Farewell 2020 and Hello to a New Decade of Healthcare Cyber Risks


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Join us for a very special episode of The CyberPHIx, where we take a look back at the major themes in healthcare cyber risk in the wild year that was 2020 - and also look forward toward 2021 and the next decade of security, privacy, and risk management challenges for healthcare entities.

Listen in as CyberPHIx host Brian Selfridge explores a Top 10 list of healthcare cybersecurity, privacy and risk themes for 2020-2021, while outlining major trends and predictions for our industry heading into the new year. Highlights of the discussion include:

  • Healthcare shifts its focus toward patient safety and operational impacts of cyber events
  • Remote is the new normal: security and privacy impacts for adoption of telehealth and telework models
  • Class action lawsuits change the playing field for financial impacts related to cyber events
  • Breach trends and the escalation of hacking attacks on healthcare entities
  • New privacy and security regulations and enforcement are steady despite political and social volatility
  • Third-party vendor risk becomes a dominant focus for security programs
  • Cloud security emerges as its own specialized security domain
  • Enterprise risk reporting becomes the “must have” skill set for security leaders and programs
  • Increased automation of security processes and capabilities
  • Staffing shortages for cyber talent and the rise of managed security services


Take a look at our Top 10 Healthcare Cyber Risk Trends for 2021 infographic for a visual representation of these emerging trends as we head into the new year.


Brian Selfridge: [00:00:11] Hello and welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. Each episode, we bring you pertinent information from thought leaders in healthcare information security and privacy. We have a very special episode today where we'll be taking a step back to look at the year in review for major themes in healthcare cyber risk in 2020. We'll also take an informed crystal ball out and make some predictions for trends that we expect to take shape in 2021 as we look to tackle the next decade of security, privacy and risk management challenges in healthcare. We'll be following a top 10 format for the discussion, although all 10 areas are equally weighted. So no need to wait for number one or number 10 to find out where you need to focus your energy this year. As a summary statement, I think it's safe to say that no one is particularly looking forward to any repeats of 2020. What a tough year from a cyber risk perspective in healthcare. However, I do anticipate many of the themes that cropped up in 2020 to continue to play out into the New Year. So it's worth looking back from that perspective. So let's dive into our top 10 themes from 2020 and look forward to what's likely to come in 2021.

Brian Selfridge: [00:01:23] #1 - All right, topic number one: healthcare cybersecurity is shifting away from a purely compliance-driven function into more of a focus on patient safety and operational impacts associated with cyber events. So we would be remiss if we didn't talk about ransomware in a 2020 lookback, right? I know you're all probably tired of hearing about it to some extent. The attacks this year have exposed that too many health systems are just not prepared for a coordinated attack. This results in major infections and losses of money, quality, patient safety and lives in some cases. And we'll talk about that sort of threshold event that we passed this year in a moment. So some of the quick summaries of the attacks that we've seen and the ways in which they've changed and evolved in 2020, specifically from a ransomware perspective, are: we've seen an increase in the frequency and scale of attacks. So we had the FBI alert of a credible and imminent threat against the healthcare ecosystem toward the tail end of this year. And that's just a symptom of a larger trend where more and more bad guys are getting access to ransomware capabilities and are seeing the dollar signs in their eyes and the ability to monetize these attacks specifically in the vulnerable healthcare industry. So we're seeing more attacks, concurrent attacks happening at the same time, sometimes from the same actors, sometimes from other actors. And most important, we're seeing major impacts to patient safety and clinical operations that are putting ransomware front and center for healthcare entities in ways that healthcare cybersecurity has never really been in the spotlight in that sense.

Brian Selfridge: [00:02:53] We saw the attack in Germany that resulted in a patient death, where a patient had to be diverted from the facility. That's a first for us to actually be able to tie back a ransomware event to a specific adverse patient safety outcome. Although I think we all know in this field that the likelihood of such an attack and incident is very high and that we will likely expect to see more patient safety related incidents being reported, if they haven't already happened to a large extent. And attackers are demanding payment in ways that they never did before. It used to be: we need payment if you would like your systems released and available, and get those encryption keys back so you can get back to operating capabilities. But for organizations that do have good backups and are able to say, no thanks, we're not going to pay the ransom, we're good, the attackers are demanding the payment or else they will release the data, which they've stolen and taken as part of the ransomware attack, into the public. So you have this sort of confidentiality and privacy issue to deal with in addition to, or maybe in place of in some cases, operational outages related to the attacks. So the attacks are sort of becoming more multithreaded. Regulators like OCR and, in fact, the financial folks (OFAC) are now requiring reporting of ransomware events, which may also lead to fines related to the same.

