Mitigating Healthcare Data Loss & Data Exposure
Executive Summary
Healthcare has had the most expensive data breaches of any industry for the last 11 consecutive years, but many of the leading factors of that cost can be reduced by focusing on managing the cyber risk associated with human error. From ransomware to state sponsored attacks to increasingly sophisticated social engineering, organizations must be more vigilant than ever. The move to remote and hybrid work models mark the shift to perimeterless corporate IT infrastructure and increasing reliance on cloud computing and third-party SaaS applications. These changes, while generally beneficial, have introduced a myriad of cybersecurity risks and challenges.
This paper examines the current state of data breaches, with a particular focus on the healthcare industry. It breaks down the various costs of healthcare data breaches, what causes or contributes to such data breaches, and provides insights into how an organization can mitigate the risks associated with these breaches. The average total cost of a data breach for healthcare increased 29.5% from $7.13 million in 2020 to $9.23 million in 2021. The average total cost of a healthcare data breach is nearly double that of the global average. Healthcare breaches are in part more costly because of HIPAA fines, of which the average HIPAA penalty cost in 2021 was $427,296.43. The primary cause for data breaches in healthcare organizations is human error and most often takes the form of misdelivery of sensitive data. Human error is particularly troublesome as 85% of breaches include a human element and ransomware was found in 13 percent of human-related breaches. Human error is primarily mitigated through cybersecurity awareness training, but security teams have often been left wanting for more active prevention of human error.
There are existing cybersecurity solutions, as well as new entrants, that can help healthcare organizations to address the cybersecurity risks created by human error. In order to maximize value and protection from human error, healthcare organizations should evaluate cybersecurity solutions that integrate zero trust, encryption, and security automation. Zero trust establishes how to best trust and authenticate users in increasingly perimeterless corporate IT infrastructures. Encryption continues to be the best form of protection for information and ensures that when mistakes are made, data is not useful to malicious actors. Security automation reduces the amount of human intervention required for cybersecurity processes, ensuring less mistakes happen and security is consistently applied.
Download this white paper here.
The State of Data Breaches in Healthcare
The prevalence of data breaches and their average cost continue to increase at staggering rates. In 2021 massive breaches affected Saudi Aramco, customers of Accelion’s file transfer application, and customers of Kaseya’s remote monitoring and management platform. Over the past year, the average total cost of a data breach increased by nearly 10% year over year, the largest single year cost increase in the last seven years. Customer PII was not only the most common data compromised, but it was also the most costly with an average cost per record of $180, up from $150 in 2020. The severity of breaches have in part been exacerbated by the COVID-19 pandemic and a shift to remote work. The average cost of a breach was $1.07 million higher where remote work was a factor in causing the breach, compared to those where remote work was not a factor.
Among all industries, healthcare not only experiences breaches more often than most, but they also incur the highest data breach costs. The Herjavic Group notes that more than 93% of healthcare organizations experienced a data breach in the past three years. According to IBM and the Ponemon Institute, healthcare has topped all industries in cost for 11 consecutive years. The average total cost of a data breach for healthcare increased from $7.13 million in 2020 to $9.23 million in 2021. Healthcare’s average total cost is nearly double that of the global average total cost of $4.24 million. Healthcare leads in cost not only because malicious actors stand to gain more financially from health records, but also because of the fines resulting from noncompliance with HIPAA. HIPAA violations can cost from $100 to $50,000 per patient record based on the level of negligence identified by the government. HIPAA Journal reports that the average HIPAA penalty cost in 2021 was $427,296.43.
Leading Cause of Breaches in Healthcare
According to Verizon’s Data Breach Investigation Report, the leading cause for breaches in healthcare is basic human error and has been for the past several years. They found the most common error continues to be misdelivery, making up 36% of total errors. The next most common errors include publishing errors and misconfigurations, making up just over 20% of total errors each. After human error, the next leading causes for breaches in healthcare are basic web application attacks, system intrusions, and social engineering.
