A Closer Look at the Actual Cost of a Data Breach

Our world is increasingly digital. Data breaches are a common occurrence in our news feeds, and for good reason. According to HIPAA Journal’s October 2019 Healthcare Data Breach Report, 38 million health records have been stolen or impermissibly disclosed in 2019 alone: an increase of over 20% since last year. Ransomware through phishing attempts is the most common cause of these breaches.

And these breaches have consequences: they place those whose data has been breached at increased risk of identity theft and cripple the operations of the organization targeted.

In fact, a recent study by Vanderbilt University's Owen Graduate School of Management exposed the impact that data breaches at hospitals have on patient outcomes (quick summary: it's not good). The study evaluated patient mortality rates at roughly 3,000 Medicare-certified hospitals, about 10% of which had experienced a data breach, and found an increase in the death rate among heart attack patients at hospitals that had been breached. This effect persisted for months, and in some cases years, afterwards.

The researchers attributed this decline in the quality of care delivered to cardiac patients to the cybersecurity remediation efforts that followed a breach. In short, the tighter security controls appear to "slow down" providers' response to emergency cardiac events. For example, hospitals that had previously been breached took on average an additional 2.7 minutes to order an electrocardiogram for suspected heart attack patients.

This study illustrates how providers can find themselves between a rock and a hard place: implementing security best practices (two-factor authentication, password complexity and resets) while still enabling timely access to data and minimizing interruptions to clinical workflow.

Of course, not implementing rigorous security measures is really (really) not an option. But it is important to be targeted in how we deploy and focus those measures. For example, as noted earlier, the most frequent cause of data breaches in the health industry is ransomware delivered through phishing. It is therefore important that providers and their staff be knowledgeable about phishing and the other social-engineering tactics that let an attacker walk past a practice's firewall without ever touching it. For that reason, we sat down with Shawn Palmer (CHP, CSCP), Emtiro Health's IT Support Manager and guru of all things cybersecurity, to discuss spear phishing and how providers can best protect themselves against this pervasive threat.

What do you identify as the most common cybersecurity threat to providers today?

Without a doubt it is phishing and other socially engineered attempts to breach security. With the ever-growing accessibility and use of social media like Facebook, Instagram, Twitter, Snapchat, etc., hackers known as “phishers” and identity thieves have a treasure chest of items, or people, to choose from. They have a lot they can draw from, and this means that their attempts to trick targets into releasing access or information are very sophisticated and can appear very authentic.

What exactly is Social Media Phishing?

Phishing, or the practice of trying to lure unsuspecting victims to click on links to install malware or divulging confidential information, is a tactic that unfortunately involves more than just malicious emails. Phishing attacks can also take place via text message, phone calls, or social media.

A recent infographic from Inspired eLearning defines social media phishing as, “When attackers use social networking sites like Facebook, Twitter, and Instagram instead of e-mail to obtain your sensitive personal information or get you to click on malicious links.”

The same infographic goes on to mention that the reason hackers love social media is the number of targets: Facebook has 2 billion users, Instagram has 700 million users, Twitter has 328 million users, and Snapchat has 150 million users. Just think about all the information available there. You can triangulate a lot based on that.

What are the most common examples of social media phishing?

People are usually wary about releasing information about bank accounts and credit cards but will often let personal information flow like a sieve when talking to a perfect stranger on one of the aforementioned platforms. Many times you will get a “mistake message” where the phisher enters into a conversation by saying something like, “Hi there, I was looking through profiles for an old friend and saw yours and felt like I needed to talk to you.” They will then continue with small talk, occasionally tossing in questions like:

  • Where do you live?

  • How old are you?

  • Are you married or single?

  • Do you have any kids?

  • How old are your kids?

  • What are your kids’ names?

Oftentimes one can be lulled into a sense of security, thinking this information could not be harmful. However, these scammers are building a fact sheet on you. Each bit of information gained can be used to break into online accounts that you have or even to impersonate you. They will often ask for pictures of you or your family, pictures of your vehicles, what model of smartphone you have, or who your cellular carrier is. Some are even bold enough to ask for your smartphone number and address.

This type of phishing circumvents the age-old adage of always trying to use a secure website (HTTPS) because you are on a safe site; you are just feeding the information willingly. Unless the person you are talking with has a legitimate reason to know any of the information they are asking for, you need to kindly refuse. In addition, if that does not do the trick, blocking them is the next best action.

There are also fake links that will take you to infected websites or even attempt to download virulent programs to your computer. According to an article from PhishLabs.com, “Each day, there is a good chance that you will run across a YouTube video, an embedded tweet in a news article, or even scroll through cute puppies on Instagram. However, the threats posed to social media as a whole are significantly larger than just the biggest social media sites. Blogs, forums, news sites, paste and doc sites, and even gripe sites are all part of the social media ecosystem.”

Can you give any other examples?

According to Metacompliance.com, the most common social media phishing scams include: 

  • Fake customer service accounts,

  • Fake comments on popular posts,

  • Fake online discounts, and

  • Fake trending videos.

What can providers and patients do to protect themselves? 

One way to stay safe on social media is to look towards the medical industry and divulge only the “Minimum Necessary” about yourself. To stay safe on social media: 

  • Never accept friend requests from someone you don’t know

  • Never click on links requesting personal information

  • Use unique login credentials for each account

  • Only enter personal information on secure websites

  • Make sure your anti-virus software is working and up to date

  • Make sure your operating system has the latest updates

  • Use enhanced privacy settings

Summary

In closing, always keep your personal information safe, as it is yours and no one else’s. If you are phished or an attempt to phish your information was made on an app or website, make sure to alert the app developer or site administrator of it. There are usually links to report such incidents. The more we, as users of the sites or apps, report these transgressions, the safer those places become.
