The CyberPHIx Roundup: Industry News & Trends, 8/4/21

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry leading practices, specifically for the healthcare industry.

In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:

  • Analysis of IBM’s new 2021 Data Breach Report including:
    -  Impacts to healthcare organizations
    -  Healthcare’s breach costs and benchmarks against other industries
    -  HIPAA compliance implications for breach costs
    -  Cloud security breach trends
    -  Top sources of breaches and highest risk security domains
    -  Ways to reduce breach costs with targeted investments
  • Nine critical vulnerabilities identified for the “Pwned Piper” medical device vulnerability issue and related recommendations
  • Details of President Biden’s proposed $9.8b cybersecurity budget
  • President Biden’s commentary on the likelihood of cyberwars leading to physical wars
  • The new cybersecurity memorandum released by the White House this week
  • Trends and predictions for new federal and state cybersecurity regulations targeting healthcare


Brian Selfridge: [00:00:03] Good day and welcome to the CyberPHIx healthcare security roundup, your quick source for keeping up with the latest cybersecurity news trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our Resource Center on, which includes our CyberPHIx interviews with leading health care, security, privacy and compliance leaders, along with blogs, webinars, articles and lots of other educational material. We have some big updates to cover today, including the new IBM Ponemon breach report, my favorite of the year. So let's dive into it, shall we?

Brian Selfridge: [00:00:41] IBM and the Ponemon Institute released their 2021 cost of a data breach report. Being the health care cybersecurity nerd that I am, this is always one of my favorite reports of the year. And I'm excited to share some of the key findings with you today and my perspective on the implications for health care entities in particular. Of course, let's start with some of the details. So $9.23 million dollars is now the average cost of a breach for health care organizations. Yikes. That represents a 30 percent increase from 2020. And the next closest industry behind us is financial services coming in at $5.7 Million dollars. That's about three point five million more for health care than financial services. And then other sectors all fall underneath that. So that is a pretty significant gap.

Brian Selfridge: [00:01:25] Healthcare also wins the prestigious award, or perhaps not so prestigious award, of 11 consecutive years of having the highest breach costs across all industry verticals. Not good news for us, right? Organizations with a high level of system complexity, as they call it, had an average cost that is two point one five million dollars higher than other organizations, according to the report. Hmm, system complexity... which industry does that sound like? That sounds like healthcare. Maybe that two point one million is leading into part of the reason why we're three and a half more than every other industry. So complexity equals cost. No, not a huge surprise there.

Brian Selfridge: [00:02:03] Other findings: organizations that had more than one million compromised records, so what they're calling the mega breaches, had an average breach cost of four hundred and one million dollars. So this isn't going to be your everyday breach. These are your big headline grabbers. But, you know, before you scoff at me and think that this must be just the big blue chip companies and the behemoth organizations that would be impacted by a mega breach, I would ask you to question the fact that the average health care organization has multi-millions of patient records stored in multiple systems, multiple databases, many locations, not just cumulatively, but individually. So we're really good at amassing data for our analytics purposes and our health care delivery and all those different things. So a breach of any one of those systems kind of quickly puts us into that mega breach category of a million or more records. So don't ignore that number too quickly.

Brian Selfridge: [00:02:55] So the Ponemon report, IBM report, also notes that organizations with high levels of compliance gaps were likely to incur an additional two point three million dollars in costs per breach. So this also doesn't surprise us much, right? If you can't get the basics of HIPAA compliance in place, which is really kind of that floor of your information security and compliance program, you really have very little chance of coming out well in an actual large scale breach, a data loss event or a ransomware attack, in my view. And it seems that the data bears that out quite a bit in terms of how much it will cost you if you aren't even getting the fundamentals of compliance down. So speaking of ransomware, I mentioned that is one of the potential attack vectors. The average cost of a ransomware breach was four point six two million dollars, not including whatever ransoms were paid to the ransomware actors, which is typically in the multimillion dollar events. Now, I imagine they didn't get great data on self reporting of the ransomware payments. That's always been kind of difficult to get a handle on, since many organizations are traditionally very tight lipped about that particular part. So you've got four point six two million just in kind of organizational cost, then whatever you pay the ransom on top of that. So that number is getting up there pretty quickly.

