2020 Vision: Looking Ahead in the New Year

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

The vision for 2020 healthcare security is clouded with security threats, compliance and enforcement activity, and rapidly evolving business models and regulatory landscapes. However, we can also see many opportunities on the horizon this year and beyond to improve the industry’s protections of healthcare organizations and patient information.

Join us for a special edition of The CyberPHIx as we take a look at the major trends in healthcare cybersecurity, privacy, and compliance heading into the new 2020 calendar year.

Topics discussed include:

  • Cybersecurity’s movement away from IT-focused issues and into enterprise risk management
  • Breach trends and business impacts
  • New ransomware attacks and protection mechanisms
  • Regulatory and enforcement activity from OCR, GDPR, California, New York, and more
  • Third-party vendor security and privacy risk management
  • Asset management, IoT, and Medical Device Security
  • Hacking and attack trends
  • Cybersecurity talent shortages
  • Capital and operating budget trends
  • Big privacy and big data issues
  • Mergers, acquisitions, and affiliations

Brian Selfridge: [00:00:09] Hello and welcome to CyberPHIx, your audio resource for information security, privacy, and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in healthcare information security and privacy.

Brian Selfridge: [00:00:23] In this episode, we have a very special New Year's session for you, where I'll be talking through some of the key trends and perhaps predictions for 2020 heading into the New Year in information security, privacy, and governance. We will take our crystal ball out a little bit, but also rely upon some of the trends that we've seen moving late into 2019 and into 2020. So as you prepare your information security strategic plans, or are just looking to get a handle on coming back from the holiday and trying to figure out the bus that's going to hit you next, we can give you some of the key things that we expect to see playing out this year. So let's dive into it.

Brian Selfridge: [00:01:00] First and foremost, on the macro level, we see trends of cybersecurity moving out of the IT domain and becoming less of an IT- and technical-focused conversation for organizations and more of an enterprise risk level conversation, where the cybersecurity focus, not only from a reporting standpoint, but also just from the tone and tenor of the conversation, is moving away from tactical information security, malware-type events and more into the critical integration that cybersecurity has, and the dependency that organizations have on cybersecurity, on financial outcomes, business impacts, patient safety, reputational damage, all these things that can happen when the bad outcomes happen from a cyber perspective. So we've seen a number of breaches toward the end of last year and into this year that are starting to have a much broader array of impacts on the organization. So, for example, in October of last year, with the news coming out in December of 2019, there was an organization, DCH Health in Alabama, that had a ransomware incident, where they had to divert patients from the hospital for over 10 days as the electronic health record was down due to the ransomware infection. So that's noteworthy in and of itself. As a former chief security officer of a health system, I know that any time you divert patients, you are talking very real financial impacts to the entity from a bottom-line perspective, and it is often very difficult to recover from those types of incidents, whether cyber-related or otherwise, that require diversions.

Brian Selfridge: [00:02:46] But it's also noteworthy because the community brought a class action lawsuit against DCH Health, noting the lack of available treatment over that course of time that the hospital's stores were shuttered except for emergency care. And patients noted that their prescriptions were unavailable, and they were unable to get the treatment that they needed in a timely fashion, as well as noting the inability of the organization to adequately protect and safeguard their PHI, protected health information, sensitive information. So we're starting to see the impacts of breaches be much more than just regulatory oversight and fines and the things that we traditionally talk about, having much more clinical, financial, business impact, and patient safety impacts over the course of the event. And so that's just one example. But I think we'll expect to see that continue to raise the conversation away from just IT-focused to more business-focused conversations.

