Consultant Rebecca Herold Offers Predictions for the Coming Year
This was an eventful year for healthcare cybersecurity and privacy incidents and developments. But what’s ahead for 2019? Here are eight predictions.
1. The Department of Health and Human Services’ Office for Civil Rights will release proposed updates for the HIPAA security and privacy rules. Based on continued pressure from local, state and federal government agencies, law enforcement, researchers and others to ease the sharing of patient and mental health data by removing the need to obtain patient consent, I expect to see OCR issue proposed HIPAA updates. That will result in significant backlash from privacy rights organizations, many technology businesses as well as significant portions of the general public.
2. The types of ransomware – and size of ransoms demanded – will grow. Just because there were fewer reported ransomware incidents in 2018 than in 2017 doesn’t mean there actually were fewer ransomware incidents. Organizations are increasingly simply paying the ransoms and not reporting the ransomware attacks.
Cybercrooks are getting rich from the ransoms that organizations are paying. Too many healthcare executives are paying ransoms because they see this as the quickest way to get back to normal processing – largely because they lack a good business continuity plan.
The ransomware attacks will evolve to target individuals, such as top executives, along with the many new types of IoT devices. Ransomware will also disable medical devices and surgical devices, impacting patients’ safety and health. And as more cybercrooks take copies of the patient data, they’ll cause additional significant harm.
3. Unsecured medical devices will lead to patient harm. The security of medical devices has gotten worse, not better, throughout 2018. And now, with more remote access – including through mobile devices – those whose lives depend upon the medical devices are at greater risk. As a result, 2019 may be the year that the first death occurs through exploitation of medical device security vulnerabilities.
4. Increased use of IoT devices will lead to more security incidents and breaches. I’ve been surprised to see the quick adoption of IoT devices, such as digital assistants, by physicians and nurses in the provisioning of patient care. In addition to these, patients are using fitness trackers and many other types of devices. IoT devices, which generally lack security, often attach to Wi-Fi access points throughout healthcare facilities, creating pathways to internal networks and sensitive data. They also can become repositories for malware and potential homes for bots used to launch a coordinated botnet attack.
All this could result in significant harm to patients, in addition to security incidents within healthcare provider organizations.
5. Insider incidents will increase. More insiders – not only employees but also business associates and other contracted third parties – will take advantage of their access to valuable data and healthcare systems and applications because they know there are few logs of their access to catch them or they see no one is reviewing the logs that do exist. Others will find situations where they are presented with large amounts of patient data and decide to use it for financial gain.
In addition to malicious actions, insiders will make mistakes or take actions that result in privacy breaches because they simply didn’t get enough information security training.
6. Risks from legacy systems will widen. Legacy systems, often left unpatched and vulnerable, increasingly will be the targets of hacker attacks. Longstanding systems vulnerabilities will be exploited. And as the use of artificial intelligence tools that automatically leverage data from legacy systems grows, the risk of security and patient safety incidents will dramatically increase.
7. The inappropriate sale of patient data will continue to lead to privacy violations. But more healthcare organizations that inappropriately sell or use patient data without obtaining the legally required patient consents and approvals will be caught in 2019. The push from marketers and executives to use patient data for more purposes is strong.
8. Privacy enforcement actions by state attorneys general offices will increase. Security incidents will result in huge – possibly business-ending – penalties, not only for HIPAA violations but also for violations of other laws, regulations, standards and contractual requirements. Some state AGs, including those in New York and New Jersey, took action in 2018. Expect even more state AG enforcement actions in the year ahead.
Date: January 8, 2019