
The Fundamentals Still Matter Says the 2026 DBIR – Ep 563 

 June 5, 2026

By Donna Grindle

Are healthcare organizations overcomplicating cybersecurity and missing the basics? In this episode, Donna and David break down the newest Verizon Data Breach Investigations Report and what it really means for hospitals, clinics, and business associates. Despite all the AI headlines and talk about new threats, most breaches still come down to old-school problems—missed patches, credential abuse, and human mistakes. The fundamentals aren’t glamorous, but they’re what keep your data safe. If you’ve ever wondered whether all the new risks really change the game for HIPAA compliance, this episode will help you cut through the noise and focus on what actually matters.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT



Episode Roadmap

[00:00] Why Fundamentals Still Matter: Kicking Off with the Latest DBIR

[03:02] Incident vs. Breach Confusion—Clearing Up the B-Word in Healthcare

[07:22] AI’s Real-World Impact: Faster Attacks, Not Brand-New Threats

[08:18] Common Gaps: MFA, Security Awareness, and Email Protection Lapses

[10:09] Vulnerabilities as the Top Access Point—Why Patching Matters More Than Ever

[14:09] Human Error: Still a Major Breach Source in Healthcare

[21:16] Pretexting and Social Engineering Tactics—Why IT Help Desks Get Targeted

[23:04] Third-Party & Supply Chain Risks—The 18% Year-Over-Year Jump

[27:36] Insider Actions: Unintentional Mistakes vs. Malicious Moves

[41:00] Small Providers & SMBs: Why “We’re Too Small” Is a Myth

[51:26] Four Security Fundamentals Every Organization Needs—From Asset Visibility to Security Culture

[54:17] Ending on the Basics: The Fundamentals Always Win


The Fundamentals Still Matter, Says the 2026 DBIR

This is a massive report, over 100 pages, that is loaded with detailed analysis. We can’t cover all of it even if we wanted to get nerdy with it. We will do our best to point out the important quotes and numbers but you should get your own copy of this report – it will be invaluable to you no matter why you are listening to this podcast.

2026 Data Breach Investigations Report (DBIR) | Verizon

First, note that this is the 19th edition Verizon has put out. Every year they gather more data and analyze more trends. This year's dataset covered roughly 31,000 incidents, including more than 22,000 confirmed data breaches, across 145 countries. Note that the report distinguishes the two: an incident is a security event that compromises the confidentiality, integrity or availability of an information asset, while a breach is an incident that results in the confirmed disclosure of data to an unauthorized party, not just potential exposure.

Here are some quotes, including some of their fun bits of humor, which are always delightful in a report like this.

“And even though this report’s dataset covers Oct 2024 through Nov 2025, both the DBIR team and Verizon are keenly aware of the growing impact and capabilities of AI-augmented vulnerability research and weaponization so far in 2026 based on early indicators and trends observed at the time of publication, and will provide some forward-looking commentary in regards to that where applicable.”

“Exploitation of vulnerabilities, discussed in several sections of the report, has now emerged as the most common way attackers gain initial access into an organization’s environment, which underlines the ongoing importance of getting the basics right. Additionally, as the ancient prophecies foretold (And by ancient, we mean predicted in the past two DBIR reports and mentioned a couple paragraphs ago.), threat actors are increasingly relying on GenAI to assist them with various stages of their attacks, such as choosing targets, gaining a foothold within those targets, conducting vulnerability research, and developing malware and other tools to make their efforts more effective and efficient. Meanwhile, Social Engineering, a longtime fan favorite, is evolving, as well, with attackers increasingly using voice and other mobile-centric techniques to catch people off guard in the middle of the workday.”

A surprising amount of this year’s DBIR comes back to identity, access and credentials. Whether the issue is ransomware, third-party breaches, cloud environments, mobile social engineering, pretexting, infostealers or AI-assisted attacks, the same weaknesses keep showing up over and over again. Attackers are still finding success because organizations continue struggling with the fundamentals: patching old systems, managing credentials, controlling privileges, securing remote access and knowing exactly who has access to what.

The technology keeps evolving and AI may be accelerating the speed of attacks, but the report repeatedly shows that most organizations are not losing because criminals invented some futuristic new attack method overnight. They are losing because the basics are still difficult to do consistently at scale. In many ways, this year’s DBIR feels less like a story about brand new threats and more like a story about attackers becoming faster and more efficient at exploiting the same old weaknesses.

Points of interest in overall numbers

So now that we’ve established the cybersecurity apocalypse is still mostly caused by the same old problems, let’s get into the numbers.

  • Exploitation of vulnerabilities is now the most prominent initial access vector, up 11% over last year.
    • If you count every point in an attack where credentials were abused, not just initial access, credential abuse is still number one at 39%.
  • Median time for full resolution of an attack jumped from 32 days to 43 days.
  • Median amount paid by ransomware victims was down from last year’s $150k to $139,875.

Patching stats were evaluated in a lot of detail, since vulnerabilities are now the name of the game, and that will likely continue based on what we see happening with AI.

  • Data goes back to 2022 so they can see more clearly now some trends.
    • In the first week after a vulnerability is listed in the CISA KEV catalog, only 30-40% of affected organizations have fixed it.
    • There is a lot of data and charts to review in the discussion, but the most important part to know is this statement: “…if faced with the choice of patching a vulnerability that is less than a year old in the KEV but that hasn’t been exploited recently or one that isn’t on the KEV (yet) that your threat intelligence indicates does show recent exploitation history, focusing on the one with recent activity could be a smarter bet.”
    • That advice is backed by a lot of information in the report that we will leave to those who want to do that deep dive.
    • The report basically says organizations are not necessarily getting lazier or worse at patching. They are drowning in volume.
    • Maybe humans physically cannot keep up anymore. This is an area where AI may make a huge difference – unfortunately it will make it on both sides of the equation.
  • The human element is present in 62% of breaches, up slightly from 60% last year; not a big difference.
  • Mobile is becoming the new favorite target for social engineering
    • In phishing simulations, the median rate of successful “click” rates in mobile-centric vectors… is 40% higher than via email.
  • The team made a point of explaining why pretexting is something they are watching in addition to phishing.
    • A significant number of high-profile ransomware breaches used pretexting
    • The mitigation is not necessarily the same
    • So, what they are saying means that we need to add this into our training programs to help people understand the difference especially since mobile devices are being targeted more often.
    • “Training IT help desks and customer support agents to not be helpful and supportive in cases when a threat actor is trying to manipulate them is not as simple as ‘check if the email is external, from a source you trust and if it uses proper language.’”
  • They also did further analysis of the third-party breach stats, since breaches involving a third party (which includes software vulnerabilities, by the way) went up 18% over last year. As they pointed out:
    • This sustained growth has proven impossible to ignore, as many of the year’s most high-profile and well-publicized breaches involved multiple third parties. In several of the more notable campaigns, attackers compromised more than one third-party provider at the same time.
    • They see 3rd party breaches involve data that was breached using one of the following:
      • Vendor in an organization’s software supply chain
      • Vendor hosting an organization’s data in its environment
      • Vendor with connection to an organization’s environment
    • The bad news is that we increasingly see a combination of two of those—or even all three—contributing to a breach.
    • Excessive privileges in cloud environments—be they Infrastructure, Platform or Software as a Service (IaaS, PaaS and SaaS, respectively)— is a pervasive issue. In fact, any considerations on authentication, secret management and obviously MFA are strong points of attention for any cloud environment
    • Credential management is key for vendors no matter how savvy they think they are.

Internal actors were discussed as always. Healthcare is often cited as the number one sector for insider issues, and that is still true today, so we don’t want to skip this point. The report included the following caution that a smaller share of insider breaches does not mean you are safe.

Internal actors may only account for 12% of breaches overall (both unintentional errors and deliberate actions), but when an employee acts maliciously, the blast radius can occasionally rival—or even exceed—that of an External attack. This is especially true when privileged access or sensitive systems are involved.

The most likely insider issue is still your end users. Don’t let that get lost in all the other data.

Let’s touch on AI and how it is being used:

The takeaway from our dataset is that AI’s primary impact is currently operational: automating and scaling techniques defenders already know how to detect, not yet unlocking these novel or rare attack surfaces—which means defensive postures don’t need to be reinvented today, but they do need to keep pace with faster, more adaptive execution. But who knows? Given the rate of change in AI capabilities, this assessment might be obsolete by the time this report is finally published.

We discussed in the last episode that the first known case of AI finding zero-days that were then used in an attack has occurred. So, yeah, it may already be obsolete info. They noted that GenAI is increasingly used to help at different stages of an attack, with threat actors using AI for research or hands-on help across as many as 40 or 50 different techniques.

Healthcare specifics

Breaches take many forms, but in the Healthcare sector, one pattern stands out: Miscellaneous Errors. DBIRs from 2014 through 2026 have shown that Healthcare has been among the most affected by staff mistakes. Miscellaneous Errors has been among the top three patterns each year. The ranking may vary from year to year, but it remains a chronic problem that needs a cure.

This year’s top errors in Healthcare were Misdelivery (data is delivered to the wrong recipient, in any format) Loss (often involving unencrypted user devices and portable media) and Misconfiguration (such as exposing a data store to the internet without appropriate controls). These Misconfigurations are frequently discovered by security researchers who typically make an effort to notify the victim organizations rather than simply take the data for their own use.

Figure 86 illustrates that despite repeated recommendations to implement controls to prevent or limit the impact of such mistakes, these Errors have remained persistent over the years. Controls to combat these kinds of mistakes, which appear in our dataset again and again, would be part of those security fundamentals we mentioned.

SMB analysis

Being a small organization, you may mistakenly think that your threat profile and who would be interested in compromising you are significantly different from everyone else. That is, until you find yourself on the wrong side of a ransomware attack. Overall, SMBs face similar types of threats as everyone else, including the same breach patterns that show across many different industries, and this has been the case for many years now.

Of the Ransomware cases where we have information on the organization size, we found that about 96% of Ransomware victims were SMBs. While SMB Ransomware cases may rarely make the news, they certainly make it into our dataset.

Ransom payment trends

Apparently ransomware gangs are discovering what the rest of us already know: everything costs more and customers don’t want to pay.

The report shows organizations are paying ransoms less often and in smaller amounts. That could be good news for healthcare and SMBs. The ransomware business model may be weakening because fewer victims are paying and the payouts are shrinking. But…. don’t get super excited.

When even ransomware gangs are struggling to hit revenue targets, they make changes just like any other business. Now ransomware gangs have to attack more organizations because fewer victims are paying and the payouts are getting smaller. Combined with the finding that 96% of victims are SMBs, this report shows it is worth reviewing the protections you have in place now if you aren’t already on top of them.

The one thing we should all take away from this if nothing else

The report findings were that many heavily exploited vulnerabilities were not new at all. Some were years old. The boring old vulnerabilities are still paying criminals’ bills.

The high-tech cybersecurity stuff is exciting, but right now attackers are succeeding with plenty of low-tech methods. Keep in mind, once they get in they are able to use software already in place on your computers to do their work (so-called living off the land). They blend in with normal IT behavior on your networks. The attackers stopped dressing like burglars in hoodies and started dressing like your help desk (well, probably still in a hoodie, but a lighter colored one maybe).

Both healthcare and SMB environments often struggle with legacy systems. Worry about getting those old patches cleaned up that weren’t a crisis at the first release but could become one overnight – with or without AI assisting. Definitely, make sure you have all the remote access and management tools accounted for and fully patched.
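The patching advice from the report (recent exploitation activity outranks a quiet KEV entry) and the week-one KEV remediation figure both lend themselves to a small script. What follows is an added example, not code from the DBIR or from the podcast. It ranks unpatched CVEs by recent in-the-wild activity first, KEV listing and known ransomware use next, and then by how many of your hosts are exposed, and it measures what share of KEV entries you fixed within seven days of listing. The catalog entries use the real CISA KEV JSON field names, but every CVE ID, date, host name and patch date is constructed, and the scoring weights are an assumption you should tune rather than a published formula.

```python
"""Rank unpatched vulnerabilities the way the DBIR advice above suggests: recent
exploitation evidence first, KEV listing and ransomware use next, then exposure.
Also measure how many KEV entries were fixed within the first week. The catalog
entries follow the real CISA KEV JSON field names, but every CVE ID, date and
host name here is constructed for the example, and the weights are assumptions."""
from datetime import date

TODAY = date(2025, 11, 30)  # assumed "as of" date for the constructed data

# Constructed KEV-style catalog (same field names as the real catalog JSON).
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-0001", "dateAdded": "2025-03-10",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-0002", "dateAdded": "2025-09-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-0003", "dateAdded": "2023-06-15",
         "knownRansomwareCampaignUse": "Known"},
    ]
}

# Threat-intel feed (constructed): last date each CVE was seen exploited in the wild.
THREAT_INTEL = {
    "CVE-2025-0002": date(2025, 4, 20),   # in KEV, but exploitation has gone quiet
    "CVE-2025-0004": date(2025, 11, 25),  # not in KEV (yet), actively exploited now
    "CVE-2023-0003": date(2025, 11, 28),  # years old, still being hit
}

# Asset inventory (constructed): hosts still carrying each unpatched CVE.
EXPOSED_ASSETS = {
    "CVE-2025-0001": ["vpn-gw-01"],
    "CVE-2025-0002": ["file-srv-03", "file-srv-04"],
    "CVE-2023-0003": ["ehr-app-01", "ehr-app-02", "ehr-db-01"],
    "CVE-2025-0004": ["rmm-srv-01"],
}

# Patch records (constructed): the date each KEV CVE was fully remediated, if ever.
PATCHED_ON = {
    "CVE-2025-0001": date(2025, 3, 15),   # 5 days after KEV listing
    "CVE-2025-0002": date(2025, 10, 1),   # 30 days after KEV listing
}


def kev_index(catalog):
    """Map cveID -> KEV entry for quick lookup."""
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def priority(cve, kev, intel, assets, today=TODAY, recent_days=30):
    """Score one CVE; higher means patch sooner. Returns (score, reasons)."""
    score, reasons = 0, []
    last_seen = intel.get(cve)
    if last_seen is not None and (today - last_seen).days <= recent_days:
        score += 50  # recent in-the-wild activity dominates everything else
        reasons.append(f"exploited within last {recent_days} days")
    entry = kev.get(cve)
    if entry is not None:
        score += 20
        reasons.append("listed in CISA KEV")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 15
            reasons.append("known ransomware use")
    exposed = len(assets.get(cve, []))
    if exposed:
        score += 2 * min(exposed, 10)  # cap so one sprawling CVE cannot swamp the rest
        reasons.append(f"{exposed} exposed host(s)")
    return score, reasons


def rank(kev, intel, assets, today=TODAY):
    """All known CVEs, highest priority first; ties broken by CVE ID."""
    cves = set(kev) | set(intel) | set(assets)
    scored = [(cve, *priority(cve, kev, intel, assets, today)) for cve in cves]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def kev_week_one_rate(kev, patched_on):
    """Fraction of KEV entries remediated within 7 days of their dateAdded."""
    entries = list(kev.values())
    if not entries:
        return 0.0
    on_time = 0
    for entry in entries:
        added = date.fromisoformat(entry["dateAdded"])
        fixed = patched_on.get(entry["cveID"])
        if fixed is not None and (fixed - added).days <= 7:
            on_time += 1
    return on_time / len(entries)


if __name__ == "__main__":
    kev = kev_index(KEV_CATALOG)
    for cve, score, reasons in rank(kev, THREAT_INTEL, EXPOSED_ASSETS):
        print(f"{score:3d}  {cve}  {'; '.join(reasons)}")
    print(f"KEV week-one remediation rate: {kev_week_one_rate(kev, PATCHED_ON):.0%}")
```

With the constructed data, the years-old KEV entry that is still being exploited (CVE-2023-0003) lands on top, the non-KEV CVE with fresh activity (CVE-2025-0004) comes second, and the recent KEV entry whose exploitation went quiet (CVE-2025-0002) comes last, which is exactly the trade-off the report describes. The real CISA KEV catalog is published as JSON with these field names, so `kev_index` can be pointed at a downloaded copy unchanged; the threat-intel and asset feeds are whatever your own tooling exports.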

Actually, in the report they summarized it perfectly in their opening statements:

Amid all this change, one message stays the same: The threat landscape will keep evolving, but the fundamentals still matter most. Organizations that stay grounded in strong cybersecurity basics (clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans along with a culture that supports and enables secure behavior) are better positioned to handle today’s realities and whatever comes next.

We all know the hardest part is often culture and consistency inside organizations. If you aren’t taking this seriously at this point, culture is the core reason. We don’t need to spend massive amounts of money on the latest security technology if we aren’t doing the basics correctly. This is the one quote to post on your wall, your computer or your mirror:

The threat landscape will keep evolving, but the fundamentals still matter most.

If there’s one thing this year’s breach report makes clear, it’s that skipping the basics isn’t just risky—it’s usually where organizations get tripped up. Healthcare keeps seeing the same issues year after year, from missed patches to those “oops” moments with data. If you want to make real progress, focus on the fundamentals and remember, culture plays a bigger role than a lot of people like to admit. For more on what actually moves the needle (and maybe a reminder or two that you’re not alone in this), check out the full conversation.


HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
