Verizon has published its 2021 Data Breach Investigations Report (DBIR), which shows the majority of healthcare data breaches are now caused by external threat actors rather than insiders. The healthcare industry was atypical in that most data breaches were, for many years, caused by insiders.
For the second consecutive year, data breaches caused by external threat actors have outnumbered insider breaches. In 2020, 61% of security incidents were caused by outside actors compared to 39% of breaches that were caused by insiders. Incidents involving malicious insiders did not even make the top three data breach causes.
The report was compiled from data from 29,207 reported security incidents from 88 countries, which included 5,258 confirmed data breaches. 655 incidents involved healthcare organizations, of which 472 involved a data breach.
The majority of data breaches – 86% – involved system intrusions, web application attacks, or employee errors, with the vast majority of attacks financially motivated. Considering the value of medical data on the black market, it is surprising that personal data was compromised more often (66%) than medical data (55%). Verizon believes this can be explained by the increase in attacks by external actors, who may simply have taken whatever data they could find. Defenses to prevent unauthorized access to medical data are likely to be more stringent and difficult to breach.
Data breaches involving employee errors were mostly due to the misdelivery of electronic or paper documents (36% of incidents), with publishing errors behind 20% of incidents, misconfigurations involved in 20% of incidents, followed by data loss (15%) and improper disposal incidents (10%).
Across all industry sectors, phishing was the leading cause of data breaches. Phishing was cited as the breach cause in 36% of incidents, up from 25% last year. The increase in phishing-related incidents could be due to threat actors adopting COVID-19 lures to conduct attacks on at-home workers. The researchers explained that the threat from phishing is closely linked to the use of stolen credentials; however, while a spike in the use of stolen credentials was expected due to the rise in phishing attacks, that was not the case. Incidents remained fairly flat year-over-year at just 25% of breaches.
2020 was a year in which ransomware attacks increased considerably, although only by 6% according to Verizon’s data. Ransomware was used in 10% of all data breaches, raising ransomware to third place in the threat table.
Exploitation of vulnerabilities is also a common way for threat actors to gain access to networks, and while many critical vulnerabilities were discovered in 2020, it is older vulnerabilities that were most commonly exploited. For example, the Windows Server Message Block (SMB) vulnerability that was exploited in the 2017 WannaCry ransomware attacks is still one of the most commonly exploited vulnerabilities, even though a patch to correct the vulnerability was issued by Microsoft in March 2017.