Top 10 Cyber Risk Exposure Trends and Predictions for 2023

PODCAST TRANSCRIPT

Britton Burton: [00:00:14] Hello and welcome to The CyberPHIx your audio resource for cybersecurity, privacy risk, and compliance for the healthcare industry. I'm your host, Britton Burton. We have a very special edition of the podcast today where we're going to make some bold and maybe some not-so-bold predictions about the state of the healthcare cybersecurity industry heading into 2023. I'll qualify our opinion a little bit here. Our company, Meditology Services, provides cybersecurity privacy and risk support for hundreds of healthcare entities across the country. And our sister company, Corl Technologies, assesses thousands of vendors and products each year as a service center technology solution for managing third-party risk. So I say that just to say that we've been tracking macro trends of threats, risk exposures, regulations, enforcement, and just best practices in general for health care, cybersecurity, and compliance programs for a number of years. Through our two companies, we work with our clients. We work with regulators, partners, and many of the other key players in the healthcare ecosystem. And of course, for our loyal followers of The CyberPHIx podcast, you know that we've also been tracking events and trends on a week-to-week basis with our Roundup podcasts and in our routine interviews with healthcare, cybersecurity, privacy, and compliance leaders for years now. 

Britton Burton: [00:01:30] So we're going to tap into all those insights as we look forward into 2023 and make some predictions. Hopefully, this means that all these predictions are grounded in reality and the perspective that really does cover all aspects of the healthcare cybersecurity industry. We've taken time to compile these top cyber risk exposure trends and predictions for 2023, and we really want to help you map out your defensive strategy and your proactive strategy for heading into the New Year for things that you might want to keep an eye on. So this should be fun as you're finishing wrapping your presents or prepping for that New Year's party or maybe recovering from the holidays in early January. Give this a listen and tell us what you think. All right. So let's jump into the predictions. Our number one prediction for 2023 and spoiler alert or reverse spoiler alert. 

Britton Burton: [00:02:27] It's the same prediction as we had for 2022. Ransomware attacks are going to increase in frequency and impact patient safety, operational disruption, and financial performance for healthcare entities. Look, I don't think you have to be a soothsayer to make that prediction right. We're all seeing it. We know what's going on in the environment out there. We know how impactful it is to operations and how likely, especially healthcare victims are to pay the attackers who are coming at us. It is the dominant method of attack and compromise right now. Ransomware attacks are also evolving into these double and triple extortion ransomware attacks where attackers threaten to, first of all, compromise and steal the data and then ransomware systems and then as a part of the notice, threaten to release that data to the public because it increases the likelihood that a victim is going to pay. You may have strong backups and disaster recovery and business continuity plans. No one's perfect there, but maybe we've gotten a little better and maybe you're a little bit more likely to pay. If on top of just recovering your systems, you have the threat of your data being released and still facing all the consequences that come with sort of the traditional data breach. So I don't think ransomware attacks are going anywhere, unfortunately for all of us, in some ways, it at least has the attention of the right people that we need to support us and to help move our programs forward. 

Britton Burton: [00:03:50] But obviously ransomware itself is just a scourge and causes so many problems for not just costs and i.t. And security people, but real operational impacts and human life impacts that we're all aware of. And unfortunately, attackers know that motivates payments. So don't think those are going anywhere. Prediction number two health care vendor breaches increase in frequency cost and severity as cybercriminals target healthcare and clinical delivery moves into patient homes via third-party solution providers. So this is something that we've talked a lot about on the call side of our company. As the technology revolution explodes in health care and as health Iot and wearables  and the consumerization of health care, we talked about that a little bit in the last roundup is that all continues to trend up. You're just seeing more and more technology players in the healthcare ecosystem, more and more vendors as custodians of the data that we have as healthcare entities and the attackers are aware of that, they're shifting to the vendors. In many cases, that is because smaller vendors have less resources, maybe newer to the market, focused on product development and selling a new widget and security may be lacking in comparison to some of the larger, more mature healthcare entities. That is definitely going to continue the technology revolution. If you've heard me talk about it in some other cases, is we're certainly not at the very beginning of it, but I think we're more towards the late beginning of this technology explosion and certainly not at the end. 

Britton Burton: [00:05:24] And that usually that that beginning of technology explosion usually comes with inadequate security, as it's usually a race to build new cool products that you can sell to the market. And then security comes along later. That tends to happen, at least in my opinion, with any kind of technology revolution in any industry. And we're just experiencing that in health care right now. So as vendors become more involved in the health care ecosystem, as we rely on them more for critical business processes to gain efficiency, to reduce cost, the data and the connectivity has to go somewhere, right? And so it's got to be protected all along the continuum. And I think vendors are more in the crosshairs than they've ever been for the attacker. Number three builds off of number two a little bit. But specifically, cloud-hosted platforms will become the primary custodians of electronic patient information, and cloud Misconfigurations will remain a top source of data breaches. So I referenced vendors becoming more custodians of sensitive data in number two. And number three really is hyper-specific to, I think beginning in 2023. Well, really it's already begun, but it will reach sort of a crescendo in 2023 and beyond. 