Brian Selfridge: [00:03:48] Now, we mentioned ransomware, and that's another trend that we'll talk about here, where we're seeing some, what I'll call, disturbing trends, for lack of a better word, where the ransomware attackers have shifted gear a little bit. Not only are they sort of having some success, in their view anyway, on locking up electronic health record data, getting organizations to pay to release that data for those organizations that don't have adequate backups or other circumstances where they do decide to pay them back. But they've also started to threaten to release the patient information to the public or the public domain if they are not paid for the ransom. So that's sort of a double ransom like we'll lock up your data, and if you don't pay us, we'll keep it locked up. And if you don't pay us, we're going to release it out to the public. So the ransomware attackers are getting much more aggressive. And unfortunately, the business models become a lot more viable for malicious actors to continue these types of attacks. And whenever the money starts flowing and organizations are starting to pay more, we expect those incidents to continue and those attacks to continue to ramp up and take more creative ways of exfiltrating data and financial benefits from healthcare entities. So there's a lot that can be done about that, of course, you can check out our blog recently on those latest ransomware attacks and some of the recommendations dealing with that, if you like, on Meditologyservices.com. We got some write-ups there. 

 

Brian Selfridge: [00:05:21] But basically some of the key protection capabilities are making sure to invest in patch management processes to reduce the likelihood of the ransomware infections to begin with. We see a lot of segmentation of critical systems, so the ransomware doesn't spread. Also, just organizations spending more time in improving their incident response capabilities, having specific playbooks for ransomware attacks, running through those simulations and tabletop exercises, and otherwise implementing improvements to business disaster recovery and those types of things. So there's plenty to do around that arena. But check out our blog, where we go into a little bit more detail if you like. 

 

Brian Selfridge: [00:06:01] Another trend that we're seeing heading into 2020 is around the enforcement and regulatory side of things. So OCR has not been quiet heading into the last quarter of 2019 and into 2020, even already, with fines for Sentara Health: a $2.2 million fine for their incidents, where they had misdirected patient information mailed to the wrong locations, and they failed to report that as a reportable breach event, as well as failures in their business associate agreement with the entities where they shared that information. So multiple missed opportunities there, and OCR leveraging sort of the larger fines, multimillion-dollar fines, against Sentara Health. But also the smaller organizations, like the ambulance company in Georgia, who had a $65,000 fine as well. So I think we'll continue to see OCR active this year, looking at large, small, and midsize organizations. So if you're expecting to be off the hook, and OCR not looking at you because you're too small or unimportant or whatever, I think that they're proving out that they are paying attention across the board, regardless of the size and complexity of the organizations.

Brian Selfridge: [00:07:18] We're also seeing a lot of ramped-up attention, activity, and investments made for some of the state regulations. So the California Privacy Act is one of the more prominent ones that is getting a lot of attention. So anyone that has scope for the California Act and either operates out of California or is dealing with California-based organizations will have to spend some time on that in 2020. New York has a regulation out that's driving a lot of cybersecurity attention last year into this year. So same story there. Of course, GDPR for the European Union-based entities or those that deal with your business or have EU member data is also going to be a big focus area continued for this year. So we expect to see more US federal compliance activity with those Office for Civil Rights fines and resolution agreements. We expect those activities to be ramping up. And for those that haven't gone through those, I hope you don't have to. But it's not just the fines and the incident, and then the issue goes away. OCR sticks around, and the multi-year resolution agreements and oversight investments and costs become much more than the fight itself. So we expect to see that continuing. We expect to see more focus on the state regs and the global regulations on both privacy and security heading into this year. And so make sure you've got your game plan for how you're going to handle those for your own organizations.

Brian Selfridge: [00:08:49] Another big area of focus this year is, not surprisingly, third-party security risk management. So the data continues to proliferate across the ecosystem and healthcare continuity of care. Continuum of care is the word I was looking for. And we are sharing information with more and more entities across providers, business associates, and payers, and the accountability for that data is getting increased attention, whether it's an increased volume of assessments and audits and compliance tracking for organizations, or more and more contractual obligations to get HITRUST or SOC 2 certifications, for example, for business associates. And that attention we expect to continue as being a major focus area as that data continues to expand outside the four walls of the healthcare entity, as well as in larger volumes of data. That means more breaches with third parties we can expect. That means more regulatory enforcement of those entities, and means more negative outcomes, as that data gets used and misused and abused in various ways.

