Quantifying the MOVEit 0-day Impact on the Healthcare Industry

Oct 1, 2024 | Education, Research

Background

In 2023, Progress Software’s MOVEit file transfer application was the source of a dangerous zero-day vulnerability.  Criminals that exploited this vulnerability were able to gain full access to the files on MOVEit servers.  The research from Stern Security’s 2024 healthcare breach report showed that this MOVEit breach was the cause of 25.9% of the protected health information (PHI) lost last year.  Quantifying the MOVEit 0-day’s impact on healthcare is essential to understanding the full extent of this vulnerability.

MOVEit Incident

Progress Software announced the critical vulnerability in their MOVEit software on May 31, 2023.  Unfortunately, there was evidence that this vulnerability was already being exploited by at least May 27, 2023.  Eventually, the Cl0p ransomware group claimed responsibility for this incident.  The first healthcare breach due to the MOVEit 0-day was announced on June 11, 2023, and the last was on December 8, 2023.  According to the 2024 Ponemon Data Breach report, the average number of days to discover a data breach was 258 days, which makes it easier to understand why healthcare MOVEit breaches were still being reported so late in the year (192 days later).

Quantifying the Impact

By the end of 2023, there were 42 healthcare breaches attributed to the MOVEit vulnerability.  Thirty-one (31) of these breaches were at third parties (business associates of the healthcare organization) and eleven (11) occurred at covered entity locations (healthcare organizations).  These 42 breaches resulted in the exposure of 41,380,105 protected health information (PHI) records.  While there were 708 total reported healthcare breaches last year, the 42 MOVEit breaches accounted for 25.9% of the PHI exposed!

25.9% of Protected Health Information (PHI) Lost in 2023 was due to the MOVEit vulnerability

Third parties have a significant impact on breach costs.  According to the 2024 Ponemon Breach Report, a third-party breach increases the breach cost by an average of $240,599.  In 2023, most (73.8%) of the healthcare MOVEit breaches occurred at a third party!

73.8% of the Healthcare MOVEit breaches in 2023 involved third parties

To quantify this impact, we multiply the average breach cost in healthcare ($9,770,000) by the 42 breaches attributed to this incident to get $410,340,000.

42 breaches × $9,770,000 = $410,340,000

The results show us that the MOVEit breach cost an estimated $410 million in losses!  To put this number in perspective, this is roughly the amount that FEMA (Federal Emergency Management Agency) allocated to Puerto Rico’s recovery efforts from Hurricane Maria ($412 million).  While this was a digital disaster as opposed to a natural disaster, the dollar figures were comparable.

$410M - Comparable cost between MOVEit breach on the healthcare industry and FEMA’s response to Hurricane Maria
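As an added illustration (not part of the original post), the following Python helper applies the cost model used above and, going one step beyond the page's own estimate, also folds in the Ponemon per-breach third-party surcharge cited earlier. All figures are the ones on this page; adding the surcharge per third-party breach is an assumption about how to combine them, and the derived per-record cost and FEMA ratio are computed here, not quoted.

```python
from dataclasses import dataclass

# Figures as reported on this page (2023 healthcare MOVEit breaches and
# the 2024 IBM/Ponemon Cost of a Data Breach averages it cites).
TOTAL_BREACHES = 42
THIRD_PARTY_BREACHES = 31
PHI_RECORDS_EXPOSED = 41_380_105
AVG_HEALTHCARE_BREACH_COST = 9_770_000   # USD per breach
THIRD_PARTY_SURCHARGE = 240_599          # USD added per third-party breach
FEMA_MARIA_GRANT = 412_000_000           # USD, the page's comparison point


@dataclass(frozen=True)
class ImpactEstimate:
    baseline_cost: int          # breaches x average cost (the page's figure)
    third_party_surcharge: int  # extra cost attributed to third-party breaches
    adjusted_cost: int          # baseline plus surcharge (assumed combination)
    third_party_share: float    # fraction of breaches that were third-party
    cost_per_record: float      # baseline cost spread over exposed PHI records
    ratio_to_fema_grant: float  # baseline cost relative to the FEMA grant


def quantify_impact(breaches: int, third_party: int, records: int,
                    avg_cost: int = AVG_HEALTHCARE_BREACH_COST,
                    surcharge: int = THIRD_PARTY_SURCHARGE,
                    comparison: int = FEMA_MARIA_GRANT) -> ImpactEstimate:
    """Estimate incident cost the way the page does (count x average cost),
    then add the per-breach third-party surcharge as an adjusted figure."""
    if breaches <= 0 or not 0 <= third_party <= breaches or records <= 0:
        raise ValueError("need breaches > 0, 0 <= third_party <= breaches, records > 0")
    baseline = breaches * avg_cost
    extra = third_party * surcharge
    return ImpactEstimate(
        baseline_cost=baseline,
        third_party_surcharge=extra,
        adjusted_cost=baseline + extra,
        third_party_share=third_party / breaches,
        cost_per_record=baseline / records,
        ratio_to_fema_grant=baseline / comparison,
    )


if __name__ == "__main__":
    est = quantify_impact(TOTAL_BREACHES, THIRD_PARTY_BREACHES, PHI_RECORDS_EXPOSED)
    print(f"Baseline estimate:      ${est.baseline_cost:,}")
    print(f"Third-party surcharge:  ${est.third_party_surcharge:,}")
    print(f"Adjusted estimate:      ${est.adjusted_cost:,}")
    print(f"Third-party share:      {est.third_party_share:.1%}")
    print(f"Cost per PHI record:    ${est.cost_per_record:,.2f}")
    print(f"Relative to FEMA grant: {est.ratio_to_fema_grant:.2f}x")
```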

Solutions to Reduce Risk

There are numerous protective measures that organizations can take to reduce the risk of another “MOVEit” incident.

  1. Risk Analysis – Every organization should perform a thorough risk analysis to understand the organization’s susceptibility to the latest threats.
  2. Patching – Immediately patch critical vulnerabilities, especially if the assets are exposed or contain sensitive information.  In the case of MOVEit systems, these file transfer servers are generally exposed to the internet so immediately patching a critical flaw is essential.
  3. Minimize Data – Organizations should only store the data necessary to complete their tasks.  Once the data is no longer needed, securely store or dispose of it.  On file transfer servers such as MOVEit, organizations should remove the transferred data immediately after use.  MOVEit servers should not be treated like file storage systems that permanently hold data.
  4. Penetration Testing – Controls should be tested for effectiveness in comprehensive penetration testing engagements. 
  5. Vulnerability Scanning – Vulnerability scanners should discover unpatched systems.  Externally exposed systems such as file transfer servers should be scanned more frequently.
  6. Limit Access – If a server does not need to be accessible to the entire internet, then limit access to the necessary sources and destinations.  Firewall rules can greatly reduce the threat exposure of a system.
  7. Third-Party Risk Management (TPRM) – Most of the MOVEit breaches involved third parties.  It is critical to perform accurate third-party risk management, especially if your third parties have access to sensitive data such as Protected Health Information (PHI).

Conclusion

The MOVEit 0-day vulnerability was one of the most impactful vulnerabilities of all time.  It cost the healthcare industry an estimated $410 million and exposed 41,380,105 protected health information (PHI) records.  The financial impact is similar to the amount that FEMA allocated to Puerto Rico’s recovery efforts from Hurricane Maria.  Performing cyber risk quantification on incidents provides the opportunity to show business impact in financial terms, which is of the utmost importance to leadership.  Utilizing quantifiable data can help organizations obtain the resources needed to protect themselves.

Bibliography

Cost of a Data Breach Report 2024. (2024). Retrieved from IBM.com: https://www.ibm.com/reports/data-breach

FEMA Awards More than $412 Million in Additional Federal Grants for Puerto Rico. (2018, September 12). Retrieved from FEMA.gov: https://www.fema.gov/press-release/20230502/fema-awards-more-412-million-additional-federal-grants-puerto-rico