Brian Selfridge: [00:04:05] The report notes a 10 percent increase in the average total cost of a breach year over year from twenty twenty to twenty twenty one. That's pretty significant. Your costs were significantly lower for organizations with mature security programs and obviously much higher for organizations lacking security maturity, particularly in areas they called out, including what they call AI automation and cloud security. And we'll come back to those a little bit later in this update as being areas that can influence the total percentage of cost on a breach by breach basis, the highest cost factor from breaches. So what led into that big number, that nine point whatever million number that I cited earlier? I should probably know it is nine point two three. What leads into that? Well, this was broken down into a couple of different categories: customer turnover, lost revenue from downtime, diminished reputation being noted in particular. And the report averages one point five million dollars average cost per breach due to those factors alone, although the health care number is much higher since our overall breach cost average is much higher than other sectors. So as you might imagine, every hour and every day where health care services are interrupted from a breach or a ransomware event or other sort of attack or loss of capability, we're losing revenue by visits, procedures if you're in the provider space, and it can have just a direct impact.

Brian Selfridge: [00:05:27] So I think that's where those numbers add up really quickly in the health care sector in particular. The other two big sort of cost factors leading into that overall sort of roll up number were around detection and escalation costs, so finding the incident, what happened, escalating, getting forensics firms involved, those types of things, and then post breach response, which is kind of dealing with the fallout and getting everything ticked and tied. So interesting how that sort of breaks down. Now, the sources of breaches were predominantly derived from compromised account credentials, access credentials, so 20 percent of all the breaches were sourced or root caused from authentication and compromised credentials. And this is not surprising at all. As I'm saying, a lot of things are not surprising, but the numbers are still interesting. This in particular, this category, was the top source in twenty twenty as well in terms of loss to compromised credentials.

Brian Selfridge: [00:06:30] And also really interesting to note here is we delivered a webinar last week with our sister company, CORL Technologies, where we looked at the aggregate vendor risk data. We've done assessments on over eighty thousand health care vendors and we're looking at what trends were vendors most likely to cause high risks and their sort of security profile. And the number one issue and lacking control, for vendors anyway, was around access control and authentication. So we can see a direct correlation between the data that we have and the information we collect before a breach, namely assessment data around access control, compromised credentials, and then the root cause data from the actual breaches that we see in the IBM report here. So I find that to be really useful intel, I think, you know, as you assess your own programs and not just on the vendor front, but putting extra scrutiny and investment into identifying and remediating access and authentication controls as a priority over other items, I think, either in your risk register or in your risk governance processes, really focusing on those domains would be worthwhile investments to focus on, because you get two sets of really big data, from the breach data as well as sort of some of the information I'm giving you, that are telling you the same thing. Also, as an aside, we plan to get our research report on the vendor data I mentioned out later this year. So I'll keep you up to speed on that. And I think we're getting to the point where we can start actually predicting some of these breach outcomes in advance by digging into the assessment data. So stay tuned. That will be a lot of fun to see if we can get smarter upfront and avoid some of these breaches in the process.

Brian Selfridge: [00:08:05] Now, the report also went into breach costs associated with cloud deployments. And I'll touch on that really briefly as well, because I think that's pretty interesting and top of mind for many organizations. So here's a few stats. Four point eight million dollars was the average cost of a breach for public cloud implementations. Four point five million was the average breach cost for private cloud implementations and three point six million was the average cost for hybrid cloud environments. So no matter what flavor of cloud implementation you have, and many of you likely have several variants, I would imagine it's still likely to cost you very material and significant dollars for breaches of your cloud environments. And that doesn't necessarily just get pushed to your cloud provider. That's sort of on the tenant as well. So we're doing here at Meditology a ton of work in securing cloud ecosystems. I know this is, again, top of mind for many folks. So feel free to reach out to us if you want to talk to any of our cloud security gurus for support there. And the last thing the report notes for cloud is that it's a two hundred fifty two day average time to identify and contain a breach at organizations in a mature stage of cloud modernization, as they call it.

