Verizon, the broadband and telecommunications company, has released its 2015 Data Breach Investigations Report (DBIR), which reveals the extent to which attackers have managed to break through security defenses.
Data Breach Investigations Report Shows Many Vulnerabilities Exist
This year the healthcare industry features heavily in the report, following a number of high-profile HIPAA breaches last year. The report highlights some of the security vulnerabilities that exist in healthcare and what needs to be addressed in order to bring healthcare cybersecurity defenses up to the standards demanded by the Health Insurance Portability and Accountability Act (HIPAA).
Verizon has been compiling its annual data breach report for 8 years, and this year the data sample has grown to approximately 80,000 security incidents reported by 70 contributing organizations. The sample size has increased by 26% over last year and the number of contributing organizations by 52%, making this the largest data set in the report's 8-year history.
In addition to detailing the data breaches of 2014, the report provides guidance to help organizations bring their security controls up to the required standard, including a set of best practices to adopt in order to do so.
How do Hackers Steal Healthcare Data?
The report highlights a serious weakness that is particularly prevalent in the healthcare industry, which has tended to suffer from underinvestment in IT over the years. Many healthcare providers are running aging software, and even new applications and operating systems need to be patched regularly.
Security patches need to be installed as soon as they are released. That is not happening, and the resulting gaps in defenses are exactly what attackers exploit. The Verizon report not only identifies the problem but shows that it is getting worse.
In the company's 2008 report, 71% of exploited vulnerabilities involved a patch that had been available for more than a year when the compromise occurred. In the 2015 report that figure is 99.9%: in virtually every case a fix had been available for over a year, and installing it would have prevented the breach.
The data for this section of the report was drawn from over 200 million successful exploitations of some 500 vulnerabilities, with data contributed by more than 20,000 organizations in over 150 countries.
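The finding above rests on a simple measurement: for each exploited vulnerability, how long had a patch been available before the compromise? The same metric can be turned inward as a patch-lag audit of one's own fleet. The following Python script is an added example, not code from the Verizon report or from any vendor; the host inventory, the advisory table, the "EXAMPLE-" identifiers (placeholders, not real CVE numbers) and the audit date are all constructed for illustration.

```python
"""Patch-lag audit: which known vulnerabilities on a fleet have had a fix
available for more than a year?

Added example, not from the Verizon report. Every host, advisory,
identifier and date below is constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    ident: str            # placeholder identifier, not a real CVE number
    product: str
    fixed_version: tuple  # first version that contains the patch
    patch_released: date  # day the vendor shipped the fix


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: tuple        # installed version, parsed into a comparable tuple


def parse_version(s):
    """'4.1.3' -> (4, 1, 3); tuples compare component-wise, so
    (4, 1, 3) < (4, 2, 0) without string-comparison pitfalls."""
    return tuple(int(part) for part in s.split("."))


def exposed(host, advisory):
    """A host is exposed if it runs the affected product below the fixed version."""
    return host.product == advisory.product and host.version < advisory.fixed_version


def patch_age_days(advisory, today):
    """Days the fix has been available as of `today`."""
    return (today - advisory.patch_released).days


def audit(hosts, advisories, today, stale_after_days=365):
    """Return one (host, identifier, patch_age_days, stale) tuple per exposed
    host/advisory pair. `stale` mirrors the DBIR's "fix available for more
    than a year" threshold."""
    findings = []
    for host in hosts:
        for adv in advisories:
            if exposed(host, adv):
                age = patch_age_days(adv, today)
                findings.append((host.name, adv.ident, age, age > stale_after_days))
    return findings


def stale_fraction(findings):
    """Share of exposed pairs whose patch is older than the threshold."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f[3]) / len(findings)


# Constructed advisory feed (placeholder identifiers, not real CVEs).
ADVISORIES = [
    Advisory("EXAMPLE-0001", "emr-server", (4, 2, 0), date(2013, 11, 5)),
    Advisory("EXAMPLE-0002", "emr-server", (4, 5, 1), date(2015, 3, 20)),
    Advisory("EXAMPLE-0003", "pacs-viewer", (2, 0, 0), date(2012, 6, 1)),
]

# Constructed inventory of a small clinical fleet.
HOSTS = [
    Host("ward-ws-01", "emr-server", parse_version("4.1.3")),
    Host("ward-ws-02", "emr-server", parse_version("4.5.1")),
    Host("radiology-01", "pacs-viewer", parse_version("1.9.8")),
    Host("lab-01", "lis", parse_version("7.0.0")),  # no advisories for this product
]

# Constructed audit date.
TODAY = date(2015, 4, 15)


if __name__ == "__main__":
    results = audit(HOSTS, ADVISORIES, TODAY)
    for host, ident, age, stale in results:
        flag = "STALE" if stale else "recent"
        print(f"{host:14s} {ident:13s} fix available {age:5d} days  [{flag}]")
    print(f"stale share: {stale_fraction(results):.0%}")
```

On the constructed data the audit flags two of three exposures as having had a fix available for over a year (526 and 1048 days), while the third is only 26 days old. In a real environment the advisory table would be populated from a vulnerability feed and the inventory from configuration-management or scanner output; the tuple-based version comparison avoids the classic mistake of comparing "4.10.0" and "4.9.0" as strings.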
What is the True Cost of Healthcare Data Breaches?
This year Verizon has added a data breach cost model to its report, which gives an indication of the true cost of a breach as a function of the number of records exposed. According to the report, the expected cost of a breach involving 100 records is $18,120 to $35,730, with outliers reaching $555,660, while a breach of 100 million records could cost up to $200 million. The simple average, total losses divided by total records, works out to $0.58 per record.
It is difficult to calculate the cost of a data breach accurately until many years after the breach has occurred, and the task is made almost impossible by the need to factor in potential class action lawsuits as well as fines from OCR and state attorneys general.
Bob Rudis, a security data scientist in Verizon's Enterprise Solutions division, said: "we're as disappointed as anyone to say that there are a lot of things contributing to the cost of breaches that we can't account for yet."
These variables can greatly affect the cost of a breach. Under Verizon's model, Tenet Health's $32.5 million class action settlement would not have been included. That suit was filed on behalf of 5,649 class members, which illustrates the extent to which predicted figures can fall short of actual costs.
What is clear is that data breaches result in considerable costs, many of which can be avoided by employing a number of relatively simple safeguards. These include: promptly installing patches and antivirus updates, installing and maintaining firewalls, conducting regular malware scans on workstations and servers, and logging and monitoring attempts to access PHI. If staff are also trained to be alert to phishing and malware, the number of data breaches can be greatly reduced.