Brian Selfridge: [00:04:12] We also have class action lawsuits for ransomware (and hold your thoughts on that, that's going to be another one of our themes in a moment) that are resulting in not just worrying about OCR, but also worrying about the community and legal repercussions from states and local communities that are issuing these lawsuits. And the final thought on ransomware, particularly, is that ransomware has become more of a commodity for the bad guys. There are software-as-a-service models out there. You don't need as much technology knowledge or sophisticated hackers to be able to launch a software-as-a-service based ransomware attack. You can buy these for about three hundred dollars. They work really well, extremely powerful. I'm not suggesting that you do that, but the bad guys are. And we need to be aware of that as we head into the rest of this year and next year. And on this theme of patient safety and operational impacts, we still have right up front and center our medical device and IoT security concerns, where this remains a critical weakness for the industry. We have legacy devices. They aren't patched frequently. Even the new stuff that's being built, while there are improvements being made in the medical device manufacturing space, we still aren't at a place where we are consistently releasing secure products to the market from a medical device and IoT perspective and/or cleaning up the old ones that we have.

Brian Selfridge: [00:05:28] And so medical devices continue to be a weak point, an entry point for the bad guys in many cases, and also the potential for patient safety impacts as these devices become unavailable or begin to behave in ways that they weren't designed to do. And so we could do a whole podcast on that. But that theme, and our ability to understand what we have in the environment, the inventory, what's in use, what medical devices we have, what vulnerabilities they expose us to, and be able to prioritize which devices we go out and remediate and fix, because fixing them all at the drop of a hat is a costly, difficult, if not impossible undertaking. So we have to prioritize. And that's going to continue to be a major theme this year as we figure out how to take that forward with a combination of technology and emerging technologies, as well as classic good old people and process, which we need to figure out, coordinating all the parties involved. So what's next for the attacks and the patient safety and operational impacts? Well, there's some silver lining in that. The ransomware attacks in particular have raised the awareness of the vulnerability of the healthcare ecosystem to a large degree for these cyber attacks. We're now getting not only board-level visibility, executive-level visibility, but also the layperson and the public at large is becoming more aware of these attacks and what they do and how they work, maybe not necessarily how to stop them, but that's our job.

Brian Selfridge: [00:06:52] So we're seeing some short-term focus and increased awareness on phishing attacks and protections, for example. Incident response is getting more attention. Expect to see more tabletop simulation exercises this year into next year. Now, we still are a bit too reactive with these types of moments. When we see big, large-scale ransomware attacks and other things hitting the industry, there's a big flurry of activity. And then we fall back into our old ways of just waiting for the bad thing to happen and then trying to clean it up, which I think we all know is a much more costly endeavor; a little bit of prevention goes a long way toward curing what ails you. So another theme that we look into next year on this front is that, you know, cash is still very tight on the healthcare delivery side in particular. We've had Covid to deal with. How have I gotten this far into a 2020 recap and not mentioned Coronavirus? Well, we have a major fiscal challenge associated with having to divert funds, attention and energy toward a global pandemic.

Brian Selfridge: [00:07:52] And while we still are seeing sustained investment in cybersecurity in 2019 and 2020, pretty consistently, the uptick in investment that's needed to really keep pace with these ransomware actors and other bad guys and other threats is going to require some additional funding. And it's not yet clear if health systems are going to be able or willing to make that investment to ramp up cyber protections, to be able to reduce the likelihood and impact of these types of events.

