Data Breaches Should Be Scored

Data breachForbes author, Dan Munro, discusses how healthcare is a soft target for cyberattacks and how these data breaches should be scored.

“For the second time in three years, a healthcare data breach was announced around the biggest cybersecurity conferences of the year–Black Hat. Two years ago it was the CHS breach affecting about 4.5 million patients, and earlier this month Banner Health–America’s 15th largest hospital system–announced a data breach affecting 3.7 million people.”

Jeff Williams, who has been in the security industry for over 20 years, suggested that, “we need a system for scoring data breaches and corporate response across key variables as a critical and tangible way to change the dynamic quickly after an announcement. Actually applying an independent score to a data breach could be an effective way to accelerate the path to remediation and restoring trust.”

Here is what Williams thinks a possible rubric for scoring data breaches would look like:

“Tone: Is the announcement apologetic and not blaming? Does it acknowledge that there should have been better defenses, that the breach should have been detected and that the organization should have been able to stop the attack?

Timeline: When was the initial break-in? When was it discovered? How long to disclosure?

Scope: What information was stolen and what control was lost?

Size: How many people were affected? How many servers?

Root Cause: What was the underlying vulnerability that was exploited? What defenses are in place and how did the attack bypass the defenses?

Discovery: Who discovered it? Victims? A security firm? Why didn’t you know earlier?

Remedy: Are you really making victims whole? For how long? [Personal health information–PHI–is literally lifelong]

Future: What are going to do to prevent future/similar attacks?

Blame: Did you state or imply that the attack was “sophisticated” or “advanced?” Did you provide any evidence of that?

Oddities: Were there any oddities to the timeline not making sense–or details that stretch credulity?”

When asked how he would score the Banner Health data breach, Williams provided the following answer:

“For fun, I did an abbreviated disclosure scoring.  Overall I give them a C-/D+. There is still an awful lot of missing information. What is there isn’t bad, but we only have a tiny piece of the story of this breach. And they don’t seem too sorry.

 

  1. Tone: [C] I’m not convinced. The only recognition of responsibility is the statement “Banner Health deeply regrets any inconvenience this may have caused.”
  2. Timeline: [C] Good details. Why did it take three weeks to discover the attack? Why another week to discover the attack on patient information and why did they take almost a month to say anything to the public? No details on how long attackers were in the systems before they were discovered?
  3. Scope: [B] Decent details about information types disclosed. No information about the depth of the breach.
  4. Size: [C] The numbers for each different type of information breached is still fuzzy. 3.7M seems to be the total number. No information about what systems were compromised.
  5. Root Cause: [F] No information provided. This certainly seems like SQL injection is a strong possibility.
  6. Discovery: [F] No information provided. Did consumers report unauthorized or suspicious transactions? Did the credit card company let Banner know? Was it discovered during routine security sweeps?
  7. Remedy: [D] No details on any specific fixes for this breach. Credit card monitoring (of little real value) for victims will be provided for a period of time–even though healthcare data is lifelong.
  8. Future: [F] No clarity or visibility on any long-term changes. What are they doing to establish a culture of security that deserves my future trust? No idea.
  9. Blame: [D] Why does the disclosure spend a paragraph warning customer to “remain vigilant” and to monitor statements from payment cards and health providers?
  10. Oddity: [F] The fact that there were two separate breaches indicates a much deeper breach, but no information about this was provided.”

Protected Health Information (PHI) is a lot more valuable to hackers than financial data as it is lifelong, difficult to correct, and can be used for countless fraudulent activities.

Read the full article here.