The CyberPHIx Roundup: Industry News & Trends, 8/7/20

PODCAST TRANSCRIPT

[00:00:07] Good day and welcome to the CyberPHIx health care security roundup, a quick source for keeping up with the latest cybersecurity news trends and industry leading practices specifically for health care. I'm your host, Brian Selfridge. In addition to this roundup, be sure to check out our CyberPHIx interviews with leading health care security, privacy and compliance leaders at meditologyservices.com or on your favorite podcast hosting platform. Just search for CyberPHIx. Now let's dive into this week's episode as we have a lot of ground to cover. The 2020 IBM Cost of a Data Breach Report was issued this past week. Now it's still the same as the Ponemon Institute Cost of data breach report, which has been running for 15 years and is one of the best sources of information not only for the health care sector, but I think for for many sectors trying to figure out what's happening in cybersecurity. IBM took it over the last five years as a sponsor. So just if there's any confusion there, it's the Ponemon report, but it's really the IBM report and vice versa. Now, in terms of the results, health care, unfortunately, is once again the top cost sector for breaches for the past 10 years running 2020 included. We peaked, health care that is, peaked at ten million dollars per incident as an average breach cost in 2018 and has leveled back down to seven point one three million average breach costs in 2020 this year. But we're still the highest category by far with energy in the financial sectors right behind us. 

[00:01:35] The time to detect and contain a breach is 245 days on average for the industry. However, in health care we're at 329 to be able to detect and contain a breach that's almost a year. It takes us to handle a breach incident so you can imagine the level of disruption that that causes for the average health care entity. I remember the FBI giving us an update, the industry an update several years ago about this. And it was it was in that 250 range. And I was sort of my eyebrows were raised at the time. And unfortunately, it's gotten worse for up to three hundred twenty nine days. So where does this cost come from that seven point one three million dollars per breach? There's really top three categories that that add up to the most of that cost in the fourth category. That adds up to a little bit of it. The first and most prominent categories is lost business. So this is business disruption, downtime, both clinical and business downtime, lost customers lost patients, reputational damage. That is number one, by far the second most costly area. Adding up into that seven point one three number is post event response and remediation. So that's help desk calls, credit monitoring, identity protection services, legal costs, regulatory fines, all the "after" stuff, as well as the cost to to remediate issues that have been identified. 

[00:02:47] Detection and escalation are the third category. So this is your forensics assessments, your crisis management, your communication, internal and external, of what happened, how did it happen? How do we get to the bottom of it and go about fixing things? And then the fourth category, while still inclusive in that cost, but not really driving the bulk of it is notification. That's emails and letters and calls going out for breach notification, regulatory response and analysis and execution, engagement of outside experts, those types of things. What's interesting is the COVID situation. They did some analysis around this and estimated that the average breach cost would increase one hundred and thirty seven thousand dollars more just due to the remote work nature and increased time to detect and contain incidents during COVID. So we'll talk more about some recommendations about that situation later. Fascinating that misconfigured clouds were the leading cause of breaches this year. So that is a big change. The misconfigured were almost tied with the number two area of lost and stolen devices, which for those that have been following this over the years, lost and stolen devices have been king in breaches and breached data for for the last decade plus. And that's been around lost laptops and USB and encryption issues. I mean, they are still a big player and that's still a big factor. But fascinating to see the cloud environment misconfiguration is now leading cause, leaping up into the number one cause and that tide is turning. 

[00:04:15] Malicious attacks were the dominant source of those breaches versus human error, which is also a bit of a shift. For the malicious actor attacks, the top areas of compromise were compromised credentials. So login credentials, cloud configurations, vulnerabilities in third party software are the top three. And then, surprisingly to me, social engineering was the lowest category at only three percent of attack sources, which is, you know, we spent a lot of time on social engineering, but now it looks like the bad guys are really spending their time on cloud attacks for the most part and third party software. So we'll come back to some recommendations there in a minute, too. Stolen or compromised credentials led to the most expensive breaches. So if you had user credentials compromised one way or another, that was going to be the most costly flavor of breach. Incident response preparedness was the highest cost saver, so organizations that had incident response plans are doing tabletop exercises or saving an average of two million dollars per incident to that seven point one three average. That is a monster savings. And for the relative cost that it takes to to get your incident response plan in place, that's pretty awesome. So we'll come back to that one, too. But the other most effective interventions beyond incident response were business continuity, disaster recovery planning, red team and penetration testing exercises, employee training and what they called "extensive encryption", which is, you know, basically encrypting your laptops, hard drives, workstations and the like. 