Brian Selfridge: [00:10:01] We'll also see organizations investing more time and energy and money in the tools and services to handle third-party vendor risks. So a big uptick in focus on the cybersecurity scoring vendors. So these are your RiskRecon, BitSight, SecurityScorecard types of companies that are providing visibility into third-party risk. We see more investments in governance, risk and compliance tools, your GRC platforms, for tracking and managing audits, and the results and risks associated with third parties. We see a lot more focus on getting them services help, as there's just not enough resources on the typical internal information security program teams to keep up with the volume and scale of assessing third parties and then keeping up with them over time and making sure they've done the remediation they promised to do and keeping up with contractual obligations and those types of things. So we're also starting to see third-party privacy get attention in addition to security. While that's sort of a little bit more of an emerging area, the security side has a long way to go in terms of scaling up and getting attention to all the vendors where PHI is being shared for each organization, as well as starting to focus on the privacy controls as well. So we expect to see more breaches, expect to see more investments on the third-party fund as a major theme for 2020.

Brian Selfridge: [00:11:25] Another major theme for 2020 is getting a handle on unmanaged assets, and this typically plays out in the Internet of Things, IoT, or Internet of Medical Things, IoMT, or medical device arena, where entities are starting to move from raising awareness of the topic of medical device security, IoT security, and gaps in our controls and inventory management, everything else, into actually starting to make tangible investments in tools and processes to start addressing the asset management of understanding where we have IoT and medical devices, which of those devices pose higher risk than others, starting to put plans in place for segmenting those devices, for providing governance around which controls are going to be put in place for these devices that would be different from your other assets, your typical workstations, servers, network devices and all that good stuff, and mobile devices, of course, which still will get attention and require attention and maturity in those areas.

Brian Selfridge: [00:12:34] But what we're seeing generally from the industry is that folks are starting to invest in those tools that provide inventory visibility for which devices are on the network, where they are, what specific information about those devices will allow us to help patch them, like serial numbers, IP addresses, network locations, those types of things. The traditional asset inventories are just not built for or adequately reflecting that, from what we see in 2019 and prior. So we expect to see more tangible investments in medical device security along those lines, in patching those devices, building formal medical device security programs, building more asset management programs for IoT and IoMT, and putting people and processes around those to make those sustainable for 2020 and beyond, as opposed to just sort of a band-aid solution in the near term.

Brian Selfridge: [00:13:30] From a hacker perspective, we're seeing a lot more targeted attacks on healthcare entities, and those attacks are getting more informed. So we've seen a lot more targeted spear phishing attacks, and attacks that put some more homework and research into the entity that's being attacked, whether it's sending spear phishing emails from leadership to staff level and making things look more convincing and more specific to the organization. So there's that second-guessing that maybe this is legitimate. This does look legitimate. I know they're asking for credentials or whatever, but the attackers are realizing that they really only need one or two footholds in the environment in order to land and then expand their ransomware attacks, their hacking attacks, their exfiltration of data, or whatever other attacks may be going on. So we've seen an uptick in the volume of attacks and the sophistication of those attacks, which is also driving an increased focus on education, training and awareness for many organizations that we would expect to see continue this year into 2020. So that means more spear phishing, more phishing tests and engagements where we're simulating real-world attacks in order to allow staff and the employee base workforce to see what these attacks would look like, get on-the-spot training, and avoid these and be able to be a little bit more resilient to these types of attacks going on, which is becoming now just the required hygiene and ongoing maintenance thing for most organizations to continue that education, training and awareness above and beyond just traditional annual educations or quarterly educations or online Web-based training type things. So expect to see those trends continue. More specific training for different business units and departments that is more specific for finance or clinical folks or whatever business units are in place for your organization.

