2018 has come a close and cybersecurity is more relevant than ever. As we continue to move more of our work and personal lives online, our defenses are becoming even more critical parts of holding our world together.
When these defenses are inadequate, we see a range of devastating results. From big data breaches to HIPAA violations, ransomware to cryptomining attacks, both organizations and individuals feel the destructive results of poor security and lack of compliance.
We’ll never be able to get things perfect, but if we take the time to review the biggest issues that have been plaguing our online world, as well as evaluate the way trends are heading in the future, then we put ourselves in a much better position for protecting our lives, businesses and data as we move forward.
That brings us to our roundup for 2018, covering the biggest data breaches of the year, the cybersecurity world at large, as well as the key developments at security’s intersections with healthcare and email.
2018’s Biggest Data Breaches
Data breaches are here to stay, and those companies that don’t take a proactive and cautious approach to their security are the easiest targets. There were hundreds of reported breaches this year, resulting in the compromise of anywhere between just a few records to millions.
Every time that PHI is exposed, it can have serious ramifications for the individuals that the data pertains to. This is especially true for medical records, because they contain so much data that can be used for a variety of criminal acts, such as identity theft.
Email continues to be a common attack vector, because it’s ubiquitous and makes it relatively easy for attackers to leverage techniques like social engineering to load malware onto their targets’ computers, or to steal their credentials.
Some of this year’s biggest email-related data breaches affected healthcare providers like UnityPoint Health, Augusta University Health and HealthEquity.
In a phishing attack against UnityPoint Health, up to 1.4 million patient and employee records may have been compromised. The data breach affected people in Iowa, southern Wisconsin and Western Illinois.
In the attack, hackers posed as high-ranking executives. They emailed lower-level employees and pressured them into handing over login credentials for company email accounts. These details were then used to enter the systems and access a large volume of patient records.
UnityPoint Health has offered one year of credit monitoring services to anyone whose driver’s license or Social Security number was exposed during the breach.
This data breach comes on top of another one that UnityPoint Health announced earlier in the year. On April 16, it began notifying the 16,429 patients whose PHI had been exposed in attacks that ran from November 1,, 2017 until February 7 of this year. The company stated that they did not discover the attack until the following week.
Following the first breach, a class action lawsuit was launched against UnityPoint Health, claiming that the company violated the HIPAA Breach Notification Rule, because it only notified the authorities and patients after the allotted 60 day period.
The lawsuit also claims that UnityPoint misrepresented the extent of the breach by claiming that Social Security numbers were not part of the breach. The lawsuit has since been amended to cover the second breach as well.
Augusta University Health
In the second biggest email-related breach, the data from more than 417,000 patients, staff members and students were exposed. Augusta University Health was actually struck by two attacks, the first and largest occurred over September 10 and 11, 2017, while the second hit on July 11, 2018.
The breach mainly involved the data of patients who visited the Children’s Hospital of Georgia or Augusta University Medical Center, but 80 other Georgia-based outpatient clinics were also affected.
The data was stolen when hackers used phishing to trick employees into disclosing their login credentials. All up, 24 of the University’s email accounts were compromised, exposing the patient data that was contained in the bodies of emails and their attachments.
The attacks yielded an extensive range of information, from names and addresses to lab test results, treatment information and health insurance details.
Augusta University Health did not report the breach until July 31, 2018, claiming that they were waiting for the completion of an external investigation. The organization is offering one year of free credit monitoring to those whose Social Security number was compromised.
A second attack also occurred on July 11, 2018, but at this stage it appears to have affected fewer people. This attack compromised a smaller number of employee accounts than the previous year’s attack and was also investigated by third-party experts.
Around 165,800 patient records may have been exposed in an attack that took place in September and October. The actual numbers aren’t one hundred percent clear, as many reports say that only 21,000 patients were affected. This figure seems to only account for the California-based victims, and not those from the rest of the country.
In a statement to DataBreaches.net, HealthEquity indicated that up to 190,000 people may have been affected. When the figures were later released to the Department of Health and Human Services, the number was 165,800.
In the attack, two employee email accounts were compromised when attackers exploited a configuration error. This allowed them to get around the normal authentication methods. HealthEquity is offering five years of credit monitoring alongside an identity-theft insurance policy to those who were affected.