Brian Selfridge: [00:08:21] #2 - Topic number two, remote is the new normal, and we'll talk about the sort of remote workforce aspect of this, which I think is something that Covid has introduced in 2020 to us all. But I think the most important change this year has been telehealth adoption skyrocketing. You know, we've been talking about telehealth for a long time and making forays into this and specialized applications, but we've never quite gotten it right. Arguably, we still have a long way to go. But we've seen telehealth adoption not only of niche tools that provide these services, but also just basic teleconferencing tools being used for telehealth. And then some of the relaxation in the regulations and enforcement around those have really led to more meaningful use, no pun intended, actually, maybe pun intended, of telehealth applications. And as a result, we've seen more scrutiny on the information security of those video conferencing capabilities. We've also seen some breaches this year already of telehealth applications, like the provider Babylon Health, who had telehealth appointments that were recorded and then able to be viewed by other patients, and all kinds of bad stuff. So we'll expect to see more scrutiny and attention on telehealth as that deployment continues. But I call it sort of a shotgun deployment. We're just going, everybody's running fast and hard.

Brian Selfridge: [00:09:41] And that usually means we're going to expose some security risks, privacy risks, and also have to do some cleanup after the fact, which is where I see 2021 really becoming a stabilizing, rallying around a handful of solutions to make sure that we're looking at the security configurations and capabilities in those specifically. Now, I mentioned the remote workforce a moment ago, and that is definitely another theme that is shifting in 2020 and into 2021. You know, much of the workforce has moved remotely. We have folks working from home from all spectrums of the healthcare community, from providers to administrative staff to IT; just about everybody in some way, shape or form has had some sort of remote work capability. Now, this has had some changes and implications for how we secure our "networks." And I put that sort of in air quotes because the networks are now extended to things like home routers and systems that folks are using at home, in addition to our sort of Fort Knox secured networks that we try to create on the formal IT side of things as well. So our networks are becoming more fragmented and distributed. And any time you have fragmentation, distribution, complexity, your security, you know, graph goes up, the curve goes up on breaches, events and incidents. So I think we can expect to see that if we look into next year. I don't think the remote workforce is a temporary phenomenon. I think a large portion of the workforce is going to retain some degree of remote workforce capability, which is good for a lot of reasons, but also lingers on those security issues for some time to come.

Brian Selfridge: [00:11:17] As we sort of live with that as the new normal, I think we can also expect more focus and investments on things like digital identity management and protections that follow the data, so to speak, and follow the user, rather than relying on traditional fortified networks alone and saying, OK, we're just going to lock down the hospital network and we'll be good. It's going to be all about where the systems are going, where the access goes and where the data goes, and wrapping protections around those at every step of the way. We'll also talk in a moment about cloud security and some aspects that I think are going to play into this whole remote work thing. So we'll elaborate on this a bit further in a moment.

Brian Selfridge: [00:11:53] #3 - Item number three is one that I think is still largely overlooked. This is the one: if you pay attention to anything else in this whole discussion, pay attention to this one. And that is class action lawsuits. I'll say it again, class action lawsuits. Don't take your eye off of this ball. There are big, big numbers in class action lawsuits this year in 2020 that have been far eclipsing OCR fines and other fiscal penalties related to breaches. We've seen mega fines and legal costs totaling more than two hundred and seventy million dollars just for two breaches alone of health insurers, Premera and Anthem. So looking at those OCR penalties, the state fines, the class action lawsuits, when you add those up, you're getting very, very real numbers very quickly.

Brian Selfridge: [00:12:36] We saw UnityPoint Health in Iowa this year have a $2.8 million class action lawsuit related to phishing breaches in 2018. We saw a $350k class action lawsuit very recently for St. Francis Healthcare related to a ransomware attack. We saw an attack on DCH Health in Alabama that led to a ten-day downtime. And guess what? Class action lawsuit. So these numbers are getting very big, multimillion-dollar settlements. And that's in addition to any sort of OCR exposure. It's in addition to operational costs and downtime. It impacts fiscal, you know, sort of turnarounds that you have with outages, and all the patient safety stuff we talked about before. So you keep adding these numbers up.

