Cyberattacks are going to get a lot worse, former NSA official says

Healthcare tops the list for ‘losing stuff’ and the ratio of incidents to breaches, Joel Brenner said Monday during the HIMSS Privacy & Security Forum in Boston.
By Jessica Davis
12:46 PM

The face of cybercrime is changing. Healthcare has gone from a declared mission of stealing personal data to much more disruptive issues. In fact, healthcare has seen the largest jump in ransomware attacks of any industry.

When Joel Brenner opened the HIMSS Privacy & Security Forum in Boston Monday morning, the Massachusetts Institute of Technology research fellow - who focuses on cybersecurity, privacy and intelligence policy - and former senior counsel at the National Security Agency, didn’t sugarcoat the state of healthcare security.

The government isn’t going to sort out that problem until we suffer some great losses, Brenner said.

“We’re facing industrial espionage on an industrial scale,” Brenner explained. “If espionage is not the oldest business in the world, it’s the second oldest.”

“You can steal a terabyte of data remotely; this has really changed who is conducting espionage,” Brenner continued. “There’s a convergence of bioterrorism and cybersecurity … increasing the likelihood of a mass casualty event.”

And while healthcare may not top the list in terms of incidents or breaches, it is number one by percentage of incidents and the number of incidents by stolen assets. It’s also number one in terms of ‘losing stuff.’

Healthcare is very high in terms of the ratio of incidents to breaches. In other words, the people trying to get in are succeeding more often than not.

“But this is a management issue, not a technology issue… Most companies, even big ones, don’t know what’s going on in their networks,” Brenner explained. “This should cause some soul-searching.”

There are some very tangible areas organizations can look to in order to reduce vulnerabilities, including privilege misuse and BYOD, which Brenner called ‘Bring Your Own Disaster.’ And not everyone needs access to everything.

“It’s about training your people - repeatedly,” Brenner said. “You don’t need a big plan; no one opens that manual in times of crisis. You need a simple checklist.”

Further, there’s a need for security round the clock, but most organizations can’t afford it and don’t trust a vendor enough to tackle the problem.

This isn’t just a person-to-person problem, but an issue with connected machines, Brenner stressed.

But the biggest challenge is siloes within an organization, Brenner continued. High-level executives are part of the problem and the solution.

“Unless someone high level in these siloes comes in with a baseball bat,” Brenner said, “it’s not going to be solved.”