Privacy and security issues for healthcare organizations may pop up in some unexpected places this year, according to the 2013 Cyber Security Forecast, recently released by Kroll Advisory Solutions.
While last year’s vulnerabilities will continue to challenge organizations that have yet to evolve their policies and procedures – from encrypting data to regularly changing passwords – there are many threats waiting in the wings, according to Kroll. Here are four key areas to keep in mind during 2013.
1. "Vampire" data: Don't get bitten by data you didn't know you had. Data exists in countless locations and formats within an organization, and many providers might not even realize that data exists until a cyber attack or breach, according to Kroll, which refers to that situation as vampire data – it comes back out of nowhere to "drain the life" out of the organization. Examples include backup tapes and archives that go back decades (even though they were scheduled to be destroyed); emails that should be destroyed after 90 days but exist indefinitely on employees’ desktops; and material that has been copied to portable or cloud storage without the organization’s consent or knowledge. Kroll officials suggest taking a data inventory, classifying it by confidentiality or sensitivity level, and then handling it accordingly; only allow users to access the data they need and provide employees with regular data-handling training to avoid unnecessary data propagation or transmission.
2. Forensics: More important than ever in the wake of a breach. During its forensics investigations, Kroll sometimes has limited resources at its disposal, because many organizations aren’t properly logging or documenting their activities, officials said. That means providers could spend more money to discover whether a breach occurred and what was lost, and may wind up sending notifications based on reasonable assumption rather than concrete evidence of exposure. However, Kroll sees attitudes toward documentation shifting as organizations come to understand the reputational and financial importance of forensics investigations. In the meantime, organizations should turn on their logs and make sure they are retained long enough to be useful, officials recommended. It's also helpful to perform a security assessment and train key employees in the basics of immediate breach response. Those employees who are most likely to be first responders following a breach should know how to react without wiping out vital evidence needed to understand the incident, or, if applicable, to meet the requirements set by the cyber insurance policy carrier, according to Kroll.
3. Hackers: They don't just want to steal data anymore. In years past, insider attacks were perceived as the most malicious threats, according to Kroll officials: One perpetrated by a practice employee, say, with an axe to grind and easy access to sensitive information, could obviously be bad news for the practice and its patients. But a new generation of computer-savvy crooks is delving deeper into the cyber warfare and cyber terrorism space, officials noted. They have a rapidly evolving ideology and agenda – namely, they are coming to destroy the secure network, erase pertinent data, wreak havoc with physical equipment, and ultimately take an organization down. Kroll suggests that organizations of all sizes and in all industries prepare for this threat. Cyber criminals may be looking for profit, perhaps holding data for ransom, but the end result is still the same, and the stakes are high, officials explained. Don’t assume that backup tapes are the same as a plan for restoration. If outsourcing IT functions, make sure third parties understand their role in getting you back up and running – and test their ability to do so.
4. Nondisclosure: A "luxury" that's now a thing of the past. The academic debate on this issue will continue in 2013, according to Kroll. In the meantime, more and more organizations are speaking up about breaches – even when the loss doesn't involve protected health information. In some cases, nondisclosure will simply not be an option, officials said: In a data-destruction attack, for example, everyone will know once your systems are down. In other instances, the stakes will be too high to keep quiet: The threat will be insurmountable without help from security consultants and government entities. Kroll noted that it has seen an increase in the number of breaches where clients have been notified by a government entity or security firm that they’ve lost sensitive data; Kroll said it expects that trend to accelerate in 2013. It's increasingly important to contract with outside resources such as an investigation and forensics partner, a privacy law firm, and/or a breach notification partner, explained Kroll. Should a health organization experience a PHI breach, having those resources already in place to assist with the investigation, advise on current legal requirements and prepare a response will save money.
“If we’ve learned one thing from the changing climate of data security in 2012, it is that 2013 will definitely not be a time to employ the same old tactics,” said Tim Ryan, managing director at Kroll Advisory. “Boards of directors are becoming more engaged on this subject, in part because it deals with corporate risk and also because the regulators are on the lookout. 2013 will require a review of information security governance, identification of information risk and controls, and preparation for the inevitable – a breach of sensitive data, a looming threat for every organization.”