Security risks on the rise for 2014
Whether it's guarding against "malicious insiders" or ensuring C-suite execs are scared straight about the risks and regs they face, the coming year poses big challenges to healthcare according to Kroll's annual Cyber Security Forecast.
The newest report takes a look at a shifting social and legal environment and spotlights seven trends all industries should pay attention to as they guard against legal, monetary and reputational risk.
Those are outlined below, followed by a Q&A with Kroll's Senior Managing Director Alan Brill, who answered some questions from Healthcare IT News about the industry's preparedness for a new year filled with new security threats.
[See also: Data security still a risky business.]
- NIST and similar security frameworks will necessarily become more common. These standards should start to drive organizational decision-making, according to Brill, who notes in a press statement that the trend "will move the U.S. in the direction of the EU, where there is a greater recognition of privacy as a right. As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations."
- The data supply chain will pose continuing challenges. While it's increasingly common to store data with third parties, those vendors' security preparedness (or lack thereof) is often little understood until there's a breach, according to Tim Ryan, Kroll's managing director and cyber investigations practice leader. "Companies should know who they are giving their data to and how it is being protected," he said in a statement. "This requires technical, procedural and legal reviews."
- Malicious insiders remain a serious threat – but will become more visible. Information technology may make it easier to access unauthorized data, but it also means that, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, the hidden nature of insider attacks will become more widely known. "The insider threat is insidious and complex," said Ryan. "Thwarting it requires collaboration by general counsel, information security and human resources."
- Corporate boards and C-suites will take more interest in security preparedness. With more data breaches splashed across the headlines, higher-ups are taking seriously the connection between cyber security and an organization's reputational and financial well being. "Organizations recognize that it's their duty to protect against the loss of information and its associated risks," said Brill in a statement. "The challenge they face is determining what is a reasonable level of security and response, and who should make that call – is it their IT team, an industry expert, an independent third party?"
- IT will help uncover data breach details and make for faster reactions. Even the best firewalls can't stop all attacks, but technology can help organizations see with near-real-time clarity what's happened to their data and how much damage has been done. "Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion," said Ryan. "We've seen a dramatic improvement in response technology over the last year...There's no reason not to be prepared."
- New standards for breach remediation are finding favor as threats evolve. "The notion that credit monitoring is a panacea for all data breaches is misguided," said Brill. "When you couple the myriad types of sensitive information with the multitude of ways an identity can be stolen and used fraudulently, there are many instances where credit monitoring will not be helpful to a breach victim at all, including medical identity theft, criminal impersonation, employment and tax fraud, etc."
- With the cloud and BYOD on the rise, smart policies must follow. IT departments are "scrambling" to deal with these technologies, which are developing at a "whirlwind" pace, according to Kroll. In 2014, IT leaders will need to work closely with senior leadership and legal counsel on strong and clearly stated policies. "Up until now, cloud and BYOD adoption has been like the Wild West – uncharted, unregulated and few restrictions," said Brill in a statement. "Companies that have integrated these technologies into their corporate policies, IT security and risk management plans will be much better prepared to fulfill their legal obligations."