[00:05:45] And then there's another category of security. Analytics was another area that they said helped to reduce the overall breach cost substantially. The other category that they studied, although it's a bit nebulous to me, is organizations with security automation, which they defined as mature programs with artificial intelligence somehow baked into their technology stack from a security perspective. For organizations that had that security automation in place, they had substantial reductions in breach costs. They said organizations in that posture have two point five dollars million average breach versus six million dollars for those that did not have the technology in place. Healthcare was one of the middle tier sectors with the deployment of security automation. The top ones that are doing this are financial services, technology and communications firms, which you might expect, those are typically the the entities that will spend more on security, tech and security budgets in general. The mega-breach costs, which are the big, big, big breach costs. Those that data was kept out of the report, at least in terms of the main data, because as outliers as that was skewing either very, very large breaches are very, very small breaches were skewing the data. So they sort of carved those out. But they did a separate analysis mega-breaches and showed that those costs are skyrocketing. So if you do have a mega breach that means the mega-breach is getting worse. 

[00:07:07] Not surprising there. Now, 53 percent of the attacks were by financially motivated attackers. This is nation states being the sort of most costly. So if you get attacked by a nation state, that's going to be the most expensive. And, you know, if you have been listening to these podcasts, I don't I don't blame me if you don't, but we've been talking a lot about the attacks on COVID research that's been going on. And I'll give you another update on that throughout the roundup here today. But those nation state actors are very much involved in those and targeting healthcare. The rest of the financially motivated attackers were hacktivists or system glitches and misconfigurations leading to the breaches or other unknown sources was a pretty big category, like 20 percent. Ransomware costs as a subset of the attacks, if you if you received a ransomware event, the average breach cost is four point four million. So ransomware, pretty expensive, not expensive as the average, but obviously extremely disruptive to the organization. Cyber liability was studied a bit here, which I found really useful. They said cyber liability for breaches covered things like consulting and legal services, restitution to victims, regulatory fines, support recovery technology of getting things back online and ransomware payment support and those types of things. Now, the report didn't go into the detail, or at least I couldn't find it, if you find it let me know, about how much of the overall breach cost was covered by cyber liability policies and insurance. 

[00:08:33] I really wanted to know that answer, but they didn't really get into it. Maybe the data wasn't sufficient. I don't know. I also found it interesting that "who is to blame for breaches" was it was an interesting part of the study. And by far, CISOs were left holding the bag on breach, responsibility and accountability. So the study found that most organizations found the CISO and followed shortly by the directors and VPs of security to be the most culpable and responsible for security breaches. And then the categories of culpability went: it went security leadership, then followed by some IT leadership. Then the next category was, well, "no one's to blame and this stuff happens", you know. And then underneath that was the CIO, the CEO and the Board. So so nobody is holding the leadership, organizational leadership accountable. So CISO and security folks, you are on the hook from a perception standpoint. That's a tough one for those that have been like myself, have been security officers, that's it's a tough pill to swallow. But, hey, you know, for the good and the bad, we're front and center these days. All right. So let me talk about some recommendations, as is more of my analysis coming out of the report to see what do we do, what can we learn? What are some of the big takeaways? For me, cloud security investments are essential in 2020. 

