This has been a supremely active year in the data privacy sector. NSA spying regularly captured headlines as new details emerged about the agency’s dragnet. The British phone hacking scandal continued to unfold as trials marched on and press employees pleaded guilty. And, of course, data breaches hit companies in all industry sectors.
Threat areas covered the spectrum, from external hackers to internal negligence. Bad guys were stealing passwords and other sensitive information any way they could. Some insiders—employees, contractors and the like—purposely exposed data or facilitated hacking activities, while others merely failed to take the necessary precautions to ensure confidential information was protected.
With this banner year nearly behind us, it's time to look at the lessons we can learn from all that transpired in 2013.
One sector that saw considerable breach activity in 2013 was healthcare, and an overarching lesson learned in 2013 is that data risks in the healthcare industry don’t discriminate. Breaches hit large hospital systems and solo practitioners alike. Some breaches involved the compromise of only a handful of records, while other single instances affected 90,000 records or more. Many exposures were caught within a few months, but some breaches discovered in 2013 have actually been going on for several years.
Equipment thefts and losses continue to pose a significant risk in healthcare. Many thousands of patient records—some medical, some financial—were exposed when laptops were lost or stolen. This highly sensitive information was rarely encrypted, despite the technology’s ready availability and low price point.
Malware also posed problems for healthcare organizations in 2013, whether through targeted instances of planting malicious code or the simple, unguarded act of an employee opening an unsafe e-mail. System weaknesses that could have been identified and addressed were exploited for nefarious purposes. Additional protections that could have been implemented were missing.
With all the focus on electronic health records and burgeoning databases, paper records and more conventional exposures also remained an issue for providers. Patient information can be just as easily exposed in paper format, and insiders continue to photograph, copy, and access PHI without authorization. Despite decades of experience, the healthcare industry is still behind when it comes to physical security controls and regulation of access to paper records.
In 2013, the exposures that hit banks and credit unions demonstrated that when a breach event happens, notification may not occur until many months down the line. Statutes vary from one jurisdiction to another, and timelines aren’t always consistent or even regulated. For companies that exercise due diligence, it can be a long time until they determine what happened and which records were compromised. Without experienced investigation resources, notification, recovery, and mitigation efforts continue to be hampered.
Consumers’ online habits have improved, but when large-scale breaches exposed users’ information at Facebook, Google, and Adobe in 2013, it was discovered that many people continue to use weak passwords, and that passwords are often shared between a number of platforms including banking and financial networks. When one password is compromised, many others are likely at risk as well.
Reactive responses, such as credit monitoring services, were popular strategies in 2013. We learned, however, that proactive data protection efforts continue to lag. Consumers increasingly expect financial institutions to catch issues before they blossom into life-affecting problems, and banks need to do a better job of building solid programs around the Red Flags Rule. Policies should be thoroughly documented and the entire framework requires regular reviews to remain effective against an increasingly sophisticated threat landscape.
As a whole, the insurance industry grappled with a range of issues in 2013. Litigation arising from cyberbullying poses a real financial risk to carriers, though it still isn’t on everyone’s radar. Judgments have run into the millions of dollars, and insurers should carefully review policies and coverages to limit their risk.
The breaches in 2013 highlighted that there aren’t many specific privacy regulations directed at insurance companies, even though they manage significant stores of sensitive personal information. For example, unlike the healthcare sector, where vendors must have protections in place as part of a Business Associate agreement, supporting players in the insurance industry aren’t held to the same standard. As a proactive measure, insurance companies should be conducting risk assessments related to privacy and information security, to see where they stand and where their protections need bolstering.
Walter Boyd is senior privacy advisor at CyberScout Consulting.