3 Health InfoSec Lessons from Sony Hack
Experian's Michael Bruemmer Offers Insights
The healthcare sector can learn three important lessons from the recent hack attack on Sony Pictures Entertainment, which compromised employee healthcare data and other personal information, says Michael Bruemmer of Experian Data Breach Resolution.
The first lesson is that any organization that handles health information is vulnerable to hacking, regardless of whether it's a healthcare provider, a business associate that processes the data, or an employer, such as Sony, that communicates about workers' healthcare, Bruemmer says in an interview with Information Security Media Group.
The second lesson is that because so many organizations use distributed networks, "they sometimes don't know where all that data is and how much of it falls under the category of 'protected health information.'" Knowing where PHI lurks within an organization's many departments is essential to safeguarding that data, he says.
Third, because there is so much movement of information in the healthcare ecosystem, whether via e-mail, health information exchanges or other methods, "that creates an opportunity for breaches," he says. In the case of the Sony breach, unencrypted e-mailed messages containing sensitive health information were compromised by the hackers, pointing to the need for more secure methods of communication.
Despite the risks posed by hackers, however, employee mistakes will continue to be the No. 1 cause of breaches for most organizations in 2015, Bruemmer predicts.
"Of all the incidents we service, regardless of the vertical [market], 80 percent of the root cause is employee negligence," he says. That includes such mistakes as losing laptops or clicking on phishing e-mails. "Employees are still the weakest link," he says, calling for ramping up job-specific privacy and security training.
In the interview, Bruemmer also discusses:
- Predictions in Experian's 2015 Data Breach Industry Forecast, which cites risks posed by the cloud, and also consumer wearable health devices and other gadgets under the umbrella of the Internet of Things;
- Why organizations need to be more vigilant in safeguarding administrative credentials and passwords;
- Why healthcare organizations need to do a better job of testing their breach preparedness plans.
Bruemmer is a vice president with the Experian Data Breach Resolution group, which offers incident management, notification, call center support and fraud resolution services while also serving affected consumers with credit and identity protection products. With more than 25 years of industry experience, Bruemmer also serves on the Medical Identity Fraud Alliance Steering Committee, Ponemon Responsible Information Management Board, and the International Association of Privacy Professionals Certification Advisory Board.