Brian Selfridge: [00:13:20] And you can see that class action lawsuits are really going to be a game changer for us going into 2021 for sure, and it's almost as if the industry is kind of self-regulating a bit as communities and patients come together and say this is not acceptable. These breaches, from a privacy and security perspective, are not acceptable to us as we place that information in the hands of our healthcare ecosystem. It's also forcing some of the HIPAA-centric and compliance program perspectives to come to terms with the need to build programs that do more than just check the box on HIPAA and say, OK, we've got the right policies and procedures, but have to take a hard look at figuring out: are we making the right investments, or do we need to step up and ramp up that investment to actually mature our security programs in the detection, prevention and response to breaches, in addition to our compliance obligations? So that's a major shift. Whenever you have the dollars that we're seeing with class actions sort of behind them, in addition to OCR and others, I think we're going to see some real changes in the walking and talking of security programs for many organizations that have really been falling behind.

Brian Selfridge: [00:14:25] #4 - Item number four, breaches are escalating. No surprise here, but I want to point out that 2020 was the first year in the history of our field where hacking and malicious activity from external actors has become the number one source of breaches in healthcare, finally eclipsing the lost and stolen devices category, which has been dominant for the last decade as the top breach source.

Brian Selfridge: [00:14:51] And that has in part to do with the encryption capabilities and adoption that we've seen, also with OCR's focus in the last 10 years on making sure encryption is a priority for laptops, USB devices and the rest. So by all means, you've still got to get that stuff taken care of. If you haven't encrypted your devices and that's not on your roadmap, you are way, way, way behind. And you can expect to see some activity and enforcement around that. But we now see category number one is these hacking activities. And so healthcare remains a relatively soft target compared to other industries. This is why the bad guys are after us. We have a very large tech footprint. We have troves of valuable data that can be sold in a variety of ways. We have kind of lackluster security controls deployment compared to some other industries, things like patching medical devices, which we talked about a moment ago. And it takes an average of three hundred and twenty-nine days to detect and contain attacks in healthcare. That's according to IBM and Ponemon's report they put out this year. And that's not good.

Brian Selfridge: [00:15:53] That's almost a full year before we identify and contain attacks, and we're paying ransom because our business continuity, disaster recovery and incident response processes specifically related to cyber attacks are just not mature enough. So as hacking surpasses the lost and stolen devices category, the bad guys are monetizing healthcare breaches through a variety of avenues. Of course, ransomware, which we talked about, which can average in the millions of dollars of Bitcoin payments. We have the ability for bad guys to sell PHI or health information on the black market, either for medical identity theft, traditional identity theft, medical claims fraud, prescription drug acquisition and so on. So there's a lot of different ways to get money out of the same data and the same healthcare breaches. So the bad guys are seeing us as a juicy target. And then that same IBM Ponemon report I mentioned lists healthcare as once again the top industry for the highest average breach costs, for overall averages. And that is a major problem that also continues to put us at the top of the list, not only of the volume of breaches, but the total impact to the industry overall. And, oh, by the way, we are distracted with a global pandemic. Right. And that's not going away. As the clock ticks over from December 31 into 2021, the pandemic will be with us to some extent, and hopefully on a trailing end as we head into next year.

Brian Selfridge: [00:17:22] Hopefully we're talking about how it went away and we took care of it and all that. But we do have a remote workforce. We've got the pandemic to deal with. We have budget cuts to deal with, and furloughs and all kinds of things that we're still recovering from for some time on the delivery side. So expect these breaches to continue into next year. You can certainly count on that. You can certainly count on ransomware attacks increasing in scale, and they don't appear to be letting up. And I think if you are looking realistically at your program for 2021, you can expect to be responding to one or more incidents of active intrusion and hacking and malware next year. So that just leads to not only, you know, continuing to focus on prevention as much as we can, but also spending cycles and energy on incident response and understanding how we're going to limit the damage when the bad guys are able to make some progress in our environment.

Brian Selfridge: [00:18:13] #5 - Number five, new privacy and security regulations and enforcement are steady despite political and social volatility. So what I mean by that is we've seen a steady amount of OCR enforcement, just like a drumbeat. The settlements are coming out. They're following the same themes that we've seen in 2018, 2019, 2020. Multimillion-dollar settlements, civil monetary penalties, lack of risk analysis, lack of encryption, all the usual stuff, and we could go through all the themes. You know, separately, we did a webinar this year with OCR giving a recap of the year. So you can check that out if you want to go sort of line by line through that. But OCR is very busy.