Britton Burton: [00:06:41] Cloud-hosted platforms will actually become the primary custodians of on-prem. We'll never completely go away, I don't think, at least not the in the near term. But more and more dependence on cloud. You're all aware of this. This is happening in every industry and health care is no stranger to it as well. Cloud [00:07:00] platforms allow elasticity, allow speed, allow efficiency and cost reduction that we just really can't match on prem and the digitization of health care. The digital goals of health care, business leaders, and clinical leaders require more focus on cloud, more move to cloud. And it's just it's an inevitability at this point. That means that the health care entity, the covered entity themselves, I think, is not going to be the primary custodian of PHI any longer as we move into 2023 and beyond. And as you all are aware, Cloud Misconfigurations are routinely the source of these breaches that we see. It's a very difficult problem to solve. So many of us are in hybrid cloud, multi-cloud. Your tool situation is all over the map. Because of that, the ability to even have visibility into your attack surface to know what's going on is very, very difficult. And then you have to triage alerts and have people who can interpret the different toolsets. And it's very, very difficult to manage. And misconfigurations can happen so easily as the the sort of traditional server sys admin type of role gets pushed to the left into the hands of developers. 

Britton Burton: [00:08:17] It's all needed from a speed and efficiency standpoint, but we're still pretty immature in the security space and how we actually manage it effectively. And I think those misconfigurations are going to continue. And as cloud platforms become the primary custodians of data, you combine that with still not great at just handling configuration management. This seems like maybe not that bold of a prediction number four, and it actually also builds off of numbers two and three boards increased focus and investment on third-party cybersecurity risk management. As awareness of the healthcare organization's dependence on vendors for critical business operations grows and as breach events escalate. So obviously, we just talked about more vendors in the health care space, consumerization of health care cloud platform, specifically becoming that primary custodian of data breaches in both instances increasing and not just breaches, but ransomware events, operational disruption events are increasing and that is going to capture the attention of the nonsecurity people more so than maybe it has, you know, for several years. I think one of the talking points of from a prediction standpoint is that boards are going to pay more attention to cybersecurity in general because of understanding its potential impacts to the business independent of third-party risk. Right. Just cybersecurity in general. And I think this prediction is more focused on actual awareness outside of security about how bad the problem is in third-party risk management and how impactful it can be, because we are depending on third parties for so much more of our critical business operations than we were a decade ago. 

Britton Burton: [00:10:00] It's just the nature of the beast. And as that realization comes to the boardroom, to the business, to again, to nonsecurity leaders, there's going to be increased focus and investment on solving that problem. I do believe we can solve this problem. It's a hard one. It's one of the hardest ones in security. I do believe we can solve it. And if we get the right focus from the right people, that will sure help a lot. Okay. Moving on to number five, going down a slightly different track here. New industry standards and guidance will establish [00:10:30] baseline expectations for health care, cybersecurity programs, and enforcement. For example, OCR has recognized security practices and services, and cyber performance goals. Now, if you've listened to the last two CyberPHIx roundups from November and December, these may not come as a surprise to you because we we deep dived the cyber performance goals from CISA and the recognized security practices from OCR. We also have a couple of blog posts on these. If you're if you're wanting to understand a little bit more about [00:11:00] them, we're also seeing a lot of momentum with HHS and some things like Chickpea or Hiccup that are establishing these kind of baseline acceptable standards and doing so in a really responsible way. 

Britton Burton: [00:11:12] I'm a big fan of them because they are not rewriting entire frameworks and ignoring work that's gone on for years from organizations like NIST that we're all following to some degree and using in our programs. And I love seeing that they're building on top of these and sort of giving [00:11:30] some starter guides to get into these larger frameworks that are so, so complex and overwhelming. If you're starting from scratch or even if you have a mature program and you're kind of needing to re-baseline against a standard. So I think you'll probably start to see whether it be lawsuits or settlements that occur where it cites an organization's lack of following the RSPs or the CPGs or something to that effect, which, you know, is [00:12:00] probably good. It gives us a little bit clearer bar to shoot for than we've all ever really had with HIPAA, where you're just looking for reasonability. What is reasonability? Let's work towards reasonability. And then the flip side of these lawsuits that might occur for lack of following something like RRSPs or CPGs, I think we'll also see cases dropped and resolutions reached because of the fact that an organization can prove that they're following minimum security practices and things like the CPGs and the RRSPs and P's and so on, and all the Ps. 