The combination of human error and social engineering can prove disastrous for organizations. The Society for Human Resource Management (SHRM) noted that phishing attacks that trick employees into revealing login and personal information came up as the top avenue of incursion (more than 30 percent of all incidents). Overall, they suggest that 85% of breaches included a human element and 61 percent related to stolen or misused credentials. SHRM also found that ransomware was found in 13 percent of human-related breaches. In addition to locking organizational systems, about 10 percent of the ransomware attacks cost organizations an average of $1 million, which included the cash paid out in the ransom, the price tag for remediation and lost revenue. Among attack vectors that involve some level of human error, IBM reports that business email compromise had the highest average total cost at $5.01 million. The second costliest initial attack vector was phishing ($4.65 million), followed by malicious insiders ($4.61 million), social engineering ($4.47 million), and compromised credentials ($4.37 million).
Human errors continue to be a leading cause of data breaches due to the simple misalignment between an employee’s role and security decisions. Employees are primarily paid to be productive and support growing the bottom line of a business. Security tools either hinder productivity or in the case where an employee is faced with a security decision, they may sacrifice security for the sake of productivity. In order to improve productivity or even bypass security, employees may also adopt unapproved tools leading to a Shadow IT problem. Shadow IT directly impacts an organization’s cyber risk and can lead not only to data breaches but also compliance fines. Core found Shadow IT has exploded by 59% due to COVID-19, with 54% of IT teams considering themselves ‘significantly more at risk’ of a data breach. Employee education continues to be the primary mitigation for human error in an organization and few tools exist to easily mitigate this risk.
Organization Cost Breakdown
While knowing the average total cost of a data breach is helpful to understand the severity of a breach for a given industry relative to others, it is important to understand what components of a business incur the costs of the breach. The best way to break down the costs is to apply it to four primary cost centers: detection & escalation, lost business, notification, and post breach response.
Detection & escalation includes activities that enable a company to reasonably detect a breach, such as forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards. Lost business includes activities that attempt to minimize the loss of customers, business disruption, and revenue losses, such as business disruption and revenue losses from system downtime, cost of lost customers and acquiring new customers, and reputation losses and diminished goodwill. Notification includes activities that enable the company to notify data subjects, data protection regulators and other third parties. Post breach response includes activities to help victims of a breach communicate with the company and redress activities to victims and regulators, such as help desk and inbound communications, credit monitoring and identity protection services, issuing new accounts or credit cards, legal expenditures, product discounts, and regulatory fines. IBM calculated the average distribution of costs across these four cost centers is 38% from lost business, 29% for detection & escalation, 27% for post breach response, and 6% for notification. For healthcare organizations, it is expected that post breach response would account for more of the cost distribution due to the cost of HIPAA fines. As previously stated, HIPAA violations can cost from $100 to $50,000 per patient record.
Not included in the costs and cost centers mentioned above is cyber insurance. In the event of a breach, an organization may have a hard time renewing their policy or maintaining their original premium, even if they significantly increase their retention. According to Marsh, cyber insurance pricing in the US increased an average of 96%, year-over-year, in the third quarter of 2021. The third quarter increase was a 40 percentage point rise over the prior quarter, and the largest since 2015. Marsh further added that prices rose even as more than 60% of their clients increased their retentions in an effort to minimize increases.
The recent data breach at Monongalia Health System (Mon Health) demonstrates the effect a cyber breach can have on a health organization. In July 2021, a vendor informed Mon Health of a missed payment. Upon investigating, they discovered several threat actors gained access to a contractor’s email account to send emails seeking to obtain funds via fraudulent wire transfers. The phishing attack resulted in unauthorized access to emails and attachments in several employee email accounts for three months between May 2021 and August 2021. The compromised accounts contained patient information and information pertaining to members of Mon Health’s employee health plan, including Medicare Health Insurance Claim numbers, addresses, birth dates, health insurance plan member ID numbers, medical record numbers, provider names, dates of service, claims information, and medical and clinical treatment information. While evidence suggests the purpose of the attack was to secure fraudulent wire transfers and to send further phishing emails the investigation could not rule out obtaining personal information. The potential compromise was determined in October 2021 and work is underway to determine how many of Mon Health’s 398,164 patients had their protected health information compromised.