Brian Selfridge: [00:18:53] We also have state privacy regulations like California's and several other states' that have not only been enacted, but are now sort of getting into the enforcement stages, and they're all on the heels of GDPR. So GDPR, from the EU perspective, is having a large influence on the way in which state regulations are written around privacy and security controls in the U.S. I think that's going to continue. If we look at 2021, I think we can expect to see more state regulations piling up. We can expect to see the resumption of some of the federal cybersecurity regulations that did lose a little bit of focus in the prior presidential administration. I think we expect to see enforcement of all the above start to get traction and even, I think, inching toward more of a GDPR-esque national healthcare privacy and security type regulation. So whether that will be in calendar year 2021 or maybe shortly thereafter, not sure.

Brian Selfridge: [00:19:49] But I think that's certainly coming. So getting ready for those by understanding how you comply with the existing state regulations, which are in large part, I think, going to be copied and pasted, some of the major provisions, into these federal regs, I think is a good place to put some energy and attention, at least to get smart on it for now, and then start to build your capabilities around it before it becomes this huge scramble as these regulations get a foothold.

Brian Selfridge: [00:20:14] #6 - Topic number six is third party vendor risk. How did we wait this long to talk about third party risk? Geez, there is basically a new chessboard and a new playing field for healthcare cybersecurity and privacy risk that has come about, you know, I think organically across the last decade, but really coming to a head in 2020. So data is being shared with third parties at an exponential rate. The digital footprint we have, and that we need to protect, is growing so large that most healthcare cybersecurity and risk teams just can't keep up. Regulations like the 21st Century Cures Act, which is another big game changer for us this year, are further accelerating the access and the sharing of data to third parties, including smartphone app providers and other really, really cool, innovative technologies and places, capabilities, systems, applications.

Brian Selfridge: [00:21:01] But that means that the data has already sort of left the station, so to speak. We use sort of the train analogy. Our data is going out in a bunch of different directions on a bunch of different trains and tracks, more than we can count, more than we can even keep our eye on.

Brian Selfridge: [00:21:15] And we now accelerate that with regulations that are promoting and requiring technology to push that data out further, on more tracks than before, more places than we've ever seen before. And then you couple that with the fact that the breaches of third parties are escalating because, frankly, third parties, especially in healthcare, don't have a great track record on cybersecurity. That is improving in some aspects. But every new startup, every new small organization in particular, that we provide our patient health records and other sensitive information to needs to have time to mature, to grow a security program and have cybersecurity expertise, which is in demand at the moment. So they're doing their best to scrape by and deliver on their services or their capabilities or applications. And cybersecurity still isn't always getting proper investment. So I think that's going to continue. You add up data going everywhere, more vendors, weak security, and the breaches just keep rolling. We also have security standards bodies like NIST that have released updates to adjust to this new normal of third party supply chain and/or risk challenges. So we saw NIST 800-53's update this year, where they added the supply chain risk category to Rev 5. It's the first update in years, and I think we can expect to see that driving some more attention and adoption of third party supply chain risk. We'll see more breaches and enforcement activities. Again, we had that joint presentation with OCR and we have a recorded webinar that you can check out.

Brian Selfridge: [00:22:44] But there the big theme was around third party business associate risk, highlighting the cases in which Covered Entities have been fined for their lapses in business associate third party risk. We also have just the costs of the risks and the breaches themselves associated with third parties. So a lot of reasons why third party vendor risk, TPRM, whatever acronym you want to use, is going to be really at the top of the list of risk program focus areas for 2021.

