Not a matter of if, but when
The Institute for Critical Infrastructure Technology has determined that ransomware will wreak havoc this year. Cybersecurity experts agree that it's not a matter of if or when your data will be hacked, but whether you'll know your data was hacked.
Instead of focusing only on hardening perimeter defenses such as firewalls and using rules to block outside PDFs or other documents, Kennedy and other experts believe detection and data encryption are the best cybersecurity techniques.
"Assume data will be taken, but make it useless," said Kaveh Safavi, senior managing director for Accenture's global healthcare business.
The greatest threat to the healthcare industry today, Safavi said, is not from one-off hackers seeking quick paydays, but from foreign governments that can store intimate personal health data for future use against individuals.
For example, hackers last year stole the records of about 80 million customers of Anthem Inc., the second-largest U.S. health insurer.
"The presumption was that they were state actors," Safavi said. "The purpose of the state actor was to harvest the database in order to create a dossier of individuals that they could use for social engineering for future attacks."
Foreign governments could use healthcare information to target government employees with emails containing notices related to medical conditions they may have. When a targeted individual opens one of those emails, malware infects his or her desktop computer.
"There's nothing in a bank's data that will give [hackers] the answer to that question, but it is in your health records and [insurance] claims data," Safavi said. "They're trying to build a big database of Americans for some future purpose."
Is the cloud safer?
Healthcare organizations, Safavi said, can better protect data by first recognizing that they're not in the cybersecurity business. For example, a cloud storage provider is better qualified to handle security, he said.
"There's a discussion going on right now about whether or not the public cloud is more or less secure than private. The traditional thinking was... 'If I have control over data in my own private data center that'd be more secure.' The thinking is beginning to pivot," Safavi said.
"The argument is no individual company will ever have the level of security and keep up with the arms race the way Amazon or Microsoft can, for example," he added.
Never was that shift in thinking more evident than two years ago, when the CIA awarded Amazon Web Services a $600 million contract to develop a cloud service for the 17 agencies that make up the intelligence community.