New research sheds light on internal errors in healthcare 

By Chris Morales

The technology used in patient treatment for the betterment of health has been undergoing a huge transformation for some time. And this transformation has helped improve the delivery of care in many ways—enabling advancements in mobile technologies, facilitating the development of smaller and more portable medical devices, and providing greater portability and accessibility of digitized patient records.

The widespread deployment of new, innovative medical technologies has also prompted the healthcare industry to become one of the fastest adopters of Internet-of-Medical-Things (IoMT) devices. But there’s a downside to fast expansion of a digital footprint. The rapid growth of medical devices is fueling an unprecedented volume of healthcare data about all of us—and most people are unaware of what or where those devices are.

This vast amount of data, coupled with the need for fast, easy access to ensure 24/7 healthcare delivery, has created an ever-expanding attack surface that can be exploited by cybercriminals. In fact, a Vectra 2019 Spotlight Report on Healthcare, based on anonymized customer metadata, identified an important trend in internal user error. Lapses in the proper implementation of a security plan or gaps in policies and procedures were a common problem, which could result in errors by staff members, leaving healthcare organizations exposed to theft or data loss.

Identifying a Pattern of Incidents

Echoing what Vectra observed from its own healthcare customers, the Verizon 2018 Data Breach Investigations Report indicated that a key security risk for the healthcare industry is its susceptibility to internal errors and misuse. The report illustrates that the healthcare industry faces the highest risk from accidental or intentional insider threats—not external threats. While the Vectra Spotlight Report on Healthcare was based on 2018 anonymized customer metadata, the 2018 Verizon report drew on 2017 breach disclosure research, so there was a one-year gap between the two sets of observed behaviors.

Since Verizon released its new 2019 Data Breach Investigations Report, I was interested in understanding what had changed in healthcare since the 2018 report. The new Verizon report covers the same period as the 2019 Vectra Spotlight Report on Healthcare. Unsurprisingly, not much changed in the Verizon report from 2018 to 2019. The findings for healthcare appear to be nearly identical. The variances are broken down in the following table:

| | 2018 | 2019 |
|---|---|---|
| Frequency | 750 incidents, 536 with confirmed data disclosure | 466 incidents, 304 with confirmed data disclosure |
| Top 3 patterns | Miscellaneous errors, crimeware, and privilege misuse represent 63% of incidents in healthcare. | Miscellaneous errors, privilege misuse, and web applications represent 81% of incidents in healthcare. |
| Threat actors | 56% internal, 43% external, 4% partner, and 2% multiple parties | 59% internal, 42% external, 4% partner, and 3% multiple parties |
| Actor motives | 75% financial, 13% fun, 5% convenience, 5% espionage | 83% financial, 6% fun, 3% convenience, 3% grudge, and 2% espionage |
| Data compromised | 79% medical, 37% personal, 4% payment | 72% medical, 34% personal, 25% credentials |

The obvious difference is the frequency of breaches, with 750 incidents reported in 2018, compared to 466 reported incidents in 2019. This downward trend is clearly reassuring, as is the lower number of confirmed data disclosures. While examining the rest of the data, I also found the same patterns of miscellaneous errors along with the same threat actors, motives, and types of data compromised.

Verizon also disclosed the total count and percentages of the types of actions taken in incidents. When comparing those metrics from a raw-numbers view, 2019 had far fewer incidents, as the total number of incidents across the year trended downward. But when I compared the actions taken based on percentages, the numbers were very consistent year over year, with only a few percentage points of difference between most of them.

| Actions (incidents) | 2018 count | 2019 count |
|---|---|---|
| Error | 203 (27%) | 79 (25%) |
| Hacking | 139 (19%) | 58 (19%) |
| Misuse | 138 (18%) | 51 (17%) |
| Social | 105 (14%) | 48 (16%) |
| Physical | 87 (12%) | 14 (5%) |

The takeaway from comparing research from Vectra and Verizon? The problem of internal errors in healthcare is very real and, most importantly, an issue that impacts us all. Moreover, healthcare is constantly challenged to balance security and policy enforcement with usability and efficiency. This is because healthcare organizations are struggling with managing legacy systems and medical devices that, for many reasons, don’t always have the best security controls.

Risk and Exposure

Healthcare IT security teams are often kept in the dark and behind the curve when it comes to changes in infrastructure. For example, new IoMT devices are often connected to the network without informing IT security teams. Furthermore, gaps in IT security policies and procedures make it easier for healthcare staff to make unintentional errors that result in exposure and increased security risk. This can take the form of improper handling and storage of patient files, which is a soft spot for cybercriminals looking for weaknesses to exploit.

Attackers intent on stealing personally identifiable information and protected health information can easily exploit this vulnerable attack surface and disrupt critical healthcare delivery processes. Yet vulnerable processes persist, and weak trust models often remain in place.

Reducing Discovery Time

When you factor in the time it takes lean security teams to discover a data breach, it becomes apparent that healthcare organizations must be more vigilant about what happens inside their networks. It’s critically important to know the difference between an attack-in-progress versus network traffic that is associated with business as usual. It’s unacceptable—and embarrassing—to find out weeks, months, or years later that a breach occurred.

I believe that the answer lies in 360-degree visibility inside the network, real-time attacker detection, and the prioritization of all detected threats—from cloud and data center workloads to user and IoT devices. However, that answer must address the challenges I mentioned earlier. Here are four ways we can get there:

  1. Eliminate the manual, time-consuming work of security analysts.
  2. Consider that everything is connected, which makes it an easy target.
  3. Provide visibility inside the network to see connected devices and know what they are doing.
  4. Work with medical device manufacturers to provide minimum security baselines to any connected devices.

This is the fundamental approach advocated by a growing number of healthcare organizations. In addition to working with medical device manufacturers to improve device security, many healthcare providers are augmenting their security teams with artificial intelligence to automate the detection and triage of cyberattacks in the network while speeding up incident response. It’s a battle that’s been won by many healthcare organizations.

2019 Spotlight Report on Healthcare

To share our own observations, we published the 2019 Spotlight Report on Healthcare, which reveals behaviors and trends in networks from a sample of 354 opt-in enterprise organizations in healthcare and eight other industries.

Further, the 2019 RSA Conference Edition of the Attacker Behavior Industry Report from Vectra provides a breakdown of behavior-detection statistics by industry. It shows network behaviors that are consistent with threats across the attack lifecycle, including botnet monetization, command and control, internal reconnaissance, lateral movement, and data exfiltration.

Christopher Morales is the head of security analytics at San Jose, Calif.-based Vectra. Questions and comments can be directed to chief editor Keri Forsythe-Stephens at [email protected].