2018 was a record year, but not in a good way. U.S. organizations paid out a record $28 million in settlements or judgments for data breaches [1]. That number was boosted by Anthem’s $16 million settlement for the largest healthcare breach in history.
But information security is getting better, isn’t it? Admittedly, the fines paid in a year do not reflect the number of data breaches in that same year; the breaches behind the fines mentioned above occurred years earlier. For example, the Anthem cyber-attack occurred in 2014 and 2015 [2], and the breaches behind the $4.3 million judgment against the University of Texas MD Anderson Cancer Center occurred in 2012 and 2013.
In the Protenus 2019 Breach Barometer Report [3], the U.S. Department of Health and Human Services (HHS) reported 503 health care data breaches that compromised over 15 million patient records, up from 477 data breaches and 5.5 million patient records in 2017. A 5% increase in the number of breaches resulted in triple the number of patient records compromised.
How data was compromised varied: stolen or lost credentials, unauthorized insider access, “hacking” from an external source, human error, and phishing. One of the most common intrusion vectors is a third-party vendor.
The largest breach of the year is an example: Atrium Health patient information was compromised through its billing services vendor, AccuDoc. In fact, a vendor working for AccuDoc was “patient zero” in this case.
Data breaches involving third-party vendors are frequent. Home Depot’s 2014 data breach started with stolen credentials for a third-party vendor login. So did Target’s 2013 breach, through an HVAC vendor.
If you are using a third-party vendor and allowing them access to your internal network or customer data, you need to perform a vendor security assessment for every one of them. Vet their security practices as if they were your own. After all, you are still liable for any intrusion into your network or loss of your data through their negligence.
An organization may have invested heavily in securing its network, but if a vendor is the weakest link in the company’s ecosystem, that gives an attacker an easy path in.
In addition, reputational risk lies solely with the organization from which the data was exposed. What was the name of the vendor that contributed to the Target, Home Depot, or Atrium Health data breach? Often, they are not even named.
The risk comes from interconnectivity: third-party vendors with access to your business data and networks. Compile a list of all vendors that have access to your data or network, perform a risk analysis to determine what data is exposed to them and what the potential risks are, and then decide what mitigations should be taken to remediate the risk.
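One way to turn that vendor inventory into a ranked risk register, as an added example that is not part of the original post: the weights, the control names and the three sample vendors are all constructed for illustration, and impact is scored as data sensitivity times access scope while each missing control raises likelihood.

```python
from dataclasses import dataclass

# Assumed weights (illustrative, not from the post): data sensitivity and access
# scope drive impact; each control that is not in place raises likelihood.
IMPACT = {"public": 1, "internal": 2, "confidential": 3, "phi_pci": 4}
ACCESS = {"none": 0, "portal": 1, "api": 2, "network": 3}
CONTROLS = {  # control -> (likelihood weight when missing, mitigation to take)
    "mfa": (2, "require MFA on the vendor's accounts"),
    "least_privilege": (2, "scope vendor credentials to the minimum data and systems needed"),
    "segmentation": (2, "isolate vendor connections from the internal network"),
    "monitoring": (1, "log and alert on vendor account activity"),
    "assessment": (1, "complete a vendor security assessment before granting access"),
}

@dataclass(frozen=True)
class Vendor:
    name: str
    data_class: str      # key of IMPACT: most sensitive data the vendor can reach
    access: str          # key of ACCESS: how the vendor reaches it
    controls: frozenset  # controls verified to be in place for this vendor

def assess(vendor: Vendor) -> dict:
    """Score one vendor (impact x likelihood) and list a mitigation per missing control."""
    impact = IMPACT[vendor.data_class] * ACCESS[vendor.access]
    missing = [c for c in CONTROLS if c not in vendor.controls]
    likelihood = 1 + sum(CONTROLS[c][0] for c in missing)
    score = impact * likelihood
    rating = ("critical" if score >= 48 else "high" if score >= 24
              else "medium" if score >= 8 else "low")
    return {"vendor": vendor.name, "impact": impact, "likelihood": likelihood,
            "score": score, "rating": rating,
            "mitigations": [CONTROLS[c][1] for c in missing]}

def rank(vendors) -> list:
    """Order the register so the weakest link (highest score) comes first."""
    return sorted((assess(v) for v in vendors), key=lambda r: r["score"], reverse=True)

# Constructed sample register: hypothetical vendors, not real organisations.
SAMPLE_VENDORS = [
    Vendor("billing-service", "phi_pci", "api", frozenset({"assessment"})),
    Vendor("hvac-contractor", "internal", "network", frozenset()),
    Vendor("marketing-agency", "public", "portal", frozenset({"mfa", "assessment"})),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_VENDORS):
        print(f"{r['vendor']:17} {r['rating']:8} score={r['score']:3}  "
              + "; ".join(r["mitigations"]))
```

Re-run the register after each control is verified so the score reflects the vendor's current state rather than the original assessment.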
[1] US healthcare data breach settlements topped $28m in 2018
[2] Anthem pays out record $16m over data breach
[3] Protenus 2019 Breach Barometer Annual Report
[4] Vendors and Data Breaches: Why Your Valued Partners Are Also Security Threats