2024 Velocity Healthcare Data Breach Report

In its third annual healthcare data breach report, Stern Security has critically analyzed over 5,900 data breaches since the Department of Health and Human Services (HHS) began tracking the information in 2009. Stern Security utilized data from their HealthcareBreaches.com website as well as published information from HHS to create this comprehensive 2024 Velocity Healthcare Data Breach Report. Stern Security augmented the HHS data by investigating every breach in 2023 to fully understand the cause of the incident.

This report shows critical insights into healthcare breach trends over the past 14 years. It covers everything from the number of breaches attributed to ransomware to the number attributed to third parties (business associates). This year, Stern Security has added a new breach categorization – the number of breaches due to the MOVEit file transfer software vulnerability. Review the report to see the significant impact that the MOVEit 0-day had on the healthcare industry. Once again, multiple breach milestones were set, with more healthcare breaches occurring and more records exposed in 2023 than in any previous year. This report puts forth the detailed analysis.

We sincerely thank our sponsors, Trend Micro and the Raleigh ISSA Chapter, whose contributions enable the ongoing pursuit of this important research and the free sharing of our findings.

Report

The full 2024 Velocity Healthcare Data Breach Report can be downloaded below.

Automate SOC 2 Report Reviews

System and Organization Control (SOC) report reviews are a common part of the third-party due diligence function.  These reports can be lengthy, contain elements that you really need to understand and agree to, and require knowing how to review them properly; different reviewers may also produce different results.  It is not sufficient to search only for exceptions noted in the report.  Your team members have better things to do than read through SOC 2 reports all day.  So, how can you automate SOC 2 report reviews?  Velocity automates this for you!

Details

Velocity automates all the items necessary to properly review a SOC 2 report including, but not limited to, exceptions, management responses, trust criteria, ensuring the vendor and product match the expected solution, and more.  The platform also extracts the “Complementary User Entity Controls” or CUECs and creates an “Acceptance” column so customers can formally agree to each control that they are responsible for.  Velocity creates an executive report that customers can read instead of having to read a lengthy SOC 2 report.  Customers can include details in the report such as listing the type of data that the vendor has access to.

Benefits

  1. Speed – Velocity will give you time back in your day by automating the SOC 2 report review process.
  2. Consistency – A company may have multiple employees that analyze a SOC 2 report differently.  Velocity’s automation gives consistent results every time.
  3. Accuracy – An employee may miss something when reviewing a SOC 2 report.  Missed details can be costly for a company as this is the process used to identify risks within a third-party.  Velocity is not only fast and consistent, but also accurate with the reviews.  Velocity knows how to properly review a SOC report as it was built by practitioners.
  4. Documenting Third-Party Due Diligence – Collecting a SOC 2 report is not enough.  Companies need to document that they reviewed the SOC 2 report and Velocity provides a simple way to do that.

Full Assessment

Even after leveraging the automation within Velocity to review the vendor SOC 2 report, customers can still launch a full assessment on the vendor.  For example, let’s say a customer receives a vendor SOC 2 report and uploads it into Velocity.  The executive report that Velocity generates may contain concerning information about the vendor’s security posture.  The customer can then choose to launch a full velocity assessment on the vendor to fully address the concerns and determine when the vendor will resolve the issues.

Conclusion

There is limited time in the day and Velocity is your go-to platform for automating SOC 2 reviews.  Velocity has the benefits of speed, consistency, accuracy, and provides a way for customers to document their third-party review process.

SOC It to Me: How to Properly Review a SOC Report

System and Organization Control (SOC) reports have quickly become a standard request for SaaS application providers in order for customers to perform a security due diligence review.  So, are all SOC reports the same?  No!  Should you read the SOC report?  Absolutely!  How should you properly review a SOC report?  Read on 🙂

Background

SOC audits are only performed by a Certified Public Accountant (CPA) firm in accordance with the American Institute of Certified Public Accountants (AICPA) guidelines.  The point of the examination is to measure the effectiveness of an organization’s controls and safeguards by an independent third party.

SOC Report Types

There are several types of SOC Reports as seen in the table below.  The most often requested is the SOC 2 Type II as it covers a range of trust criteria and is an examination of controls over a period of time.

| Type | Time Period | Details |
|---|---|---|
| SOC 1 Type I | Point in time examination | Examines internal controls for financial reporting. |
| SOC 1 Type II | Examination over a period of time | Examines internal controls for financial reporting. |
| SOC 2 Type I | Point in time examination | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. |
| SOC 2 Type II | Examination over a period of time | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. |
| SOC 3 | | Public facing report that is much less detailed and is used for marketing or public distribution.  Less detailed version of a SOC 2 Type II. |

Reviewing the SOC 2 Report

While all SOC reports generally have the same format, they vary in thoroughness depending on the auditing firm.  Additionally, these examinations are not pass/fail and should be reviewed to fully understand the controls in place within an organization.  The examinations cover controls that are in place for the trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that the audited company chooses to be examined on.  The auditor chooses a list of controls within audit categories to include in the examination.  SOC reports can be over 100 pages long; the following are some areas that a reviewer should focus on.

Company and Scope

It may sound obvious, but a reviewer must ensure that the SOC 2 Type II report is for the vendor and for the specific solution being evaluated.  There are many times where Software as a Service (SaaS) companies give customers a SOC report for a cloud hosting provider (ex. AWS or Azure) because that’s where the solution is hosted.  Unfortunately, the hosting provider’s SOC report does not cover the SaaS solution itself.  Instead, the SaaS solution should have its own SOC report.

SOC Report Type

As explained above, there are different types of SOC reports.  The SOC 2 Type II is the strongest and is frequently requested. 

Trust Criteria

Companies select which trust criteria they want the examination to cover.  The options are the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy.  Most examinations include at least the Security trust criteria.  It is important that the reviewer knows which trust criteria are included and whether the auditor states that those trust criteria are met.

Audit Period

SOC 2 Type II reports are examinations of controls over a specific audit period.  A reviewer should ensure that the audit period is recent.

Complementary User Entity Controls (CUECs)

SOC reports have a section titled “Complementary User Entity Controls” or CUECs.  These are controls that the company states that the customer is responsible for.  It is incredibly important that the customer understands what responsibilities the solution provider is putting back on them.

Audit Exceptions & Manager’s Response

While the audit is not pass/fail, the auditor does state whether certain controls were not present.  These are usually listed as “exceptions” in a large table of controls that were reviewed during the examination.  If there are any exceptions, the company can provide their explanation in a “Manager’s Response” section at the end of the report.  For example, if an audit discovers that an employee’s access was not terminated immediately after dismissal, the company can respond by saying they now have procedures in place to immediately disable access upon any termination.

Audit Detail

Every audit firm is different, and some may perform more comprehensive audits than others.  While it can be tough to determine the strength of an audit, a reviewer should read the entire report to understand the level of scrutiny that was performed.  For example, a reviewer could see if the auditor reviewed penetration testing reports and see any details that the auditor provided around that control.  A company can obtain a SOC report without having great security in place.  The auditors should have the expert knowledge to conduct the examination per the specified trust criteria, but unfortunately this is not always the case.
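As an added example that is not part of this article and not Stern Security’s Velocity product, the following Python script turns the review steps above (company and scope, report type, trust criteria, audit period, CUECs, exceptions and management’s response) into a checklist run over a structured summary of a SOC report.  The SocReport model, the review_soc2 and review_example_vendor functions, and the two sample reports are assumptions constructed for the example; a reviewer would transcribe the fields from the actual PDF.

```python
from dataclasses import dataclass, field
from datetime import date

# Structured summary of a SOC report as a reviewer would transcribe it from the PDF.
# Constructed model for this example; the field names are assumptions, not a standard.
@dataclass
class SocReport:
    service_org: str                  # organization named in the auditor's opinion
    system: str                       # system or solution the report describes
    soc_type: str                     # "SOC 1", "SOC 2" or "SOC 3"
    period_type: str                  # "Type I" or "Type II"
    period_start: "date | None"       # None for a Type I point-in-time report
    period_end: date                  # examination date (Type I) or period end (Type II)
    criteria: set = field(default_factory=set)      # trust services criteria in scope
    exceptions: list = field(default_factory=list)  # {"control": str, "response": str or None}
    cuecs: list = field(default_factory=list)       # complementary user entity controls

def _same_name(a, b):
    # Loose match: case-insensitive, alphanumerics only, so "Example SaaS, Inc." matches "Example SaaS".
    norm = lambda s: "".join(ch for ch in s.lower() if ch.isalnum())
    return norm(a) in norm(b) or norm(b) in norm(a)

def review_soc2(report, expected_vendor, expected_system, required_criteria,
                accepted_cuecs, today, max_age_days=365):
    """Walk the review steps from the article; returns a list of (severity, message)."""
    findings = []
    # 1. Company and scope: the report must be for the vendor and the solution under
    #    review, not for the cloud provider that merely hosts it.
    if not _same_name(report.service_org, expected_vendor):
        findings.append(("HIGH", f"Report covers '{report.service_org}', not "
                                 f"'{expected_vendor}' (possibly a hosting provider's report)"))
    if not _same_name(report.system, expected_system):
        findings.append(("HIGH", f"Report describes '{report.system}', not '{expected_system}'"))
    # 2. Report type: SOC 2 Type II is the strongest form and the one to expect.
    if report.soc_type != "SOC 2" or report.period_type != "Type II":
        findings.append(("MEDIUM", f"{report.soc_type} {report.period_type} received; "
                                   "SOC 2 Type II expected"))
    # 3. Trust criteria: every criterion the customer requires must be in scope.
    missing = set(required_criteria) - set(report.criteria)
    if missing:
        findings.append(("HIGH", f"Required trust criteria not covered: {sorted(missing)}"))
    # 4. Audit period: a Type II report must state a period, and the period must be recent.
    if report.period_type == "Type II" and report.period_start is None:
        findings.append(("HIGH", "Type II report without a stated audit period"))
    age = (today - report.period_end).days
    if age < 0:
        findings.append(("HIGH", "Audit period ends in the future; check the report date"))
    elif age > max_age_days:
        findings.append(("MEDIUM", f"Audit period ended {age} days ago (limit {max_age_days}); "
                                   "request a current report"))
    # 5. CUECs: each control the vendor pushes back to the customer needs explicit acceptance.
    for cuec in report.cuecs:
        if cuec not in accepted_cuecs:
            findings.append(("MEDIUM", f"CUEC not yet accepted by customer: {cuec}"))
    # 6. Exceptions and management's response: unanswered exceptions are the biggest gaps.
    for exc in report.exceptions:
        if exc.get("response"):
            findings.append(("LOW", f"Exception on '{exc['control']}' has a management "
                                    "response; verify the remediation"))
        else:
            findings.append(("HIGH", f"Exception on '{exc['control']}' with no management response"))
    return findings

def summarize(findings):
    """Count findings by severity to decide whether a full vendor assessment is warranted."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts

# Constructed sample 1: the SaaS vendor handed over its hosting provider's report.
HOSTING_REPORT = SocReport(
    service_org="Example Cloud Hosting Co", system="Example Cloud Platform",
    soc_type="SOC 2", period_type="Type II",
    period_start=date(2022, 10, 1), period_end=date(2023, 9, 30),
    criteria={"Security", "Availability"})

# Constructed sample 2: the vendor's own report, with one exception and two CUECs.
VENDOR_REPORT = SocReport(
    service_org="Example SaaS, Inc.", system="Example Patient Portal",
    soc_type="SOC 2", period_type="Type II",
    period_start=date(2023, 1, 1), period_end=date(2023, 12, 31),
    criteria={"Security", "Confidentiality"},
    exceptions=[{"control": "Timely removal of terminated user access",
                 "response": "Offboarding now disables accounts the same day."}],
    cuecs=["Customer enables MFA for all portal users",
           "Customer reviews user access quarterly"])

TODAY = date(2024, 3, 1)   # fixed review date so the example is reproducible

def review_example_vendor(report, today=TODAY):
    """Review a report against the constructed expectations the customer has of Example SaaS."""
    return review_soc2(report, "Example SaaS", "Example Patient Portal",
                       {"Security", "Confidentiality"},
                       {"Customer enables MFA for all portal users"}, today)

if __name__ == "__main__":
    print(summarize(review_example_vendor(HOSTING_REPORT)), summarize(review_example_vendor(VENDOR_REPORT)))
```

Run against the hosting provider’s report, the checklist raises three HIGH findings (wrong company, wrong system, Confidentiality not in scope), which is exactly the scope mistake described under Company and Scope; the vendor’s own report yields only an unaccepted CUEC and an exception that already carries a management response.  The 365-day recency limit is an assumption; adjust max_age_days to your own due diligence policy.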

How Can I Automate the Review of a SOC Report?

We get it, you’re busy and often do not have time to thoroughly review a SOC report.  While security professionals are often the individuals responsible for reviewing these reports, this process is not what they were trained for, nor should they have to prioritize these reviews over more pressing cybersecurity tasks.  Thankfully there is a solution for this.  Stern Security’s Velocity product has automated this entire SOC review process.  Instead of spending an hour reviewing the 100+ page report, Velocity analyzes it for you, outputs a summary, and highlights any areas of concern.  This is why Velocity is often called “A CISO’s Best Friend”.  Velocity helps security professionals utilize their time much more efficiently.  Sign up for Velocity and start automating these SOC report reviews today.

Conclusion

All SOC reports are different, and each should be thoroughly reviewed to understand coverage, compliance, and areas of concern.  Companies can obtain a SOC report without having great security in place.  Velocity can automate the SOC report review process in order to make teams more efficient and effective.

Red Team vs Blue Team vs Purple Team Cybersecurity Roles

A well-run cybersecurity team operates like a beautiful orchestra, each individual knowing their part and contributing to the same goal.  A cybersecurity team may consist of team members wearing numerous hats ranging from management, to defensive, and offensive security.  The offensive team members will attack their own organization to find vulnerabilities so the other teams can resolve the issues.  The defenders will deploy security software and hardware to shield the organization from attack.  Cybersecurity professionals have given color codes to roles within the security orchestra including “Red Team”, “Blue Team”, and “Purple Team”. So what is the difference between a Red Team, a Blue Team, and a Purple Team in cybersecurity?  At a high level, the Red Team focuses on offensive security (attacking), the Blue Team works on defending the organization, and the Purple Team is a collaborative effort between the Red Team and Blue Team.

Red Team Details

The Red Team performs the offensive security functions within the organization.  In other words, the Red Team mimics the Tactics, Techniques, and Procedures (TTPs) of real attackers to discover vulnerabilities, exploit them, and gain access to data.  The Red Team is comprised of penetration testers (ethical hackers).  The Red Team will provide the organization with reports of the discovered vulnerabilities.  Members of the Red Team often have cybersecurity certifications geared towards penetration testing.  Some of the common certifications for Red Teamers include:

  • OSCP (Offensive Security Certified Professional)
  • GPEN (SANS GIAC Penetration Tester)
  • PenTest+ (from CompTIA)
  • GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
  • Offensive Security Wireless Professional (OSWP)
  • Burp Suite Certified Practitioner (BSCP)

Blue Team Details

The Blue Team performs the defensive security measures within the organization.  They utilize tools and strategies such as SIEMs (Security Information and Event Management systems), IPS/IDS (Intrusion Prevention System / Intrusion Detection System), Firewalls, NAC (Network Access Control), Endpoint Protection, File Permission Restrictions, DLP (Data Loss Prevention), Email Protection, Security Awareness Training, and more.  Blue Team members have a wide area of knowledge in order to defend the organization from attack.

Some common certifications on the Blue Team side include, but are not limited to:

  • CompTIA Security+
  • GIAC Certified Incident Handler Certification (GCIH)
  • GIAC Security Essentials (GSEC)
  • Certified Cloud Security Professional (CCSP)
  • Certified SOC Analyst (CSA)
  • Certified Threat Intelligence Analyst (CTIA)
  • Certified Cyber Forensics Professional (CCFP)
  • CompTIA Cybersecurity Analyst (CySA+)
  • Systems Security Certified Practitioner (SSCP)
  • Certified Information Systems Security Professional (CISSP)
  • Various product-specific certifications

Purple Team Details

The Purple Team is generally a collaborative effort between the Blue Team and the Red Team.  The Red Team may walk through various stages of an attack using a framework such as MITRE ATT&CK. At the same time, the Blue Team will see which attacks are discovered or blocked and make changes as appropriate.  This collaborative effort between teams helps streamline improvements to the security posture.  Another positive outcome from the teams working together is that instead of feeling bad when an attack succeeds or fails, both teams are learning from each other and understand that they are working towards the same goal.

How Can Stern Security Help?

Stern Security has extensive experience working with organizations on Purple Team engagements.  The company emulates known threat actors using their Tactics, Techniques, and Procedures (TTPs) to work through the various stages of an attack as charted within the MITRE ATT&CK Framework.  Stern Security works with an organization’s Blue Team to see which attacks are discovered, which are blocked, and which bypass defenses.  Our team also helps Blue Teams design defenses to block similar attacks in the future.  To top it off, Stern Security gives the Blue Team kudos for all mitigated attacks.  Expert penetration testing is also one of our organization’s most popular service offerings.  Stern Security’s Velocity application can be used to perform internal risk assessments, identify gaps, and view actionable recommendations to improve security.

Conclusion

Within a cybersecurity team, Blue Teams are defensive, Red Teams are offensive, and Purple Teams are a collaborative effort between the Blue and Red Teams.  Individuals within these groups may have different skillsets and certifications, but they are all working towards reducing risk within the organization.

Top Tips to Stay Safe Online

Background

Technology has dramatically changed almost all aspects of human life, giving us amazing communication ability, a healthcare revolution, financial opportunities, and safe energy, all growing at exponential rates. These benefits become risks if the technology is not made secure. At Stern Security, our mission is to secure the planet, business by business, industry by industry. Everyone can play a part and make a difference. You can start today by educating your loved ones about securing their data and identities. Businesses have a critical role to play and can join us in this battle to safeguard the planet. Review the top 10 online safety tips below to protect yourself and your family.

Top 10 Online Safety Tips

  1. Enable Two-Factor Authentication – Passwords alone cannot protect your online accounts.  Criminals can easily guess or steal passwords to get into your email, social media, or banking sites.  Two-factor authentication (2FA), sometimes called “multi-factor authentication” (MFA), is an extra layer of security that uses a second item to confirm your identity.  This second item may be your phone, fingerprint, or a device plugged into your computer.  For example, in addition to your password, a website may send a code to your phone that you need to type in.  A criminal would now need to steal your password and gain access to your phone in order to get into your account. Here is a large list of online services with their instructions on how to enable two-factor authentication: https://2fa.directory/
  2. Freeze Your Credit – If your personal information is stolen, a criminal may try to open credit cards or obtain a loan in your name.  By freezing your credit, access to your credit report will be restricted, which will limit the ability for new loans or credit cards to be opened.  Your credit can be unfrozen any time you need to get your credit pulled.  Freezing your credit is free, and to do this you will need to contact each of the three credit bureaus: Equifax, Experian, and TransUnion.  There are many third-party services that will offer to do this for you, but do not use these third-party services.  This government website will direct you to each of the three credit bureaus to help set up credit freezes and fraud alerts: https://www.identitytheft.gov/#/CreditBureauContacts
  3. Keep Devices Updated – Your phones, tablets, laptops, and desktops all need to get updated regularly to receive the latest protection.  Set your devices and apps to update automatically to receive the latest security patches. 
  4. Backup Important Files – It is crucial to back up your important files on your devices.  In the case your device is stolen, damaged, or infected with ransomware, you will need a way to get your important files back.  There are many services that can help you back up your information such as iCloud on Mac devices, OneDrive on Windows, Google Drive on Android, Dropbox, etc.  You can even back up to a USB drive and store it somewhere safe.  It is a good idea to have at least one backup that is not always connected to your computer so if your computer gets infected with malware (ex. ransomware), it cannot affect your backup.
  5. Limit Posting Personal Info – Anything that you post online can be used by criminals to get access to your accounts, physical property, or even get access to you.  If your banking account is protected by secret questions such as “What was the name of your first pet?”, criminals may read your social media posts to find that information.  If you post online that you’re going on vacation, criminals know that no one is at your house.  It is important to also speak to kids about speaking to strangers online or posting information that could endanger their safety.  You can also make some of your online accounts private if you don’t need many people to see the information.
  6. Use a Password Manager – Passwords can be difficult to remember, especially if you need to make complex passwords and if you have many accounts.  People tend to use the same or similar password across all of their accounts to make things easy.  Unfortunately, criminals know this, and if they get into one of your accounts, they can get into all of your accounts if they have the same password or use a similar pattern.  Password managers should be used to create long random passwords for all of your accounts.  All you need to do is remember one password – the master password to your password manager.  Your master password/passphrase should be long, like a phrase or sentence that is personal to you, so it is not easy to guess.  A couple of examples of password managers include Apple’s iCloud Keychain and 1Password. Remember to enable 2-factor authentication on your password manager!
  7. Email Cautions – Criminals know they can reach you via email so this is how many attacks start.  They will try to send you phishing emails to entice you to click on a link and enter your password.  They may try to send malicious attachments or links to infect your device.  Even if you recognize the sender, if you’re suspicious about any email, delete it.  If you know the sender, you can always call them to see if they really sent the message.  When in doubt, throw it out.
  8. Public Wi-Fi Cautions – Wireless internet access in public places like airports and coffee shops is convenient, but can be unsafe. These connections may be unencrypted, or criminals may be using them to attack your device.  If possible, try using your mobile phone’s cellular connection as a hotspot instead.  If you must use public Wi-Fi (wireless), use it with a VPN.
  9. Encrypt Your Devices – Devices get lost or stolen.  When your laptop goes missing, others can access your files if the device is not encrypted… even if you have a password on your computer.  Encrypting your computer is free and easy.  Macs have FileVault and PCs have BitLocker, which are both included with your computer (PCs may need a pro version of their operating system).  Your mobile phones should have their own built-in solutions to encrypt the device.
  10. Antivirus / Antimalware – Both Macs and PCs get infected by malware, so it is crucial that you install endpoint protection on these devices.

If you take care of these 10 items, you will be in very good shape to protect yourself and your information.  Spread the word by helping your family and friends to do the same.  Secure The Planet!

Updated on August 30th, 2023: Added additional information on password managers.