Kroll released its third annual Cyber Security Trends.
94% of healthcare organizations had at least one data breach in the last two years, with the average economic impact of a data breach at $2.4 million, according to the Ponemon Institute. As the healthcare industry increases its EHR adoption, mobile health access and BYOD demands, healthcare organizations must ensure the safety of patient data.
This week, Kroll, the global leader in risk mitigation and response solutions, released its third annual Cyber Security Trends, a prediction of the most significant cyber issues healthcare organizations will confront in 2014. The forecast highlights seven security trends that Kroll expects organizations to confront in 2014:
1. As Cloud and BYOD adoption continues to accelerate, greater accountability will be required for implementing policies and managing technologies.
The development and evolution of Cloud services and BYOD has moved at a whirlwind pace, leaving IT departments scrambling to get out in front of the technologies and employee usage. In 2014, IT leaders will need to work closely with senior leadership and legal counsel to adapt corporate policies in a way that addresses changing legal risks, while effectively meeting the need of the organization.
“Up until now, cloud and BYOD adoption has been like the Wild West – uncharted, unregulated, and few restrictions. However, we’re seeing courts issue rulings that include significant penalties where discovery, disclosure and other legal obligations aren’t being met because of the use of these technologies,” said Brill.
“While it’s implausible to anticipate every possible risk presented by the use of the cloud and BYOD, companies that have integrated these technologies into their corporate policies, IT security, and risk management plans will be much better prepared to fulfill their legal obligations. Organizations must realize that even if they don’t want to deal with this, they’re not going to have much choice.”
2. The malicious insider remains a serious threat, but will become more visible.
In 2014, a significant number – if not almost half – of data breaches will come at the hands of people on the inside. However, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, the hidden nature of insider attacks will become more widely known.
“There’s a tremendous amount of data compromised today where the act is never discovered or disclosed. People discount the insider threat because it doesn’t make the news. The insider threat is insidious and complex. Thwarting it requires collaboration by general counsel, information security, and human resources,” said Ryan.
3. Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster.
Companies realize that even the best firewalls and intrusion detection systems cannot stop all attacks; the most secure firms experience computer security incidents. But technological progress over the last 12 months will enable companies to unravel events and see with near-real-time clarity what’s happened to their data and how much damage has been done. That is, if companies choose to change.
“Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion. Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track, and analyze events,” said Ryan. “It takes more money and time to scramble at the last minute. We’ve seen a dramatic improvement in response technology over the last year. Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response. There’s no reason not to be prepared.”
4. New standards related to breach remediation are gaining traction and will have a greater impact on corporate data breach response.
“Companies will need to gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to the affected consumers,” said Alan Brill.
5. The data supply chain will pose continuing challenges to even the most sophisticated enterprises.
It is not unusual for healthcare organizations to store or process the data they collect by using third parties. However, the security that these third parties use to safeguard their clients’ data is frequently not understood until there is a breach. Additionally, companies may believe that their subcontractors will notify and assist them in the event of a breach.
Unfortunately, this is often not the case. Healthcare organizations will need to vet their subcontractors closely and get specific as to the technical and legal roles and responsibilities of their subcontractors in the event of a breach. “Kroll has responded to breaches where subcontractors not only failed to provide timely notice that they were breached, but also refused to cooperate with the investigation. Companies should know who they are giving their data to and how it is being protected,” said Tim Ryan, managing director and Cyber Investigations practice leader. “This requires technical, procedural, and legal reviews.”
6. Corporate board audit committees will take a greater interest in cyber security risks and the organization’s plans for addressing them.
With more and more data breaches in the headlines, healthcare audit committees are beginning to focus on the connection between cyber security and a healthcare organization’s financial well-being. As such, they will expand their attention beyond the financial audit process to the organization’s strategic plans for protecting non-public information and its risk mitigation plans for responding to a possible breach. CIOs and IT leadership should prepare accordingly.
“Organizations recognize that it’s their duty to protect against the loss of information and its associated risks,” said Brill. “As corporate boards carry out their fiduciary responsibilities, they must also protect the company from possible shareholder lawsuits that allege the company’s cyber security wasn’t at a level that could be reasonably viewed to be ‘commercially reasonable’ and that incident response plans weren’t in place to mitigate the risk.
The challenge they face is determining what is a reasonable level of security and response, and who should make that call – is it their IT team, an industry expert, an independent third party?”
7. NIST and similar security frameworks will become the de facto standards of best practices for all companies.
“This trend will move the U.S. in the direction of the EU, where there is a greater recognition of privacy as a right. As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations. To minimize their risk, organizations will have to get smart on these standards and make strategic business decisions that give clients and customers confidence that their information is protected,” said Alan Brill, senior managing director at Kroll.