If you’ve ever worn a hospital gown, endured an unwanted trip to the dentist, or made an unwise investment, then you’ll commiserate with this month’s Threat Thursday update.

What is Threat Thursday, you ask? The last Thursday of every month, my colleague Chris Goettl and I get together for 45 minutes of pure, unfiltered security chit-chat. We talk about active cyberattacks and data breaches, how to best defend yourself, security strategy, and more. It’s all lighthearted, loosely formatted, and a lot of fun.

But don’t get us wrong. We understand IT security is a serious business – that’s why we spend most of the time making sure you have the right measures in place to stay protected, and we leave plenty of time to answer any questions you might have.

Here’s what we’ve got on tap for Thursday, September 26:

It’s Drafty Down There: Healthcare Exposures

In August, patient data had more exposure than a hospital gown. More than 700,000 records were leaked in 44 separate data breaches. It wasn’t a backdoor attack (sorry, another gown joke). Instead, threat actors used phishing to compromise both the vendors serving healthcare systems and the healthcare systems themselves.

Why healthcare? Medical records are among the most valuable PHI and PII available on the dark web. According to Experian, individual medical records can be worth up to $1,000 depending on the information they contain. In contrast, the average credit card record usually fetches anywhere from $1 - $10.

It’s About to Get Expensive

Recovering from these breaches is insanely expensive. According to figures from IBM and Ponemon, it costs providers $408 per medical record to recover from a data breach. That’s the highest among verticals and nearly double what it costs for organizations doing business in the financial industry – the next closest group on the list.

Furthermore, organizations can cost themselves more money with misplaced security initiatives. According to IBM and the Ponemon Institute, in their 2019 Cost of a Data Breach report, third-party breaches, compliance failures, and extensive cloud migration each add at least $300,000 to the average cost of a data breach, which the report puts at roughly $3.92 million.

Our Expert Security Recommendations

Chris and I suggest doing the following to combat these attacks:

  • Phishing training – or, if you’re already doing this, educating your users on exactly how attackers are gaining access to these records (vendor-themed lures, not just generic spam)
  • Vendor risk management – remember, these attacks normally begin at the vendor level, so a vendor’s email compromise becomes your breach
  • Privilege management – what level of access do your vendors and users actually have to your systems, and do they still need it?
  • Email security – we’ve seen a lot of these attacks in the form of an email that looks like it’s from a manager or a boss: a familiar display name on an outside address, or a Reply-To that points somewhere else
  • Two-factor authentication – a second layer of defense is a must, because a phished password alone should not be enough to open a mailbox
  • Incident response planning – referencing the IBM/Ponemon chart, there’s a lot to be said about how this one initiative can offset the total cost of a data breach
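The “email that looks like it’s from a manager or a boss” pattern is easy to triage automatically before it reaches a mailbox. The script below is an added example written for this post, not code from Ivanti or the Threat Thursday hosts: it reads raw message headers and flags the three tells that show up in these campaigns (an executive’s display name on an outside domain, a Reply-To pointing to a different domain, and a message claiming your own domain that did not pass DMARC). The organisation domain, the executive names and the three sample messages are all constructed for illustration.

```python
"""Flag e-mails that impersonate a manager or executive.

Added example, not from the original post. The organisation domain,
executive list and sample messages below are constructed for illustration;
in practice they would come from your directory and your mail gateway.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values for the illustration.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"Alice Chen", "Bob Singh"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalise_name(name):
    """Collapse case, punctuation and word order so 'CHEN, Alice' == 'Alice Chen'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def analyse(raw_message):
    """Return a list of reasons the message looks like executive impersonation.

    An empty list means none of the three checks fired.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reasons = []

    # 1. Display name matches an executive, but the address is not ours.
    exec_keys = {_normalise_name(n) for n in EXECUTIVES}
    if _normalise_name(display) in exec_keys and from_dom != ORG_DOMAIN:
        reasons.append(
            f"display name '{display}' matches an executive but sender "
            f"domain is '{from_dom or 'missing'}'"
        )

    # 2. Replies are silently redirected to another domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        reasons.append(
            f"Reply-To domain '{_domain(reply_addr)}' differs from From "
            f"domain '{from_dom}'"
        )

    # 3. The message claims our domain but the gateway's DMARC check failed.
    auth = msg.get("Authentication-Results", "")
    if from_dom == ORG_DOMAIN and re.search(r"\bdmarc=(fail|none)\b", auth):
        reasons.append("claims our domain but DMARC did not pass")

    return reasons


# Constructed sample headers: a look-alike domain, a Reply-To hijack, and a
# legitimate internal message.
SAMPLES = {
    "lookalike": (
        "From: Alice Chen <alice.chen@examp1e-mail.net>\n"
        "To: payroll@example.com\n"
        "Subject: urgent wire before 5pm\n"
        "Authentication-Results: mx.example.com; dmarc=none header.from=examp1e-mail.net\n\n"
    ),
    "replyto": (
        "From: Bob Singh <bob.singh@example.com>\n"
        "Reply-To: bob.singh.ceo@gmail.com\n"
        "To: ap@example.com\n"
        "Subject: new vendor bank details\n"
        "Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\n\n"
    ),
    "legit": (
        "From: Alice Chen <alice.chen@example.com>\n"
        "To: payroll@example.com\n"
        "Subject: Q3 budget\n"
        "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        hits = analyse(raw)
        print(f"{label}: {'SUSPECT' if hits else 'ok'}")
        for reason in hits:
            print("  -", reason)
```

The third check only fires for messages that claim your own domain, because DMARC says nothing about whether a look-alike domain is malicious; that is what the display-name check is for. A gateway rule built on these three signals will not catch every vendor-compromise mail (a genuinely compromised vendor mailbox passes all three), which is why the vendor risk and two-factor items on the list above still matter.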

Perhaps the one silver lining to these data breaches is the actual data from the fallout. Risk managers can now more accurately predict what an attack could cost their organization. Something to keep in mind considering that all organizations can expect to suffer a data breach once every ten years.

What’s Worse Than a Root Canal

What’s the best time to go to the dentist? Tooth-hurty. Ok, sorry about that, but I couldn’t resist. What’s worse than that joke? Perhaps a root canal. What’s worse is having the root canal AND learning that you’re the victim of a data breach.

We briefly touched on this in the last Threat Thursday, but we’re continuing to see ransomware attacks targeting dental service providers. This is boutique ransomware, too. Highly customized, not some simple kit you can buy on the dark net.

We know that at least 400 dentist offices nationwide were locked out of their systems and told to pay up or risk losing all their data. From the attacker’s point of view it’s pretty smart: hitting dental offices one at a time would take a lot of work, so why not go after the shared software and service provider used in hundreds of dental offices, on thousands of devices, and lock them all at once.

Here’s our advice:

  • Don’t pay the ransom – seriously, there’s no guarantee the threat actors are going to free your data
  • Backup and recovery – keep backups the ransomware can’t reach from a compromised machine, and actually test that you can restore from them
  • Patch vulnerabilities – on both your own systems and the remote-access tools your providers use
  • Restrict admin privileges – ransomware spreads with whatever rights the account it lands on has
  • Vendor risk management – ask your software and service providers how they protect the access they hold to your systems

What’s on Our Radar

There are some other newsmakers out there. Check out some of the stories we’re following as we head into October:

Never a slow day in security. Be sure to join us on this week’s Threat Thursday webinar and register for future live episodes.

Also, get more insights from me, Chris and our colleagues at Forrester, Crowdstrike, Kenna Security and Morphisec. Register for the FREE, Cybersecurity Virtual Event on October 23, 2019.