Brian Selfridge: [00:23:14] #7 - And a related risk, I'm going to point out, we'll move on to number seven here, which is cloud security. Cloud security is becoming a whole new domain unto itself, and even a whole new skill set that's required for security programs. And I sort of nest this a little bit underneath third party risk because cloud security is essentially kind of a variant of third party risk, as we're outsourcing our hosting of the sensitive data to cloud-hosted platforms through these third parties. And we're learning that you can't just outsource the risk, and that sharing information with the cloud-hosted third party creates a shared responsibility model for cloud environments. And I think that awareness wasn't always there in the last decade, and it's sort of coming to a head in 2020. And so we'll need to build robust and reliable cybersecurity and risk management processes specifically around cloud configurations. Which parts do we retain? Which parts do we own? Which part is the responsibility of the vendor? And how do we get the validation, the verification, that they are doing the right things on their end of the bargain to secure the ecosystem? So we still have a very, very long way to go.

Brian Selfridge: [00:24:20] And we'll also need to be training up and hiring cloud security specialists. I think that's going to be a whole new field that will have its own dedicated specialization. So what can we expect to see in 2021? I think we can expect to see third party risk becoming really a primary focus of risk management programs in the next two to five years. And by primary, I mean it's going to be most of what we do. Most of our data will be out with third parties, will be in these cloud hosting environments. And the skill sets we needed to create a whole security ecosystem in our own proprietary networks are just going to be less relevant as the data is largely not here anymore. It's going to be mostly about securing third party environments. We can also expect to see security certifications like SOC 2 and HITRUST become hard-line requirements for sharing healthcare data. Many organizations have already started to go that route. I think the momentum is moving in that direction because it's simply too costly for every single healthcare entity to do a full-blown audit and understand the security controls of every single vendor they deal with. That problem just doesn't scale. So we need to rely on things like SOC 2 certifications, HITRUST certifications to get that external validation, as well as rely on things like exchanges and information for third party vendor risk that can allow us to reuse information in responsible ways that reduce the burden of the volume of assessments we need to be conducting.

Brian Selfridge: [00:25:48] If you're a Covered Entity, or responding to them if you're a vendor, that just doesn't right now happen very efficiently or cost-effectively. And so expect to see changes there, and we can expect to see that cloud security specialization crop up for teams. I think we'll see recruiting, cybersecurity strategic planning around cloud environments. We expect to see more specialization and resumes that are focused on this. So all those reasons are good reasons to pay attention to third party risk and cloud security risk.

Brian Selfridge: [00:25:48] #8 - Number eight is enterprise risk reporting. Historically, as a cybersecurity and privacy function, we've been very kind of IT-centric. We've been very technically oriented. That's changing. And it's created a bit of a handicap for us, especially those of us like myself that kind of grew up in that more IT-centric view, in being able to communicate cyber risk in a way that the business can understand, using the right terminology, understanding business integration and how our risks can be understood and decisions can be made at the business level, and getting away from this reporting of just the volume of vulnerabilities or how many missing patches we have, all of which are important, but really helping organizations understand what the potential impact to our business is if we do this or if we don't do that, and what type of financial risks, what type of compliance, what type of patient safety, all the stuff that we've been talking about earlier.

Brian Selfridge: [00:27:17] We need to get better at that. And I think 2021 is, we're seeing signs that this is the year when we're really going to make investments in that skill set for the cyber risk teams. So I always joke that information security and information risk is getting kind of yanked out of the basement of the hospital and into the boardroom. That's where we used to sort of just be buried, there somewhere under IT. And we're still working to build and refine those skills, to deliver visibility and decision making to the business. I think we'll also expect to see in 2021 more integration with cyber risk standards like FAIR for objectively measuring risk, and consistently across organizations, and understanding the financial impact of those. We've got a really long way to go to that level of maturity. We've got some pretty basic stuff we need to figure out ahead of time. But I think this is the year where we really start to get better at reporting risk, visualizing risk and tracking decision making around risk in a way that we can see if the investments we made are making a difference or not. And really, until you get to enterprise risk level reporting, it's hard to see that in a way that compares apples to apples with other risks that the business is having to undertake.

