Defenders of privacy and security found 2015 a most challenging year. For the first time, cyber-attacks became the leading cause of data breaches, as indicated by several annual data breach studies, including the Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. At the beginning of the year, multiple experts also predicted that 2015 would be “the year of the healthcare data hack,” and so it has been, with Anthem, Premera, and other big breaches.
With no obvious end in sight, these trends are likely to continue, but 2016 will present some new challenges across all industries, including healthcare. I have spoken with a number of experts in information privacy and security about what they think will be the most significant threats and trends in the coming year.
1. Cyber-crime Will Continue to Grow
Karen Barney, program director at the Identity Theft Resource Center (ITRC), predicts that the threat of cyber-attacks and cyber-crime will continue to grow: “We track data breaches daily, and we’re seeing from our data breach report that hacking and skimming have definitely increased significantly over last year. In 2014, hacking, skimming, phishing and other cyber-threats accounted for 29 percent of breaches. So far this year, they account for 38 percent, and I expect that trend to continue into 2016.” But she is also seeing a positive, though unexplained, trend: “There is a decrease in breaches caused by sub-contractors and third parties: in 2014, third-party breaches were at 15 percent, whereas in 2015 so far, they’re only at nine percent. We don’t know what’s behind that trend, but it’s a point of interest.”
2. Beware the IoT
We need to keep a close eye on the “Internet of things” for signs that cyber-thieves are turning their sights to the billions of devices that are fast becoming part of our everyday computing environment.
One concern I have is that the hacking of connected devices is fast moving from a theoretical vulnerability to a significant threat. Right now, it makes the news when researchers are able to change the operation of a heart pump or take control of a Jeep via its Internet-connected entertainment system. These reports make good headlines, but the researchers are showing us the next step in a problem that is already here. Our power, water, and manufacturing plants are being attacked every day, and hostile or activist hackers have been able to take over everything from a ship at sea to centrifuges at nuclear enrichment facilities, steel mills, and even smart appliances. Every one of these devices is a vulnerable endpoint that can give attackers a path into business systems, and it is only a matter of time before we see successful large-scale attacks on infrastructure. If hackers will use ransomware to get a few hundred or thousand dollars by holding a home computer or small business computer hostage, how long can it be before they are ransoming a power plant, a water supply, or critical medical devices?
“All of this disruptive technology will create all sorts of new potential security issues,” says Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “We may soon be looking at insertables—implants, pacemakers, insulin pumps—becoming targets of cyber-terrorists. And this is not science fiction. It’s already been demonstrated.”
My co-worker, Doug Pollack, chief strategy officer at ID Experts, worries about the privacy risks of personal devices. “I see the explosion of wearable devices as a likely new area for potential privacy concerns,” he says. “Just as with mobile devices, wearables are likely to expose new security threats, while getting real-time access to new types of data about individuals that have not been captured before. Especially as new applications are deployed on these devices, there will be unintended consequences when it comes to the protection and privacy of the user’s personal data.”
3. Security vs. Privacy Face-Off
Dr. Larry Ponemon expects that 2016 will see a growing tension between security and privacy. “I think we’re already seeing the beginnings of this struggle in the disagreements between Apple and the federal government, and in the EU Safe Harbor ruling. With all the international tensions, we are going to see more cyber-terrorism and general terrorism, at the same time as individuals are looking for greater privacy protection. For example, people might want phone encryption to protect their personal privacy, but bad guys could use that to hide, so it’s a tension. If you’re worried about going to a restaurant without getting shot, that’s more important than encryption on your phone. With worries about physical security, there may be a backlash that could prevent companies from implementing stronger digital security.”
4. Threat Intelligence Will Increase
Dr. Ponemon also predicts that threat intelligence and tracking will evolve in 2016: “We will continue to improve our ability to use advanced analytics to identify anomalies. Threat intelligence, network intelligence, and intelligence feeds will continue to grow at a good clip. The caution on any kind of surveillance is that many of the surveillance tools being used by hackers today start with government, but they get out the back door and backfire when they get into the hands of bad guys.”
Meeting 2016 with New Resolve
The Securing Our eCity Foundation works with individuals and businesses to help prepare for privacy and security threats. Based on the experiences of businesses she works with, Liz Fraumann, executive director of the foundation, has some recommended New Year’s resolutions for organizations and businesses of all kinds and sizes:
- Educate your staff. Especially with the pace at which everyone is working, we are set up to make mistakes that can cause data breaches.
- Put a social media policy in place. Make it clear what people are allowed to access on work equipment and networks and when, and what they should never do.
- Have a response plan in place before you are breached.
- Segment your networks to make it harder for attackers to get to sensitive information. Don’t have the accounting department on the same network as research or human resources. Subnets also make it easier to set different access privileges for different employees, so, for example, stolen credentials from a marketing intern don’t lead to a breach of all your employees’ or customers’ personal information.
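The segmentation resolution above is easier to keep honest when the policy is written down as code and the firewall rules are generated from it, so that "marketing cannot reach HR" is a testable statement rather than a hope. The following is an added example, not code from the article or from Securing Our eCity; the department subnets, hosts, ports and the two allowed cross-segment flows are assumed values chosen for illustration. It models one subnet per department with default deny between segments, an explicit allow-list for the few flows that must cross a boundary, and a renderer that emits the equivalent nftables forward chain.

```python
"""Network segmentation policy as code (added example, not from the article).

One subnet per department, default deny between segments, and a short
allow-list of cross-segment flows.  The same policy can be queried
(is_allowed) and rendered as an nftables ruleset (render_nftables).
"""
import ipaddress
from typing import Optional

# Assumed address plan, constructed for illustration: one /24 per department.
SEGMENTS = {
    "marketing":  ipaddress.ip_network("10.10.0.0/24"),
    "accounting": ipaddress.ip_network("10.20.0.0/24"),
    "hr":         ipaddress.ip_network("10.30.0.0/24"),
    "research":   ipaddress.ip_network("10.40.0.0/24"),
}

# Cross-segment flows that are explicitly allowed as
# (source segment, destination segment, destination TCP port).
# Anything not listed here is dropped at the segment boundary.
ALLOWED_FLOWS = {
    ("accounting", "hr", 443),        # accounting reaches the payroll web front end in HR
    ("research", "accounting", 443),  # research submits expense reports to accounting
}


def segment_of(ip: str) -> Optional[str]:
    """Return the department segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide whether a new TCP flow is permitted under the policy."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False      # addresses outside the plan never cross a boundary
    if src == dst:
        return True       # intra-segment traffic is not filtered by this chain
    return (src, dst, dst_port) in ALLOWED_FLOWS


def render_nftables() -> str:
    """Emit an nftables forward chain implementing the same policy:
    policy drop, replies allowed via conntrack, one accept per allowed flow."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, port in sorted(ALLOWED_FLOWS):
        lines.append(
            f"    ip saddr {SEGMENTS[src]} ip daddr {SEGMENTS[dst]} "
            f"tcp dport {port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Stolen credentials used from a marketing intern's workstation cannot
    # reach the HR record server: the boundary drops the flow regardless
    # of whether the credentials are valid.
    print(is_allowed("10.10.0.57", "10.30.0.10", 443))   # False
    # The one sanctioned accounting-to-HR flow is still permitted.
    print(is_allowed("10.20.0.5", "10.30.0.10", 443))    # True
    print(render_nftables())
```

The value of keeping the allow-list this small is that every cross-segment rule has a stated business reason, and the rendered ruleset can be diffed against what is actually loaded on the gateway during an incident review.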
Privacy and security threats will continue to evolve, but all of these basic measures will help you to be more successful in meeting the privacy and security challenges that come your way.
Rick Kam is president and co-founder of ID Experts.