A data breach can be the biggest kind of crisis an IT leader will have to face. And when an incident occurs, it’s an emergency situation – typically an all-hands-on-deck moment.
After the dust settles, however, it’s time to determine what lessons were learned from the experience. Your organization may have escaped 2015 without a data breach. But that’s no guarantee that hackers, cybercriminals and others won’t turn their attention to your business soon.
2015 by the numbers
According to the Identity Theft Resource Center (ITRC), organizations around the world suffered over 700 data breaches in 2015. The attacks covered every sector, and records were lost in many of them. For 2015, the ITRC reports the following findings:
- 781: total data breaches reported for 2015 (a slight decrease from 783 in 2014)
- 312: data breaches suffered in the business category
- 277: data breaches suffered in the medical/healthcare sector (35 percent of reported breaches)
Several conclusions can be drawn from the ITRC’s reports. First, the total number of attacks continues to hold steady (although this data may be influenced by the willingness of organizations to report incidents). Second, the medical sector has been a top category for attacks for several years. Effective security in healthcare impacts all of us, so let’s consider that area first.
Increasing security maturity to respond to threats in the healthcare sector
Healthcare organizations suffered several high-profile attacks in 2015. The highly sensitive personal records held by these organizations include medication information, medical expenses and personal data such as physical addresses and dates of birth. With health information, fraud is only one possible loss scenario. Lost trust, embarrassment and damaged reputations are other consequences from health attacks.
“In the health sector, we have seen acceptance of the problem at the board level. This sector is continuing to increase in maturity,” says Christos Dimitriadis, president of ISACA, an international cybersecurity professional organization. In the IT industry, ISACA is well known for the cybersecurity certification and professional development programs it offers to professionals. ISACA also conducts ongoing research projects to understand new threats and support members.
“The United States and Europe are continuing to develop their cybersecurity policies in response to these attacks. I also see increased interest in protecting privacy and that means more support to the health sector,” says Dimitriadis.
Health organizations targeted in 2015 included large organizations that provide services to a large percentage of the American population.
- UCLA Health System. Personal information for millions of patients was stolen. Unfortunately, the data was not encrypted, which suggests a high likelihood of fraud and misuse. The organization announced the incident in July 2015 and noted that suspicious activity was first detected in September 2014. The UCLA Health System has offered identity protection services to impacted individuals. UCLA has described the incident as a criminal attack.
- Community Health Systems. Operating over 200 hospitals across the United States, Community Health Systems announced that 4.5 million patient records had been accessed in a data breach incident in 2015. Information accessed in the incident included names, physical addresses and Social Security numbers.