ISMG Editors: Ugly Health Data Breach Trends in 2023
Also: Top Threat Actors Are Targeting Hospitals; Remembering Steve Katz
Anna Delaney • December 8, 2023
In the latest weekly update, editors at Information Security Media Group discuss the rampant rise in healthcare sector attacks and breaches in 2023, the most common vulnerabilities and targets, and the life of Steve Katz, the world's first CISO, who inspired generations of security leaders.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discussed:
- An overview of the most significant healthcare data breaches in 2023;
- Common vulnerabilities that contribute to the increased number of health data breaches;
- The remarkable life of Steve Katz, who will be remembered as a pioneering leader, generous mentor and colleague.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 24 edition on whether federal budget cuts will bite U.S. security and the Dec. 1 edition on what the Sam Altman/OpenAI saga taught us.
This transcript has been edited and refined for clarity.
Anna Delaney: Hello, and welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is a weekly panel discussion where ISMG editors examine the week's top cybersecurity and technology news stories. I'm delighted to be joined by Tom Field, senior vice president of editorial, and Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity. Great to see you both. Tom, starting with you, we did indeed lose a light amongst lights this weekend, Steve Katz - the world's first CISO. And from what I read, he was a remarkable man. Marianne, you wrote a beautiful tribute to him yesterday. But Tom, you did know him personally. So how do you remember him?
Tom Field: Oh, I remember him in so many ways. When I first started working at ISMG, some 17 years ago, one of the first calls I made was to Steve Katz to catch up on some of the topics that were hot, to hear some of the resources I should tap into, people I should talk to. And from day one, he was generous with his time, was generous with his insight. I remember him as a pioneer because he was the world's first CSO. I remember him as a visionary, because he was out there championing the notion of CISOs as business leaders, as well as security leaders, long before many people were talking about it. I remember him as a mentor. There's an entire generation, maybe a couple of generations of security leaders, that owe the starts to their careers to Steve Katz and the generosity of his time and his wisdom. I remember him certainly as a dedicated family man. I believe he had 13 grandchildren at last count, loved his family and was dedicated to espousing the value of finding time for your family amidst all these business demands. And I remember him as a friend, who was always happy to be seen at our events and to meet at conferences and roundtables and at RSA Conference. He had every right to be full of himself. And he never was; he was full of other people and made time for other people. That's what I remember about him.
Delaney: And a good humor as well, which has come up. I saw once he said that one of the most memorable phrases was, "I sleep like a baby. I cry every two hours."
Field: I asked him once what his advice was for the next generation of security leaders. And he told me, "Pray." I think that was probably the last time I spoke to him. I met him last at RSA Conference 2020; it was just before the pandemic shut everything down. And he was out there and we spent time in the studio, and I sat down to talk with him specifically about his advice for the next and up-and-coming generation of security leaders. And I did ask him a question about the technologies that most caught his fancy. And I'd like to share with you, if you don't mind, part of his response, because here he was in 2020, saying things about AI that people in 2023 are only starting to say. So, if I may, I want to share a little bit of our last conversation.
Steve Katz: But if I was starting today, I would be looking at how the heck I can effectively incorporate AI and ML into my entire cyber risk space. Most companies are bringing in two, three or four data feeds and a number of threat hunters. And then they try to figure out what to do with it. If we are able to take those data feeds, plus feeds from my own internal operation, my own infrastructure, my own vulnerability assessments, and use AI and ML and get daily analytics coming out saying, here's what we need to be concerned about, the little bits and pieces of this but not enough to make enough sense. I think the future of what we're doing, if we one have a slight chance of catching up, is to use artificial intelligence. And suddenly that can be a little hairy to try to find that, whatever that is, but find enough artificial intelligence combined with ML to bring in as much data and as many data points as I can.
Field: Isn't he talking about what we're all talking about today?
Delaney: Yes, absolutely. And ISMG made a short video tribute to him. And it was amazing talking with everybody on the video, their faces seemed to light up, just talking about him.
Field: You always felt better when Steve Katz was in the room.
Marianne McGee: I only met him once in person, at one of the early healthcare summits that we had. But during the reporting yesterday, Anna, what I kept seeing over and over again was how generous he was with his personal time and helping people, even when it had nothing to do with the job at hand. He was always willing to kind of jump in and help people out. So, he was much beloved, and I'm sure he'll be very missed by everyone who knew him.
Delaney: Very much so. Remembering the luminary that was Steve Katz, we thank him for his work. So Marianne, health breaches of 2023: there have been so many. You have been kept very, very busy. So we're in the last month of the year; what are the most significant health data breach trends you've observed this year?
McGee: Well, I have been sort of starting some of the number crunching for 2023. And some of the trends that are emerging are not big surprises. But when you start looking at the numbers, they are sort of startling, and that includes eye-popping numbers in terms of hacking incidents that were reported to federal regulators so far this year. Now, with less than a month left in 2023, it appears that hacking incidents were responsible for a whopping 92%, or nearly 106.5 million, of the 115 million people that were affected by all major health data breaches posted so far on the Department of Health and Human Services' so-called Wall of Shame website that lists major health data breaches. And of those 624 major breaches posted on the HHS website so far, as of today, 80%, or about 490 of them, were hacking incidents. But in comparison, for last year the HHS site showed a total of 720 major breaches affecting 56.5 million people. So already in 2023, there are more than double the number of people affected by health data breaches in the healthcare sector versus last year. Now, the top hacking culprits are not surprises. But it is disturbing. Again, they continue to be ransomware attacks, such as encryption and/or data exfiltration. But also this year, a wave of incidents involving vulnerability exploitations, most notably MOVEit and then GoAnywhere. Now, overall, business associates, or the third parties, were involved in 242 major health data breaches so far this year that affected about 77 million people. And those data breaches involving business associates are eight of the 10 largest health data breaches; those alone affected more than 50 million people. So as of now, of the health data breaches reported by business associates, 201 of those were hacking incidents involving vendors. What's also noteworthy is that the second most common type of data breach reported are unauthorized access or disclosure incidents.