Brian Selfridge: [00:28:24] #9 - Number nine, we've seen more automation of security processes and capabilities, so that doesn't necessarily mean more tools. We've had plenty of tools over the last decade. In fact, arguably maybe too many. It's hard to find that there's so many point solutions and aggregate solutions that it's hard to choose which tool or tool sets to apply to any given security program because of all the noise and all the choices that are out there. But in part, that's been a good thing. I think we're seeing more consolidation of those. We're seeing smarter tech integrated that takes the different components of threat intelligence and response and prevention and starts having them communicate to one another. We have some, you know, fledgling machine based learning and air quotes, AI type of technology that's helping us be smarter with the technology we do have, take advantage of the data that we have access to and draw some conclusions from it and even act in certain ways that don't require a human being to look at troves of bits and bytes flying across the network, try to make some sense of them and stop the bad guys before they get their attack. That's just not realistic. It's not scalable. And I think we're getting more of that automation that's helping us keep pace with the automation in the scales of attack that the malicious actors are putting in play for us.

Brian Selfridge: [00:29:40] #10 - Number 10 on our top 10 list, again, no particular order on these, but this is the last one that we'll measure as a theme for this year and into next year is staffing shortages for specialized cybersecurity resources continue. We still don't have enough good soldiers out there that have the right skills and experience, particularly in health care, to address the growing need for maturing and building cyber programs and addressing the risks that we've been talking about all along here. So, you know, health care continues to struggle also with this, in part because recruiting and retaining top talent is difficult as we go up against other industries that may be able to pay more aggressive rates. We talked about cash being tight on the provider side in particular. So it's hard for us to hire the best of the best and be able to retain those folks. We also have geographical limitations in many health care organizations where you don't exactly have tech hubs and talent in major cities in some cases where you can pull these types of cyber skills up front and bring them into play, although the remote workforce aspect is changing that a little bit. And one of the big themes that I'm looking to see if this plays out, but I suspect it will, is a lot of health care entities are going to change their very sort of rigid approach to hiring locally, which is a good objective in many, many ways. But if you just don't have the talent there, I think we've learned that remote work and remote workforce is absolutely doable. And hopefully that's opened the eyes of some organizations that might be able to expand their talent pool to other geographies and be able to have cyber talent that's available from other locations.

Brian Selfridge: [00:31:13] And we also see things like the virtual chief information security officer roles gaining more prominence where especially for small midsize organizations, you may not need an on staff dedicated CISO that is going to cost more than you can afford or there's not enough out there that have the right experience to meet your needs. So getting sort of a partial CISO or virtual CISO (vCISO) is also a trend I think is going to continue, especially for the smaller organizations. We also see managed services coming into play, managed security services to help with the cybersecurity shortage. So there's no reason for every hospital in the United States, for example, to have its own full blown information security Network Operations Center, Security Operations Center that has 100 people in it, watching all the attacks and adjusting. And that would be great if we could afford that type of headcount. But we really can't. And so leveraging managed services models for not just network operations, which has been sort of one of the predominant themes, but things like third party risk and medical device security and other areas that we're talking about having shortages and challenges, we'll start to see more managed services organizations providing services, capabilities coming out to help sort of pool those resources, specialize those resources and help us deliver those capabilities in a more cost effective way to the industry as a whole.

Brian Selfridge: [00:32:35] So that's it for this episode of the CyberPHIx. I hope you've appreciated this very special look back at 2020 and a look forward into 2021 as we start thinking about the major themes that we can expect to learn from the past here and address in the coming year. And I think if you look at these sort of one by one, you can see the reasons why many of these themes are not going away and are going to linger well into 2021, 2022 and beyond. So let's get ahead of them as best we can and avoid sort of the reactive look at the industry and hopefully make the investments we can to avoid the pain and suffering and patient safety and compliance issues that crop up when we miss the mark on it.

Brian Selfridge: [00:33:19] So thank you all for everything you do to protect the health care organizations and the patients that we serve. I look forward to helping you through this journey, as does the entire Meditology team here. Wish you a great happy New Year as that arrives and holidays, and may you be safe and healthy into 2021 as we all recover from what 2020 did to us.

Brian Selfridge: [00:33:43] One last point to note before we close out the year, we want to give a big thanks to the Philadelphia based band Steady State, who provided us with our theme music this year and released their self-titled album in 2020. Check them out at www.steadystateband.com. And we will leave you with a snippet of the full chorus that you listen to on this song every time on our episodes. And you can listen to it on the way out here. Thanks so much and have a great rest of your year.