Brian Selfridge: [00:09:14] So even if you've got sort of very robust, strong cloud deployment, you're still getting upwards of 250 days, better part of a year just to detect and contain the breach. And you've got different parties to deal with the cloud provider. You got your own organization. You have to figure out where stuff is, who does what. It gets tricky really fast. The report notes that organizations took fifty eight days longer to identify and contain breaches for organizations that had more than 50 percent of their workforce remote. So there's a big focus around the impact of COVID and remote workforce and all that.

Brian Selfridge: [00:09:46] So in a nutshell, it's taking us fifty eight days longer than the average to deal with responding to attacks in those remote sort of environments. And, you know, we're already almost taking two hundred and eighty seven days, not almost, we're taking two hundred and eighty seven days on average to identify and contain breaches according to the report. Anyway, so this tacks on another fifty eight days. So we might as well take a full year, I guess, at this point. Now, basically, in sort of layman's terms, this means that if we had a breach on January one, for example, we wouldn't find out about it until just around the holiday time, somewhere in late November, which as a former CISO, is exactly when security incidents seem to always surface, right before the holidays or Friday afternoons, around 4:00 p.m. or so.

Brian Selfridge: [00:10:47] But all joking aside, I think we're not trending in the right direction here on our detection and response times when these attacks and breaches are becoming increasingly imminent. So that's a bad cocktail for the go forward view here this year. And twenty twenty two, I think next year is going to be all about maturing incident response controls. It's going to be a lot about vulnerability management and patching, just dealing with trying to prevent these ransomware attacks and other vectors for the remote workforce. And then, of course, supply chain risk, which we talk about quite a bit here, is going to be the major theme. So if you do nothing else in the near term, get a jump on these domains in particular.

Brian Selfridge: [00:11:25] Now, a couple more points about the report. I'm spending a lot of time on it, but again, it's one of the best ones of the year. So I got some great insights. So I'll sort of wrap up with a couple more thoughts. The report data indicates that the sooner we detect an attack, the less costly it will be. Specifically, you can save about one point two million dollars by detecting an attack in under two hundred days. So there's some good budget justification there for any detection tools and monitoring. But I guess don't try to spend more than one point two million dollars on those tools or else you won't be able to keep your return on investment in check. In a similar sense, organizations that employed strong incident response capabilities saved an average of two point six, I'm sorry, two point four six million dollars there on having incident response capabilities in place, so that return on investment is even stronger in that case. And organizations that deployed AI and automation saved three point eight million dollars per incident, and breach costs were double for organizations that did not deploy AI and automation. So if you're trying to figure out where to put your budget and where you get the most bang for your buck, those three areas in terms of detection, response and AI and automation are all going to get you some return on your investment. From the looks of it, based on this data, at least. Now, the last point I'll make is that smaller organizations also incurred lower breach costs on average, as you may expect.

Brian Selfridge: [00:12:47] And so while that may seem like good news for small companies, their average was two point nine eight million dollars per breach. I can promise you that an unexpected three million dollar hit to a small business is often enough to even put them out of business altogether. So it's a smaller number compared to big organizations, but it's often one that may not be sustainable. So lots in this report that's worthwhile. And I do recommend you check it out on IBM's website and dig into the details, some really cool graphs and things that don't come across well on a podcast. So you'll have to take a look at them yourselves.

Brian Selfridge: [00:13:22] OK, moving on from the IBM and Ponemon report, there was an important medical device security alert this week for nine critical vulnerabilities for the Swisslog Healthcare Translogic Pneumatic Tube System. Well, I couldn't really understand anything of what I just said there except the words healthcare and tube. Apparently, these bad boys are used in over 80 percent of US hospitals. So we should pay attention to these vulnerabilities. The vulnerabilities have a catchy marketing title called 'Pwned Piper', and were discovered by researchers from the Armis med device security platform.

