Incidents relating to phishing, hacking and malware were the cause of 31 percent of data security incidents during 2015, revealing a shift from 2014 when human error was the leading cause, according to a new report.
Produced by the privacy and data protection team at BakerHostetler, the report analyzes data from more than 300 incidents on which the firm advised in 2015.
The report looks at causes of incidents, industries most affected, and what happens after a security incident is detected--from containment, to notification, to regulatory investigations and even lawsuits.
"The most concerning finding was to see that hacking/phishing/malware was the leading cause of incidents last year, especially the increase we saw in health care incidents," Lynn Sessions, partner with BakerHostetler’s privacy and data protection, told eWEEK. "We could feel the tide begin to turn in 2014, which continued into 2015. However, with the number of incidents we handle, it was surprising to see that was the leading cause."
The health care industry (23 percent) was affected more than any other. Rounding out the top three are financial services (18 percent) and education (16 percent).
"Health care organizations are in the business of taking care of patients or supporting patient care in some fashion," Sessions explained. "They have not traditionally needed the level of data security that is required today. You also hear about more health care breaches because HIPAA requires notification, and media release with a low threshold."
She explained that with the advent of electronic health records and more and more patient information being stored electronically, health care organizations have become targets just as the need for more stringent and sophisticated data security becomes apparent.
"Health care providers and health plans have a gold mine of information that criminals can monetize – such as SSNs, health insurance information, and general health information," she noted. "There has been a lag with the implementation of the HIPAA security rule in 2005 and the enforcement that came along with HITECH in 2009."
For incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000, the report found.
The time from when an incident first began until it was detected – ranged from zero days to more than 400 days, and the average amount of time from incident to discovery for all industries was 69 days, with health care taking nearly twice as long as other industries. The average amount of time from discovery to containment was seven days.