Healthcare companies will continue to be one of the most targeted sectors by cybercriminals in 2016 due to the high value of compromised data and the ongoing digitization of medical records, according to an Experian report.
The 2016 Data Breach Industry Forecast by Experian Data Breach Resolution outlines five predictions for what industry leaders can expect in the coming year with regard to data breach trends and issues.
For the healthcare industry in particular, researchers predict that big healthcare hacks will make headlines, but small breaches will cause the most damage.
“While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by employee negligence will also continue to compromise millions of records each year. These incidents are often due to employees mishandling paper records or losing physical back-up of information,” the researchers state.
Given the high value compromised data can command on the black market along with the continued digitization and sharing of medical records, researchers predict that healthcare companies will remain one of the most targeted sectors by attackers.
“In 2016, sophisticated attackers will continue to focus on insurers and large hospital networks where they have the opportunity for the largest payoff. With the move to electronic health records (EHRs) continuing to gain momentum and becoming more widely accessible through mobile applications, the attack surface continues to grow,” the researchers state.
The researchers note that it’s important for healthcare organizations to not only continue to invest in up-to-date security technologies, but also focus on training employees on proper data handling practices on a regular basis.
The report also highlights the rise in cybercriminals using data for corporate extortion or other scams. According to cybersecurity experts, medical records are worth up to 10 times more than credit card numbers on the black market, and this might drive hackers to look at medical records data as a mean for financial gain. According to the researchers, 38 percent of organizations report they have already been targeted by cyber-extortion.
“Moving forward, it is anticipated that businesses will begin to account for the potential of extortion in their data breach planning, including having cyber insurance policies in place that incorporate protocols for how to negotiate with cybercriminals,” the researchers state.
Among the other predictions, researchers also anticipate that the EMV Chip and PIN liability shift will not stop payment breaches.
“Given the value of payments data, attackers may also look to other methods to steal this information that don’t involve point of sale systems. Similar to what’s happened in the European Union – where EMV has been adopted for some time – attacks may shift to focus on online transactions where cards don’t need to be present,” the researchers state.
And, it is anticipated that cyber conflicts between countries will leave consumers and businesses as collateral damage and that the 2016 U.S. presidential candidates and campaigns will be attractive hacking targets.
Researchers also predict a resurgence in hacktivist activities, motivated by groups looking to inflict reputational damage to a company or cause.
The report authors note that while traditional data breach threats remain, business leaders also should take note of emerging trends and update their data breach response plans accordingly.
Experian researchers also graded their 2015 data breach predictions, with mixed results, as four out of six predictions for 2015 rang true by end of this year. For 2015, researchers predicted that healthcare breaches would be a persistent and growing threat, which unfortunately has proven to be the case, and that employees would be companies’ biggest breach threat, which also was accurate according to a Ponemon Institute report. That report indicated that non-malicious employee error is the No. 1 leading cause of data security breaches.
Two other predictions that were accurate were the shifting accountability to corporate leadership following a security breach and the growing concern about the Internet of Things (IoT) as a security breach threat.
