While cyberattacks will continue to menace healthcare and other business sectors next year, organizations can't afford to overlook addressing risks tied to insiders, who are responsible for most data breaches, says Michael Bruemmer of Experian Data Breach Resolution.
Experian's just-released third annual Data Breach Industry Forecast report for 2016 predicts that big hacks will continue to grab the headlines but small breaches will cause "a lot more damage," he says.
"Whether it's a true malicious insider, or just employee negligence, 80 percent of the breaches we've worked so far in 2015 have been [caused by] employees ... and I don't think that's going to change in the healthcare field and other fields," Bruemmer says in an interview with Information Security Media Group.
"Unfortunately people doing stupid stuff is the largest cause - it's as simple as putting a non-production server into production, not turning on a malware or firewall protection, or as simple as the lost [unencrypted] laptop or USB key," he says.
The Department of Health and Human Services' "wall of shame" tally indicates that about half of major health data breaches have involved lost or stolen unencrypted computing or storage devices.
To help reduce incidents involving negligence by insiders, Bruemmer strongly recommends organizations bolster their "job specific" privacy and security training. Those efforts "start at the board level," he says. "It has to be a priority and it has to cascade down not only through the covered entity organizations but also through the business associates."
Continued Attack Risks
Despite the persistent threats posed by insiders, organizations will need to stay on guard for continued cyberattacks by nation states and hacktivists next year, Bruemmer warns.
"In healthcare, you not only have the treasure trove of personally identifiable information, but also medical records, insurance records," he notes. Those records can be used in medical identity theft by cybercriminals as well as by nation states, including China, that are interested in collecting personal information for extortion or to create "synthetic identities," he says.
One of the biggest breach prevention shortcomings among healthcare organizations and their business associates, Bruemmer says, is "not knowing where their data is within their own networks." He notes: "There are so many interconnected systems. ... In the healthcare field, you have so many connected devices that carry protected health information - that's a real problem."
In the interview Bruemmer also discusses:
- Other findings from Experian's Data Breach Industry Forecast report for 2016;
- Why payment-related breaches will continue to rise because of the incomplete transition to EMV transactions in the retail and healthcare sectors;
- What healthcare entities and business associates should be doing to better address breach trends in 2016.
Bruemmer is a vice president at Experian Data Breach Resolution, which offers incident management, notification, call center support and fraud resolution services while also serving affected consumers with credit and identity protection products. With more than 25 years of industry experience, Bruemmer also serves on the Medical Identity Fraud Alliance Steering Committee, Ponemon Responsible Information Management Board and the International Association of Privacy Professionals Certification Advisory Board.