Cybercriminals are on the hunt for personal information—including protected health information (PHI) in a variety of places. They’re first looking at your logins, passwords, Social Security numbers and other information threatening identity theft (all prime targets for malicious hacking).
Your treasure troves of data are probably a big concern to organizations like yours. Many executives in healthcare have recently been forced to resign or step down from their positions after major ransomware attacks and cyber breaches. The core reason for those attacks: poor management of sensitive data.
The majority of crimes focused on pilfering and stealing protected and sensitive information often go on months to years before anything is identified, leaving you, your patients and your team vulnerable to major identity theft crises. As a steward of data security for your patients and team, how much security preparedness is enough?
2019 has been an incredibly awful year for data loss and cyberattacks. Just focusing on hospital attacks, alone there have been nearly a dozen recent stinging instances of ransomware attacks and breaches that have left millions of patient records at risk.
The startling take home I hope you see throughout this blog is that we haven’t been learning from our mistakes. Most of the common ways criminals are breaking in late in 2019 have been the same exact methods used time and time again years ago.
Here are three super common places criminals are looking for sensitive data today:
Cloud Storage—misconfigured cloud data storage is one of the easiest ways cybercriminals have found to get their sticky fingers on protected and sensitive data. Cloud security as a whole has become one of the greatest security concerns in 2019, accounting for nearly half of cyberattacks this year (compared to those just a couple of years ago).
The problem with cloud? Most healthcare leaders perceive cloud as being secure. It’s not onsite and is out of sight to many of us. What many do not realize is that cloud storage is simply taking a server—similar to one that you’d have to maintain in your office—to a data center somewhere to get similar maintenance and updates applied to it as it would if it were in your server closet.
Now, I am an advocate for cloud solutions, as they can save you resources, time and money, but realize that simply putting your data in the cloud does not automatically mean it’s secure. For example, over half of organizations that store data in the cloud fail to encrypt sensitive information, leaving it even more accessible to attackers if that server or data center were breached.
Even more, cyber criminals are focusing their eyes on data centers because they store treasure troves of data, more bang for their buck than simply attacking one single network’s worth of data. Accessing the information through employee credentials, insecure infrastructures, or even data centers that are not complying with basic cybersecurity hygiene are leaving organizations less secure in the cloud than they’d hoped.
Negligent and careless third party cloud vendors have left the likes of Facebook, Microsoft and Toyota to massive data breaches, leaving millions of customers with released records. And despite these alarming incidents, many still remain convinced that cloud storage is the safer alternative. [Note: if you are concerned about your data being secure, most experts recommend a cybersecurity assessment to find out where your real vulnerabilities lie—vulnerabilities typically not discovered in a HIPAA Risk Assessment].
The Dark Web—information on the Dark Web is only growing and the bulk of it is related to sensitive data from your users and clients. As of earlier this year 2,692,818,238 passwords were completely exposed in plaintext on Dark Web pages. The likelihood of you or someone you know having exposed data is no longer miniscule. As your organization or someone you work with undergoes a data breach or cyber event recovery effort, the likelihood that information from sensitive databases being exposed is entirely possible.
Targeted password re-use attacks—where criminals take exposed credentials and reuse them on your organization’s network or attempts on other accounts is one of the easiest ways for criminals to steal and breach networks today. While one exposed password may seem trivial, re-use attacks are strikingly efficient at getting attackers into new depths of your and your team’s personal and work accounts (over 60 percent of users admit to reusing passwords across personal and work accounts!).
How can you deal with this growing problem?
Make sure that your digital assets and accounts are visible and tracked. Get your employees to do the same with their personal accounts—ranging from social media to banks. Have an enforced password policy in place and get your team to understand the importance of choosing and maintaining their passwords wisely. And continuously monitor the Dark Web for any leaks and share any potential weaknesses with those within your organization that are involved.
There are a ton of vulnerabilities out there and not all may apply to your network or organization. Keeping an eye on where attackers are focusing will give you a better understanding on where to best allocate your budget line items to get the most bang for your security bucks.
The first place to start if you’re not sure how to approach your cybersecurity efforts? Experts recommend first evaluating your network through a network security assessment and then prioritizing issues that will lead to a securer environment for your team and your clients.