4 cyber security threats for 2013
3. Hackers: They don't just want to steal data anymore. Once upon a time, insider attacks were perceived as the most malicious threats, say Kroll officials: One perpetrated by a hospital employee, say, with an axe to grind and easy access to sensitive information, could obviously be bad news for the hospital and its patients. But a new generation of computer-savvy crooks are delving deeper into the cyber warfare and cyber terrorism space, officials say. They have a rapidly evolving ideology and agenda – namely, they are coming to destroy the secure network, erase pertinent data, wreak havoc with physical equipment, and ultimately take an organization down. Kroll suggests that organizations of all sizes and in all industries prepare for this threat. Cyber criminals may be looking for profit, perhaps holding data for ransom, but the end result is still the same, and the stakes are high, officials say. Don’t assume that backup tapes are the same as a plan for restoration. If outsourcing IT functions, make sure third parties understand their role in getting you back up and running – and test their ability to do so.
4. Nondisclosure: A "luxury" that's now a thing of the past. The academic debate on this issue will continue in 2013, according to Kroll. In the meantime, more and more organizations are speaking up about breaches – even when the loss doesn't involve protected health information. In some cases, nondisclosure will simply not be an option, officials say: In a data destruction attack, for example, everyone will know once your systems are down. In other instances, the stakes will just be too high to keep quiet: The threat will be insurmountable without help from security consultants and government entities. Kroll notes that it has seen an increase in the number of breaches where clients have been notified by a government entity or security firm that they’ve lost sensitive data, and says it expects to see that trend accelerate in 2013. It's increasingly important to contract with outside resources such as an investigation and forensics partner, a privacy law firm, and/or a breach notification partner, says Kroll. Having those resources in place when a security incident occurs, to assist with the investigation, advise on current legal requirements and prepare a response should a health organization experience a PHI breach, will save money.
“If we’ve learned one thing from the changing climate of data security in 2012, it is that 2013 will definitely not be a time to employ the same old tactics,” said Tim Ryan, managing director at Kroll Advisory. “Boards of Directors are becoming more engaged on this subject, in part because it deals with corporate risk and also because the regulators are on the lookout. 2013 will require a review of information security governance, identification of information risk and controls, and preparation for the inevitable: a breach of sensitive data, a looming threat for every organization.”