Brian Selfridge: [00:14:05] If you're familiar with those folks, the vulnerabilities can introduce ransomware and other attacks on health care, according to the alert, which is a common situation for most medical device security vulnerabilities and lapses. So, by way of recommendations, of course, go and find these health care pneumatic tube logic things and then patch them up. It's also a good reminder to invest in better inventory and tracking of devices, because I would imagine for many of you listening to this, if you're anything like the folks that I've dealt with over the years, chances are your medical device inventory is a hot mess, and it becomes really difficult to identify and patch these issues if you don't know where your devices are or how many you have or where they're deployed or what floor they're on or what kind of tube they are. I'll spare you a lot of other medical device security program recommendations, although I have no shortage of them. But I'm glad to put you in touch with our dedicated team that does medical device security stuff if you have any questions or want to figure out how to deal with these patches or your program overall.

Brian Selfridge: [00:15:08] In other news, President Biden released details on his six point two trillion dollar fiscal year budget for 2022. The proposed budget includes nine point eight billion dollars for cybersecurity initiatives, a major, major improvement, an increase in investment from really any historical time period previously. The budget also has civilian departments requesting another one point two billion dollars more than last year in this area. So we're seeing a lot more investment, thankfully, and commensurate with the attacks. So that's good that we're reacting to those. What's interesting also is the overall budget includes 750 million dollars earmarked specifically to respond to the SolarWinds attack. So that's kind of interesting, that much sort of allocated to a specific incident against a specific organization and supply chain attack.

Brian Selfridge: [00:16:00] President Biden also made comments this last week that cyber threats, including ransomware attacks, are, quote, increasingly are able to cause damage and disruption in the real world. He continued. If we end up in a war, a real shooting war with a major power, it's going to be as a consequence of a cyber breach, end quote. So this stuff is getting real, folks. So, you know, keep your heads down and doing the good work that you all do to protect our critical systems and avoid any such catastrophic outcomes like large scale global wars. Losing money is one thing as we talk about an IBM cost of a breach report. But losing lives is a whole different kettle of fish altogether, as they say. And you wouldn't want that kettle of fish. Sounds messy to me.

Brian Selfridge: [00:16:44] In other federal cyber news and action, President Biden also released a cybersecurity memorandum as a follow up to his prior executive orders released earlier this year on cybersecurity. The new memorandum is called Improving Cybersecurity for Critical Infrastructure Control Systems, and it notes itself as a voluntary collaboration between the federal government and critical infrastructure community to significantly improve the cybersecurity of these critical systems. So that's a mouthful. But you get the gist. The directive includes the development of voluntary measures, voluntary, not mandatory yet, we'll come back to that, to comply with, including multifactor authentication, encryption and some other pretty, I think, standard high critical impact controls. The directive instructs CISA to develop preliminary cyber goals for organizations and to be able to share those with both the private and public sector. So all good stuff there, I think, all trending in a consistent direction. As I've noted in previous discussions, I believe new cyber regulations are imminent and coming at both the federal and state levels and are going to target health care and other critical infrastructure sectors. It's been almost 13 years since we had a major regulatory update in the health care sector and really almost twenty five years since we've had a major regulation overhaul or introduction in health care, when HIPAA was initially released in 1996, so subsequent updates like the HITECH Act are really just kind of amendments to HIPAA all along. So we're due, and the recent spate of breaches and supply chain attacks and ransomware, I think, is just going to expedite and be the straw that breaks the camel's back there in terms of introducing new legislation and all these executive orders as well.

Brian Selfridge: [00:18:24] So, you know, we saw a bipartisan data breach notification bill drafted in July this year, just last month, a couple of weeks ago from the recording of this, and the US House Committee on Homeland Security advanced five new bills in June to improve cyber defenses. So the regulation train is coming soon. Keep your eye on these new directives like these presidential directives, the draft bills and the cyber goals that are being put out for the public and private sector. I think there's a high degree of likelihood that those will end up in law at some point. And a lot of the politicians are already kind of clamoring to escalate these into law. So best to keep your eye on the ball there and get ready for the regulations to come, whether they be good, bad, indifferent. Let's hope they're drafted.

Brian Selfridge: [00:19:11] Well, that's all for this episode of the CyberPHIx Healthcare Security Roundup. We hope it's been informative for you. We'd love to hear from you. If you want to talk about any of this, just reach out to us at [email protected]. So long, and thank you for everything you do to keep our health care systems and organizations safe. And we'll see you next time.