Now, typically, those could be insider sorts of things, where somebody emails the wrong information to somebody, those sorts of things. But when you start digging into what happened with some of these incidents that are reported as unauthorized access or disclosure incidents, they're hacking incidents. And there are about 118 such breaches reported so far to HHS this year, affecting about 8.5 million people, that are unauthorized access or disclosures. Now the largest of those breaches, again, is more of a hacking incident than it is an unauthorized access or disclosure breach. That largest breach was reported by a health plan in Ohio called CareSource. It affected 3.2 million people and it involved exploitation of the MOVEit vulnerability. So when you start shaking things down and start looking at what's happening, some of the top lessons that are emerging are from hacking incidents, because the business associates have also been involved with that. And there is this urgent need for entities to become more proactive in their patch management and their software updates. And that brings me to another important year-end reminder for healthcare sector entities, especially hospitals, regarding the Citrix Bleed vulnerability that affects certain Citrix NetScaler ADC and Gateway devices. In recent days, HHS, as well as the American Hospital Association, have issued urgent warnings about ransomware attacks involving active exploitation of the Citrix Bleed vulnerability, and they're urging hospitals and other healthcare sector entities to follow Citrix's guidance to upgrade their devices and to remove any active or persistent sessions with specific commands that Citrix is providing. It's suspected, but not confirmed, that a few of the recent ransomware attacks we've seen on hospital chains in the U.S. in the last couple of weeks involved exploitation of Citrix Bleed.
And HHS in its warning said it strongly encourages users and administrators to review the Citrix recommended actions and to upgrade their devices in order to prevent serious damage to the healthcare and public health sector. So I think they're kind of worried about a trickle-down effect, one entity affecting another entity, because perhaps that entity gets hit with a ransomware attack involving Citrix and their systems go down. And then you have other entities affected not only from an IT perspective, but maybe supply chain, maybe the ability to respond to patient needs, and all those sorts of collateral damage that we often see in ransomware attacks. So an interesting year, and a disturbing one too.
Delaney: Troubling trends. So have certain types of healthcare organizations or entities been more frequently targeted this year?
McGee: Usually it's sort of the same, where you see a big mix of some of the specialty group practices: there's a big surgery practice that was recently hit, there is an imaging system chain that was recently hit. But lately, it's been the hospital chains, regional hospital chains, where you have, like, three or four related hospitals, either in a specific region, or kind of scattered around the country where there are not that many hospitals in that region. So, yeah, they seem to be going after the hospital chains. That's what I see.
Field: Makes you long for the days of lost and stolen devices.
McGee: Right. So again, we're all so used to hearing about hacking incidents, and you hear about, oh, 92% of the people affected by health data breaches were victims of hacking incidents, and it sounds okay. But if you compare it to years ago, where, again, the lost or stolen unencrypted laptop was 92% of why people got their data compromised, it's a big difference.
Delaney: You look a lot at patient privacy as well. So are there any emerging threats, or risks to patient privacy that have become more prominent this year? Do you think, Marianne?
McGee: Yeah, I think the hot subject, and it kind of hasn't cooled down, but for a while there was a big flurry of these sorts of incidents involving web trackers, like Pixel from Meta, and then Google Analytics, embedded in patient portals and hospital websites that collect IP addresses and other information about patients and send it to third parties, either for marketing or advertising. And then perhaps for other purposes that are not as widely talked about, but are kind of feared: enforcement of the outlawing of abortions in certain states. Where did this person get their health care? Where did they wind up going? Who was the doctor? I don't know if that's happening yet, but that's the fear. So that's a privacy concern in a major way.
Delaney: What about next year? Are there any trends or developments on the horizon that might impact the landscape?
McGee: I was going to say more of the same. But the thing is that the cybercriminals are always kind of coming up with new schemes and maybe more of the same, but let's try something a little different this time. So I think overall the healthcare sector needs to be on its toes, because you never know who's going to be the next victim. And again, you might not be the victim, but you might be the client of a victim who is then affected. So you have to have backups in terms of your suppliers, perhaps if your main supplier gets hit, and they can do what they need to do for you. There's a lot of considerations.
Delaney: Thanks, Marianne. For now, of course, because, well, there's always a week with a healthcare incident. So thank you so much. Well, finally, and just for fun: if you had to rewrite a classic festive carol to be about, of course, cybersecurity, what would the title be?
McGee: Jingle Bells, ransomware smells, data exfiltration stinks. That's as far as I can go. And I think that's as far as you can tolerate.
Delaney: Because I had - Crypto bells, crypto bells, encrypt all the way. Oh, what fun it is to code in a secure and safe array. Hey!
McGee: I like yours better.
Field: I've got something appropriate if you're at the event you're going to tomorrow, Anna: I'm dreaming of a White Hat Christmas.
Delaney: Very good. And you got the backdrop for it, perfect. I also had - Deck the halls, deck the halls, secure the walls; but anyway, glad we ended on a tune. Thank you so much, Tom, Marianne. Insightful as always. And thank you so much for watching. Until next time.