If only one tenth of Mon Health’s patients had their information compromised, the total cost of the breach would be $7.17 million, with an average cost per record of $180. The cost for HIPAA violations would make up $3.98M on the very conservative end. Breaking down the costs into the cost centers would look something like this: $4.3 million for post breach response (60%), $2.08 million for detection & escalation (29%), $430,017 for notification (6%), and $358,348 for lost business (5%). You will notice that in this estimation we kept the average percentage for detection & escalation and notification consistent with IBM’s findings. The post breach response makes up a significantly larger percentage of the breach due to the inclusion of HIPAA fines. Lost business is displaced by the increase to post breach response, but is not unreasonable considering the nature of healthcare. Health systems tend to dominate the regions they operate in and insurance restricts where patients can go. This results in a lower likelihood of patients switching health systems or new patients avoiding that health system.
Solutions to Mitigate Data Loss
While the number of data breaches and their costs are cause for alarm among healthcare organizations, there are solutions that can mitigate both the likelihood and severity of a breach. This section focuses on technologies as opposed to operational activities like employee education and incident response planning. Current solutions that may be leveraged to reduce data breach risk include data loss prevention (DLP), cloud access security brokers (CASB), standalone encryption, file transfer tools and cloud storage.
When assessing solutions to reduce your data breach risk, there are three key features that can significantly impact your overall risk. They are zero trust, encryption, and security automation. Zero trust is a framework or architecture representing the notion of perimeterless security wherein an organization assumes they are always in a state of breach. Put another way, the goal of zero trust is to “never trust, always verify,” all devices and users accessing a corporate network, even if they have previously connected to the network or been verified. IBM reports the average cost of a data breach was higher for organizations that had not deployed or started to deploy zero trust. The average cost of a breach was $5.04 million in 2021 for those with no zero trust approach but for organizations in a mature stage of zero trust deployment, the average cost of a breach was $3.28 million, a cost difference of 42.3%. Solutions that layer in zero trust principles are much more effective at mitigating data breach risk than their counterparts without zero trust.
While we previously discussed standalone encryption tools, encryption can be built into many different systems and used in a variety of applications. IBM points out that organizations using high standard encryption (using at least AES-256 encryption, at rest and in motion), had an average total cost of a breach of $3.62 million, compared to $4.87 million at organizations using low standard or no encryption, a difference of $1.25M or 29.4%. Again, it is important to note encryption will not prevent data from being lost or stolen, but it will render the contents of that data useless to interceptors and so with robust encryption implemented, breach severity is greatly reduced.
Security automation consists of security technologies that augment or replace human intervention in the identification and containment of incidents and intrusion attempts. IBM found that organizations with no security automation experienced average breach costs of $6.71 million in 2021, but organizations with fully deployed security automation experienced average breach cost of only $2.90 million. In addition to significantly reduced average breach costs, IBM further noted that for organizations with fully deployed security AI/automation, it took an average of 184 days to identify the breach and 63 days to contain it, for a total lifecycle of 247 days. Organizations with no security AI/automation deployed took an average of 239 days to identify the breach and 85 days to contain it, for a total lifecycle of 324 days. Security automation reduced the average lifecycle by 77 days or 27%. Security platforms with automation built in to them will outperform those requiring additional human input.
Phalanx Vs Other Solutions
Phalanx is uniquely designed to overcome human error to mitigate data loss and breaches while providing oversight to a class of data that is traditionally very difficult to track. It can operate on its own and in conjunction with many other solutions to secure your organization’s data.