[00:09:52] I mean, this data just hits that over the head. We've been talking about that anyway, and we've been seeing that trend and that requirement and you know all that for for a while. And you'll see that in our updates we've been putting out. But this data is pretty hard to contend with on that front. Also, third party risk management is right up there, front and center, because your cloud hosting platforms are inclusive of that. Those are third party platforms that need configuration, security controls, monitoring all that stuff in addition to everywhere else that your third party data is going. Cloud is is a big part of that. So getting getting your cloud in your third party risk management programs ramped up and prioritized is really critical. Also, the pen testing of cloud environments is also a must, in my view. There's there's no better way to find out if you're actually exposed than just find the obvious stuff that's out there and close it up before the bad guys do. I mentioned third party risk management. That's going to continue to be king as we go forward. And you know, this issue of third party software vulnerabilities topping the list of malicious attack vectors in addition to cloud stuff is just a reinforcement for that. Now, those figures on incident response savings can't be ignored. Two million dollars saved per breach of seven dollars million. Total breach cost is a pretty compelling reason to spend some more time and budget on incident response planning, tabletop exercises. 

[00:11:10] These are some of the lowest cost interventions in your toolkit that you can do and have some of the highest dividends and return on investment for protections. And also remember that, you know, with COVID being in the mix now, if you haven't done a tabletop or updated your instant response plans to reflect both the remote workforce as well as the remote leadership team into the equation, then you're you're potentially at risk for those increased costs, for the reduced time, detection and response during COVID, which I think is going to be the normal for quite a while from the looks of it. So make sure you get a tabletop done in what I call sort of "post COVID" times, I there's no "post COVID, it's "post introduction of COVID". We're still in the middle of it and learn how to respond in those settings. And I think if you do nothing else, the data is showing that's some of the biggest bang for the buck you can get on protection mechanisms. And pen testing, saves an average of two hundred and forty three thousand dollars per breach, according to the data. And that's right up there with instant response savings on the aggregate. So another relatively low cost intervention of getting an internal external pen test done. Figure out where your stuff is. Get those configurations in place, whether they're going to be exploited by malicious outsiders or misconfigurations or whatever. Pen testing is going to find that stuff, find it quick and find it relatively cheaply. 

[00:12:28] So why wouldn't you? And then credentials, protections will be paramount going into the rest of the year. So this is your multifactor protections, your privileged access management, fishing protections and training, strong password and authentication management. All that good stuff needs to be front and center. That's the bad guys are getting the credentials, when they do, it's super costly and it's a long time till we find out that they have them in many cases. All right. So that's enough on the the Ponemon IBM report. I've got two other updates for you for the roundup this week just to keep you posted on what's going down. Number one is President Trump issued an executive order this week to expand telehealth adoption specifically for Medicare or elderly patients in rural settings. So it's called the Improving Rural and Telehealth Access Executive Order. It includes payment, restructuring for telehealth and more flexibility in Medicare rules for for telehealth services. And it also includes investments in communication infrastructure to bring broadband Internet out to rural areas to support telehealth requirements. So really looking to handle that, that external environment there. The last update that I'll provide you is a stimulus bill proposal that's been put forth to improve cybersecurity and protect COVID-19 research data. So we've spoken at some length in our prior CyberPHIx Roundup episodes about the attacks on COVID research and health care entities, particularly academic medical centers. 

[00:13:58] So those trends have gotten the attention of lawmakers. Republican senators this week have introduced and proposed a cash injection of 53 million dollars for the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency. That's a mouthful. The CISA for short to be able to provide more protections for COVID research. They also introduced three hundred and seven million dollars proposed for the Department of Energy's Office of Science to support COVID-19 research in general and vaccine development. That makes a whole lot of sense. And then Democratic senators have urged the Republican group to include privacy protections for health data collected in relation to COVID-19. So without the appropriate privacy protections, they say, there's a concern that many Americans will not engage contact tracers and efforts to collect valuable information that might help COVID tracing and response without those those privacy protections in place. So none of that has been put into law yet. Those funds haven't been released, but they're percolating. And I think there's a likelihood of some or all of that making it into these these latest stimulus packages. So that's it for now, for this session, a CyberPHIx healthcare security round up, I hope this has been informative for you. We'd love to hear from you. If you'd like to talk about any of this, just reach out to us at [email protected]. So long and thank you for everything you do to keep our health care systems and organizations safe and we'll see you next time.