This attack comes on top of another breach that HealthEquity revealed in June. Around 23,000 records were compromised when an employee’s email account was accessed in an unauthorized manner. Those whose data was exposed have also been offered five years of free credit monitoring as well as an identity-theft insurance policy.
How Can You Protect Your Organization from Data Breaches?
You might have noticed something about these attacks. Not only were they the largest cases where email was used to attack organizations within the health industry, but each of these businesses was the victim of multiple breaches.
Sure, it’s possible for hackers to make their way into even the most well-protected organizations, but when you begin to see multiple, large-scale breaches within such a small time period, you have to question whether there are serious systematic issues at play.
For the most part, breaches in the industry come from hackers who are looking for an easy way to make money. Organizations that take their cybersecurity seriously are much more difficult to successfully attack, so hackers tend to move on to easier prey,
Comprehensive Security Policy
It all starts with a plan. If businesses want to prevent attacks, they need to take stock of their situation, their assets and their weaknesses. By evaluating their current positions, they can come up with comprehensive security policies that make the chance of successful breaches far less likely.
Not only can a solid plan help to prevent attacks, but if a company ever is breached, it can help to minimize the impact and make recovery much quicker.
Regular Training & Awareness
Two of the above attacks were initiated through phishing. Although phishing continues to evolve, it’s not a new form of attack, so businesses can prepare themselves against it. With regular training and awareness campaigns, employees can learn to identify suspicious emails and not get fooled by them.
If you want to prevent these kinds of attacks, it’s also important to promote a cautious company culture. It’s much better to encourage employees to ask the IT department if they ever come across something that looks suspicious, rather than for employees to assume it’s fine and risk letting an attacker access company resources.
How else can you prevent phishing? Stop the emails from ending up in your employees’ inboxes.
Using a spam filter such as LuxSci’s HIPAA-compliant offering helps to reduce the chance of your employees clicking on dodgy links or corresponding with attackers. That’s because effective filtering can dramatically cut down on the number of phishing emails that they are exposed to.
Cyber Attacks in 2019 & Beyond
As we wrap up the year, it’s time to take a look at some of the broader trends that are occurring in cybersecurity. By staying aware of evolving technologies and the ever-changing threat landscape, we place ourselves in a much better position to deal with the new challenges that the future brings us.
Ransomware continues to plague the healthcare industry, causing huge disruptions to any organization that it hits. Some companies choose to pay up in the hope that they receive their critical data back, but it’s not uncommon for them to never receive the key even after the bitcoin payment has been made.
If businesses want to protect themselves from ransomware, they need to have an effective backup strategy in place. If regular backups are made, your company won’t face the same devastation if its data is ever locked up in a ransomware attack. It can simply use the backup data, rather than relying on the whims of some hacker to return its critical information.
Cryptomining attacks involve hackers infecting an organization’s systems with malware. The malware can sit there quietly for months or years, mining cryptocurrency for its owners. While these attacks might not seem as insidious as others, they can put excessive strain on an organization’s systems, causing them to slow down, cut productivity and interrupt business processes.
Phishing is one of the main tools in the hacker’s handbook and it’s here to stay for the foreseeable future. To minimize the chances of it affecting your employees, make sure you implement a comprehensive security policy, regular training and effective spam filters like we covered in the previous section.
Nothing is static in the online world, so we have to stay abreast of the latest developments and changes if we want to be able to defend ourselves adequately. In the coming years, we will continue to see expansion in medical devices, wearables, telehealth, cloud technologies and AI, among other developments.
With each of these emerging technologies, we will need to come up with adequate defenses to go alongside them. While exciting trends such as AI have a lot of potential to help us with security, we also have to be aware that hackers are embracing the same developments to make their attacks more sophisticated and effective.
The world of information security is constantly shifting, so staying safe requires a strategic and vigilant approach. Unfortunately, the landscape is too complicated for businesses to manage the threats alone. The good news is that there are trusted and experienced companies like LuxSci that can help you.
With a cutting-edge approach to secure email and other technologies, we offer the knowledge and services you need to keep your organization safe. From small business support to enterprise-scale offerings, LuxSci has the robust and flexible solutions you need to stay secure in 2019 and beyond.