constella Intelligence explores just how our digital footprint is created, both intentionally through the voluntary sharing of information on social media and other platforms, and unintentionally through accidental data leakages, the ever-growing data brokerage industry, and malicious data breaches. Part II offers advice on how to lessen your digital footprint. Recommendations include signing up for a credit and identity monitoring service, creating an inventory of the online vendors you use and opting out of data collection wherever possible, using temporary email addresses or Apple’s “Hide My Email” option, and enabling multi-factor authentication wherever it’s available.
Library breach makes readers’ data an open book.
The Cascadia Daily reports that the Whatcom County Library System (WCLS) is investigating a breach that exposed the personal data of library users. System administrators first detected malware on the libraries’ computers in late June, and in July discovered that the names, birthdates, library card numbers, and PINs of over seven hundred library cardholders had been compromised. However, initial reports from WCLS erroneously stated that all user data were “secure” and that the security breach was “confined to internal communication systems.” When asked for an explanation for the misinformation, Executive Director Christine Perkins stated, “Our primary interest is in protecting the information in our care, and we're cautious about speculating about what happened or sharing information about how we're enhancing our security protocols.” Though Perkins also declined to disclose the exact number of impacted users, the affected individuals have been notified directly and all users’ PINs have been automatically updated.
BlackByte ransomware gets an upgrade.
BlackByte ransomware has reappeared, BleepingComputer reports, and represents an enhanced, double-extortion threat to personal data. The gang has launched a new data dump site with a focus on individual victims. Ilia Kolochenko, ImmuniWeb's founder, sent over some comments on the implications of developments like BlackByte 2.0:
“Ransomware extortion campaigns are becoming increasingly creative and damaging; I won’t be surprised if later this year cybercriminals start offering credit services to victims, so the latter can pay ransom in several tranches, somewhat usurping the role of banks in cyberspace. Although many law enforcement agencies publicly call for not paying the ransom, under a narrow set of circumstances it can be the least costly way to minimize the damage of a data breach – subject to rigorous analysis and considerations.
“First, an external law firm should carefully assess the legality of payment, for instance, not to violate US sanctions when paying in cryptocurrencies – as expressly warned by the OFAC. Second, victims should always bear in mind that payment cannot and does not guarantee that the data will be securely deleted: copies or backups may already have been shared with third parties unbeknownst to the victim. Third, aftershock attacks are a relatively new phenomenon to consider: once a wealthy victim pays a ransom, other smaller threat actors immediately try to break in – whilst the vulnerabilities are not yet patched – motivated by the victim’s willingness to pay. In sum, payment of a ransom is a slippery slope that requires meticulous scrutiny by both legal and technical professionals.”
Comment on the Novant Health data incident.
We've discussed the data incident at Novant before (the Winston-Salem Journal has an account, should you want to review the story). Since then we've received some comment on healthcare providers sharing data with social media platforms. Amit Shaked, CEO of Laminar, commented, “Organizations must take a data-centric approach to security. IT teams must prioritize visibility into cloud data in order to prevent third parties from gaining access to sensitive data, and cloud data security solutions must continuously protect this data, even as it is copied or moved by developers and data scientists. In this case, continuously monitoring who or what has access to or is accessing data would have almost instantly uncovered that Meta had full access to sensitive data it was not supposed to have. Having full visibility of your data and knowing when a third party has access to sensitive data can help prevent data breaches such as these.”