Phalanx Vs Data Loss Prevention (DLP)
DLP platforms perform both content inspection and contextual analysis of data sent via messaging applications such as email and instant messaging, in motion over the network, in use on a managed endpoint device, and at rest in on-premises file servers or in cloud applications and cloud storage. These solutions execute responses based on policy and rules defined to address the risk of inadvertent or accidental leaks or exposure of sensitive data outside authorized channels.
Phalanx can replace or work in conjunction with DLP systems. Since DLP solutions generally focus on the egress of data from boundaries it requires tedious policy management, and often generates a large number of requests for exceptions to policies. Phalanx provides foundational security for organizations without DLP, and supplemental security for those with DLP by enabling each file to have its own encryption so the data is secure at-rest and in-transit regardless of boundary controls.
In lieu of DLP, Phalanx is significantly more lightweight, easy to manage, and requires next-to-zero configuration. Alongside DLP, Phalanx will cover DLPs blind spots and reduce rule exception workarounds from causing data loss. Few DLPs include encryption as a feature of their platforms or only apply it in specific cases, but Phalanx automates encryption so that when data ends up where it shouldn’t be, it is still protected and organizations know who accessed the data.
Phalanx Vs Cloud Access Security Brokers (CASB)
A CASB is on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies. A CASB can offer services such as monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware. CASBs that deliver security must be in the path of data access, between the user and the cloud provider. Architecturally, this might be achieved with proxy agents on each end-point device, or in agentless fashion without configuration on each device.
Phalanx can enhance existing CASB solutions in a similar way to DLP. CASB solutions focus on monitoring cloud activities, and occasionally also provide encryption. CASBs rely on complex configurations and rulesets to detect and stop improper data use or access which often create significant amounts of management work and white noise for security monitoring.
Phalanx secures files in both cloud and local environments and provides encrypted security instead of just policy enforcement. Since Phalanx automates encryption in the background, it eliminates the need for technical know-how, and enables file sharing comparable to the experience of cloud sharing platforms but with fewer steps. The solution allows data to seamlessly move across environments without sacrificing security. Phalanx can add security to cloud storage environments as current cloud storage solutions may provide encryption within their environments but once data leaves their boundaries that protection disappears.
Phalanx Vs Secure File Transfer Protocol (SFTP)
File transfer tools allow individuals to move documents from one device to another or from person to another in a secure manner. File transfer tools come in a variety of forms from DLP email plug-ins, web portals, Secure File Transfer Protocol (SFTP), and cloud-enabled link sharing. These tools allow files to be exchanged in a secure manner, but usually require both parties to have the technology installed to be effective.
While a common secure transfer solution is to set up SFTP servers across organizations to create a secure connection between them, it is a cumbersome process that requires technical expertise on both sides as well as a significant amount of coordination. Both parties require SFTP servers to be set up and connected to each other. If the two users do not have the technical expertise to conduct the setup, this will require additional resources, often from the IT staff. Once the SFTP connection is established, the file transfer process is sustainable, but not scalable to other organizations.
Instead, Phalanx provides a solution that allows for the secure transmission of files while reducing the burden on both the sending and receiving parties. The solution enables organizations to easily store encrypted files in the cloud and only allow access to them via links. These links only display decrypted data to the receiving party when a secure connection via HTTPS is established, and after the receiving party authenticates themselves with a multi-factor authenticated code. The process is handled through Phalanx so the sending party only needs to right-click a file to generate a link and the receiving party only needs to receive the link. In the background, Phalanx handles automatic encryption, cloud uploading, and third-party access code management.
Phalanx Vs Standalone File Encryption
The best method to secure individual files is through encryption. Standalone encryption tools allow for the encryption of hard drives, folders, or files using a variety of different encryption algorithms. These tools often require the passing of keys or passwords across messaging services in order for separate users to decrypt information. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.
Current existing encryption solutions allow users to specify which files to encrypt but don’t easily allow other parties to decrypt the files. This often results in insecure practices, such as sending the encryption key or password in an email or other communication method.
