The Breach Report is out. Let's take a look.
Today, health IT, healthcare cybersecurity. How are we doing? We're going to take a look at the breach report for 2023 and see how we're doing. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders: SureTest, Artisight, Parlance and ServiceNow. Check them out at thisweekhealth.com/today. Having a child with cancer is one of the most painful and difficult situations a family can face. In 2023, to celebrate five years at This Week Health, we are working to give back. We are partnering with Alex's Lemonade Stand all year long. We had a goal to raise $50,000 and we have, and we thank you for your generosity. We are so, just incredibly grateful for this community and the giving nature of this community. For those of you who want to join us, we want to blow past that number. You can join us by hitting our website; in the top right-hand corner you're going to see a logo for the Lemonade Stand. Go ahead and click on that to give today. We believe in the generosity of our community, and we thank you in advance. All right. New report's out. We're going to take a look at it. The article is from Healthcare IT News, by the way; the title of the article is "Healthcare incurs highest data breach costs for 13th year in a row." So I guess we answered the question for the title, which is how are we doing? This is not a good stat: healthcare incurs highest data breach costs for 13th year in a row. We're going to go through the article a little bit and then I'll come back with some comments. New research by the Ponemon Institute and IBM Security revealed that the global average cost of a data breach reached $4.45 million, and the cost of avoiding law enforcement after a ransomware attack
has increased by $470,000. Not even sure what that is. Anyway, keep going. Looking across industries at 553 organizations impacted by data breaches that occurred between March 2022 and 2023, not only did the healthcare sector see a 53% jump in breach costs since the COVID-19 pandemic, health data breach costs reached nearly $11 million. The Cost of a Data Breach Report 2023 examined the root causes and both the short-term and long-term consequences of data breaches, as well as the factors and technologies that enabled organizations to either limit losses or increase their recovery costs. All right. So the most common breach tactic, as we all know, is phishing at 16%, and the next one is compromised credentials. Along with soaring costs for breaches, the healthcare sector contends with cyber attacks that weaponize medical records for extortion. I'm going to come back to that specific phrase in my "so what." So only one third of the organizations studied detected the breaches themselves, compared to 27% of all breaches disclosed by an attacker. Wow. We're really not doing well if that's the case. Let me reread these things because this is pretty amazing. One third of the organizations studied detected the breaches themselves: only 33% of organizations detected the breaches themselves. Compare that to essentially 33%, that's all breaches disclosed by the attacker. So we didn't even know we were attacked until the attacker came to us and said, okay, we're ready to extort you with the information that we found. Oh man, those are some telling numbers. So we'll come back to what we can do. The latter saw breach lifecycles nearly 80 days longer than those that detected their breaches sooner.
Meanwhile, researchers said that artificial intelligence and automation had the biggest impact on the speed of breach identification and containment among the studied organizations. With AI, organizations experienced a data breach lifecycle that is 108 days shorter compared to those in the study that did not deploy these technologies. Interesting, although the number of days is still pretty high: 214 days versus 322 days. The researchers said that deploying security AI and automation extensively lowered data breach costs by nearly $1.8 million more than organizations that didn't deploy those technologies. They also said that 51% of impacted organizations are planning to increase their security investments in incident response planning and testing, employee training, and threat detection and response technologies. Okay. While defenders were able to halt a higher proportion of ransomware attacks over the previous year, according to the Threat Intelligence Index, the new data breach cost study found that adversaries reduced their average time to complete an attack. So we've reduced the amount of time, but they're getting better at the attack. All right. So let's go back to a couple of things here. One is, what's my "so what"? Yes, there are obvious things: employ AI, employ automation, employ the right tools. Make sure you're protecting against phishing attacks. Compromised credentials is important as well; the security around identity is so important. But I do want to come back to this whole concept: the healthcare sector contends with cyber attacks that weaponize medical records for extortion. I had a conversation recently with some CIOs, and we were talking about the fact that we do have PHI strewn around most health systems. And that's within the four walls. Clearly we have it also within our business associates,
covered by BAA agreements. That doesn't mean we can lose the information and it's not our fault. It means we are still required to identify where that PHI is and know how to protect it. Right. And as we were having this conversation, it reminded me of a conversation I had a long time ago. There was a Deloitte consultant; she was a former NSA employee. And after they got done doing our internal audit of our security practices, one of the things she said that has stuck with me is, she just looked at me and she said, "Bill, you have to act, you have to protect as if they're already in your network, because they likely are already in your network. So you have to devise your plans, you have to build your controls, you have to build your response, all that with the idea that they are already on your network." And one of the things that is interesting, bringing all these things together, is one of the things we can do if we know they're already on our network and we know that they are working to move laterally: we can take away access to the things that they're looking for, and not just leave them strewn around, which is the word I keep using. And it's interesting to me because our PHI is in email, it's on file stores, it's in Teams, it's on intranets. It's in a lot of places. And
I've heard some people say, essentially, "I don't want to know where my PHI is, because if I know where it is, I have to do something about it." I think that is negligence. I believe that as CIOs, we should really focus in on what we need to do to protect our patients' information as much as possible, not only for the good of our organization, but definitely for the good of our patients. Right. And so there are great tools. There are tools out there that are going to identify where your PHI is. We've interviewed the guys over at Tausight; they have a great set of tools where they can identify where your PHI is. But then it takes not only identifying it, but putting together the process and the tools and the mechanism for protecting that data. But the first thing is you have to find it. So you find it and then you have to have the systems to protect it. I think this is a lot like application rationalization. It is a project that should be going on all the time. It should be a standard operating procedure for all security operators, security departments within healthcare. They should be looking for PHI. They should be identifying it. They should be protecting it. It is just, I think, standard operating procedure. And again, there's a lot of other things I could have talked about, and I've been talking about AI a lot lately. Yes, there are some great AI tools. There's some great automation that's coming into place. There are security operation centers that are top-notch. There are tools from our partners that are top-notch around biomed devices and those kinds of things. So there's a lot of tools and things we can put in place, but this is one of those things that's just basic blocking and tackling.
Find it. If you need a tool to find it, use Tausight. If you have the ability and wherewithal to find it yourself, and as you are finding it, to remediate it, then by all means do that. This has to be a standard operating procedure. And that's my takeaway from this article: act as if they're already on your network, because they probably are. All right. That's all for today. If you know someone that might benefit from our channel, this really helps us. Let them know you're listening to the show. They can subscribe wherever they listen to podcasts. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: SureTest, Artisight, Parlance and ServiceNow. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.