Brian Selfridge: [00:15:33] Coupling those attacks and attack vectors, we also see on the protection side this year a continuation of the cybersecurity talent shortage that we saw over the last several years, which is becoming increasingly a challenge for many organizations as the market heats up with the demand for cybersecurity talent. We're seeing organizations continue to struggle with turnover, continue to struggle with an increase in the salary expectations and requirements to keep and retain top talent or even solid talent in this arena. And budgets are starting to flex up a little bit for capital spend, meaning traditionally tools, products, processes, discrete projects where investments are needed. I would expect to see 2020 continue that trend, where organizations at the executive level are getting more awareness, putting more investments in cybersecurity on the capital side. However, we haven't necessarily seen the operating expense flex up quite as much, where the investments that are needed to invest in existing team members and salaries and bonuses and training, as well as maintaining competitive salaries for hiring new team members or dealing with turnover that happens, haven't ramped up quite as quickly, although there is more attention in that arena. So we can expect to see budget increases in 2020. But I'm not necessarily convinced that that's going to solve our cybersecurity talent shortage, as we need to continue to focus on bringing in talent from a variety of sources internally, externally, as well as investments in the training of existing team members to continue to build the capabilities that are needed to address these emerging 2020 security threats and protections that we've been talking about here.

Brian Selfridge: [00:17:27] Another big focus area for 2020 we've seen is around privacy and, in particular, the privacy of big data as it relates to companies like Google and Ascension Health partnering up for Project Nightingale, Amazon throwing its hat into the healthcare ring, and more and more capacities starting to take big healthcare data and do more innovative uses with it. But also not just the big organizations, but a lot of business associates, small, medium, and large startups, brand names, and everyone else getting their hands on identified and de-identified patient information for a variety of innovative purposes. But that's also creating concerns, issues, breaches, and attention to the privacy aspects of large data sets going out all over the place. And as that data gets out, it's not coming back once the cat is out of the bag, or I guess the toothpaste is on the tube maybe is the better analogy. We're seeing more concern about privacy, and the historical track record, particularly of large organizations, of investing in privacy protections and controls over the sometimes financially lucrative potential of selling data is not necessarily trending in the greatest direction, if we look at the news and even into Facebook land and other big organizations where we've seen that responsibility is not necessarily taken to the level arguably it needs to be. So we see the increase in some of the state regulations, California, GDPR, others, starting to try to tackle the privacy situation. The HIPAA privacy rule is still in play but perhaps does not have the teeth and the attention that it needs to really solve these 2020-level complex data challenges that we need. So, again, we'll expect to see increases in attention to privacy, more privacy scandals, more privacy breaches, and more attention on Capitol Hill and elsewhere around privacy-related topics and regulatory areas going into 2020.

Brian Selfridge: [00:19:47] And the last area we'll talk about here, for now, certainly there are more trends to highlight and we'll be getting to those throughout the year, is a continuation of the industry churn for more consolidation, mergers, acquisitions, affiliations between healthcare entities, business associates, payers, payers getting into the provider space, providers getting into the business associate space and all kinds of M&A activity in between, which is essentially just driving a lot more complexity for the cybersecurity functions. So we have cybersecurity teams getting mushed together. We have cybersecurity programs using different frameworks getting normalized and trying to figure out who is in charge and what processes are going to be put in place and how do we have consistent controls across an increasingly complex healthcare ecosystem as the data goes in many different directions, both internally within healthcare entities, but also to third parties, and that complexity is going to continue. We expect it to continue to drive challenges in the information security programs and the ability of teams to ensure their security programs and controls while keeping that complexity in mind, and trying to figure out how to prioritize the programs amidst all of that churn. So a lot more to come on that arena and otherwise.

Brian Selfridge: [00:21:08] But we will be issuing several updates per month. Every few weeks, we'll be providing the CyberPHIx Healthcare Security Roundup podcasts that will be short updates to give you a sense of what's going on in the industry, how are things moving and evolving? So please tune into that as well as our standard CyberPHIx interviews that we'll be doing with industry-leading experts on a regular basis as we continue to do. Please check out the sessions we've done in 2019 and prior, and we'll continue to keep those voices in front of you to hear from the security officers and leaders and privacy leaders and what they're seeing in the industry as well. So we're excited about heading into 2020, and from your friends here at Meditology Services, we look forward to continuing the dialogue of how to tackle these issues going forward and help to increase the healthcare security protections for all of our entities into the New Year. So happy New Year to everybody, and we will talk to you on an upcoming CyberPHIx episode soon. Thanks so much.