Phalanx enhances the file encryption process by enabling automatic encryption, in addition to the ability to perform on-demand encryptions. Furthermore, there is a greater benefit when it comes time to decrypt. Since keys are managed through Phalanx, each user only needs to keep track of their Phalanx account information and never need to share passwords or keys.
Phalanx Vs Cloud storage
Cloud storage platforms can operate as secure environments to host data, collaborate on files, and share information. Cloud storage platforms usually incorporate some form of encryption and access management to protect information. Since these platforms are usually focused on productivity instead of security they can be integrated with DLP and CASB solutions to further increase security around the information stored within them.
The rise of cloud storage enabled enhanced productivity as users were able to access their files without being constrained to any one device. However, since cloud storage was designed to prioritize accessibility it doesn’t always offer much security for files. Also, even if there are access controls for the data in the cloud, if it’s not encrypted then there is always a possibility of data breaches through the provider. Phalanx allows for agnostic use of cloud storage providers while still providing encrypted security on each of the files.
How Phalanx Can Help
Phalanx mitigates data exposure risk and data breaches through lightweight, human-centric data security that leverages automation to make a frictionless everyday user experience. As human error causes a significant portion of data loss and breaches, Phalanx allows workers to practice security without even realizing it and without the need for technical knowledge. It is designed to work within current workflows and even enhance productivity. Phalanx’s secure file sharing and storage solution combines high standard encryption, automation, and zero trust principles to seamlessly protect organizational information at the file level. Phalanx applies zero trust by delivering a method of encryption to each file on a user’s device in a way that is minimally invasive to the users’ workflow but provides provable security. While most zero trust methods currently focus on authenticating devices on a network, Phalanx knows that this architecture should also be applied to data on devices. The automation built into Phalanx’s solution not only allows for a seamless user experience but also reduces the burden placed on IT and security teams. Phalanx is a lightweight, low configuration platform that can be deployed quickly across an enterprise without time-consuming monitoring and modifying.
Phalanx’s secure file sharing and storage solution consists of both an endpoint and web application. The endpoint application handles the automated encryption and sharing functionalities while the web application allows for organization management. IT and security teams can fine-tune Phalanx’s configuration, manage users, and access data analytics. Phalanx’s metrics, security alerts, and audit logs paint your organization’s data picture and enhance your ability to understand your cyber risk. In the case of a possible HIPAA breach, Phalanx can prevent the need for a breach notification through the automated encryption and audit logs as illustrated in the graphic below. All of the data that Phalanx provides can be accessed by API as well, automating reporting and notification. Administrators will also have the power to immediately revoke all files shared by links in the event of a security incident to further limit potential data breach fallout.
Conclusion
While data breaches and their associated costs have continued to increase year over year for healthcare organizations, there are numerous, proactive steps organizations can take to reduce their risk and mitigate losses in a breach. Organizations must first understand that the question is not if, but when will they experience a breach. Accepting this reality allows for a mindset of continuous improvement and awareness. Healthcare organizations need to focus on the prime factors leading to data breaches in their industry; human error and social engineering. While employee education and cyber-savvy culture are necessary to mitigate human error and social engineering, minimally invasive cybersecurity tools that take into account human behavior and work alongside employee workflows must be adopted. When education fails you’ll want a safety net. In this line of effort, healthcare organizations should evaluate cybersecurity solutions that integrate zero trust, encryption, and security automation. Zero trust establishes how to best trust and authenticate users in increasingly perimeterless corporate IT infrastructures. Encryption continues to be the best form of protection for information and ensures that when mistakes are made, data is not useful to malicious actors. Security automation reduces the amount of human intervention required for cybersecurity processes, ensuring less mistakes happen and security is consistently applied. Phalanx can help healthcare organizations secure sensitive information and mitigate human error by combining zero trust principles, encryption, and automation in a solution that works with end users to keep them safe and productive while enriching the organization’s view of their data exposure risk. If you would like to learn more about how to mitigate data breaches or about Phalanx’s secure file collaboration solution, please visit us at https://www.phalanx.io or email us at info@phalanx.io. Click to download this whitepaper here.
