Forrester predicts breaches as big as Anthem will become commonplace in 2017
Healthcare breaches will become as large and common as retail breaches, and the 2015 breach of Anthem that affected as many as 80 million patients will become commonplace in the future, predicts Forrester Research.
That is one of five predictions in its report, “Predictions 2017: Cybersecurity Risks Intensify,” which also includes warnings about President Trump facing a cyber-crisis, the talent gap in cybersecurity, a Fortune 1000 company failing because of a cyber-breach, and a major Internet of Things device security crisis.
On the healthcare front, as a result of mergers, acquisitions and other partnership arrangements, large healthcare insurer and provider conglomerates are only increasing in size, as is the amount of critical patient information they store, the report said. 2017 represents a turning point for healthcare providers because the consolidation of providers leaves security fragmented with varying security levels and because patient data carries a tremendous amount of unique, permanent information, such as genetic markers, and biometric data, such as fingerprints, Forrester said.
For malicious attackers interested in ransom, blackmail and espionage, this healthcare data will be too tempting to pass up, and as a result, healthcare organizations must increase spending on security now, Forrester said. Healthcare security spending continues to lag other industries. According to Forrester Research surveys, public sector and healthcare firms spend 3 percentage points less (23 percent versus 26 percent of the IT budget) on security compared with all other firms. Until the recent spate of ransomware attacks and the massive Anthem breach, many healthcare CISOs approached security as a means of achieving HIPAA compliance, not as a function to protect patients and the hospital from malicious cyber-criminals and insiders, Forrester contended.
Given the critical nature of the services and the sensitivity of the data at risk, healthcare firms should spend on par with other critical infrastructure industries – utilities and telecommunications spend 35 percent of their IT budgets on security, Forrester said.
Forrester's four other cybersecurity predictions for 2017 include:
1. Within the first 100 days of his term, President Trump will face a cyber-crisis. During the U.S. presidential election, many credible sources linked the breach and leak of DNC e-mails to Russia. As a result of the public allegations, an auction of supposed exploit kits used by the NSA emerged online, Forrester said. Throughout the election, there were significant concerns that cybercriminals – nation-states or hacktivists – would attempt to undermine the integrity of voting. The momentum of winning an election typically gives new presidents the public sponsorship to follow through on key initiatives of their campaigns. However, the 45th president will lose that momentum coming into office by finding himself facing a cybersecurity incident.
2. The talent gap will force CISOs to allocate 25 percent of their budgets to external expertise and automation. The complexity curve facing enterprises hasn’t reached its peak yet, which leaves security stuck solving problems of capacity and capability with limited resources already burdened with too many technologies, too many alerts and too much to do, according to the report. With too few internal resources, CISOs will turn to external services and automation tools for relief. Forrester estimates that security services and automation will combine to consume 25 percent of security budgets in 2017.
3. A Fortune 1000 company will fail because of a cyber-breach. There have been multiple cases of companies shuttering business after a cyberattack. In 2011, Dutch certificate authority DigiNotar filed for bankruptcy after an attacker obtained hundreds of fraudulent digital certificates that criminals could use to target online customers, Forrester reported, citing it as just one example. In 2017, a Fortune 1000 company will disappear – through bankruptcy, acquisition or regulatory enforcement – because of a cyberattack.
4. More than 500,000 Internet of Things devices will suffer a compromise. Today, firms are developing IoT firmware with open source components in a rush to market; unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open not only to vulnerabilities but to vulnerabilities that security teams cannot remediate quickly, the report said. When smart thermostats alone number more than 1 million devices, it’s not hard to imagine a vulnerability of great scale, the report said.
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com