Britton Burton: [00:12:34] And so as more things like that occur, you're just going to naturally see these types of baseline expectations become baseline expectations because of the sort of legislative and legal activities that surround them. And they'll sort of crystallize into you just have to be doing these things and you need to be able to prove it. All right. Now number six, which directly builds off of number five. We believe that federal and state governments will target healthcare, cybersecurity with new laws and ramped-up enforcement that build off of these newly established baseline expectations for health care and critical infrastructure. Cybersecurity. Look, we just said we think we'll see lawsuits won and lost based on whether or not you can prove you're following some of these baseline expectations. And that will kind of crystallize in the industry as this is now the standard. I think you're also going to start to see law-making around that. And the north winds are really already there. I mean, how many headlines have we seen in the past year from Senator Warner's white paper on stricter rules around cybersecurity, potential new rulemaking from the SEC for publicly traded companies in terms of incident reporting and risk management reporting, the FTC's increased scrutiny, FDA's increased scrutiny. Every three-letter agency seems to be creating some new rules or at least pondering creating new rules. We continue to hear rumors about evolutions in HIPAA. 

Britton Burton: [00:14:02] I was listening recently to privacy attorney. Her opinion on this is that in 2023 we won't see a complete rewrite, but that we will potentially see some tweaks and changes and the full rewrite might come a few years down the road. But we continue to hear rumors about potential evolutions in HIPAA. So I think all of this just adds up when you take these baseline expectations that are beginning to be published by authoritative groups within the federal government. It's just not difficult to envision those being formalized into some type of rule or law under some agency somewhere. I think a lot of this will be more aimed critical infrastructure, which of course includes health care as opposed to health care specific, especially when you take into account the doubt and some privacy attorney's minds about HIPAA being completely rewritten soon. But it will certainly include changes to what we need to do and comply with and the healthcare space in terms of cybersecurity. All right. Moving on to number seven, remote and hybrid workforce becomes permanent. And as a result, cybersecurity programs adopt more restrictive zero-trust models for remote work. So, look, this one has probably already happened to a certain extent, at least the remote and hybrid piece of things. I know if you pay attention to this topic as much as I do, remote work is and hybrid work is a topic that's near and dear to my heart. 

Britton Burton: [00:15:26] There. There are some rumbles that companies are considering taking a little bit harder stance on this, but I just think the milk is spilt at this point and it's really hard to imagine that at least the hybrid component of work ever goes back to in the office all the time. And so if we know that, then I think the zero trust concepts are going to have to really take hold. Now, look, I'm skeptical may not be the right word, but I do think there's a little bit too much marketing hype on the term zero trust. A lot of it to me is just really sound [00:16:00] access control approaches. You know, there is not a single device that you buy and install and now you have zero trust. And maybe we're doing a little bit better with that as an industry in terms of how we're marketing what Zero Trust is. But I think you've all probably seen that and it's like flip the switch and you've got zero trust and that's not how it works. But the overall, the core of what zero trust is supposed to be, if you kind of unwrap all of the marketing hype from it, I think there is merit to it. And [00:16:30] the fact that the security perimeter is basically nonexistent now with cloud, with remote work, with all the devices that move around that need to be able to connect instantly. 

Britton Burton: [00:16:39] Actually, a former colleague of mine in a previous role has started saying that identity is the new perimeter. And I think that's that's very prescient. That's a great way to say it. And actually, a quick side note here, I've had some interesting discussions with some folks about the hype of Zero Trust and what it really is. I think it's a sort of endlessly interesting topic. If you would like to hear more about that from people who know it better than certainly, I do. Drop us a line. I'd love to know if that's a topic of interest to others as it is to me. I'd love to interview someone on it. If you happen to be an expert and it hit me up, maybe I can interview you and we'll do a dedicated episode to Zero Trust. Moving on to number eight attackers accelerate targeting of medical device IoT and OT security gaps, which introduces unprecedented risks to patient safety and business operations. Again, I don't think this is super bold, unfortunately. The healthcare industry is targeted the most and most data that you see about attacks and ransomware events. Because of the nature of what we're doing, we're not just processing data, we're not processing transactions. We are we're dealing with patient care and patient safety. And even when it's not life and death procedures for patients, anything relating to the care of a human is just an extra sensitive thing when it comes to availability and making sure your systems are ready to roll. 

Britton Burton: [00:18:05] And unfortunately, attacks on medical device, IoT, and OT affect the ability to provide care. Additionally, you all know medical device OT Iot are all very similar in that they tend to be less secure than traditional i.t assets. There are nuances in each of them, of course, as to why that is the case. But at their core, just generally speaking, if you're familiar with this topic at all, it's not news to you that they're just generally less secure, they're easier to breach, they're easier to compromise. And that's certainly the type of thing that attackers are looking for. Attackers are like water. They're going to flow downhill to the easiest source. And unfortunately, these tend to be. I think there is some positive signs of that improving, but there's a long way to go. Number nine, legal accountability mounts as class action lawsuits increase in frequency and put financial pressure on healthcare organizations to bolster cybersecurity defenses. This is a topic that if you listened to the podcast before I came in, Bryan Selfridge was particularly interested in this topic and really kept an eye on it a lot. If you monitor news for cybersecurity breach lawsuits in any way, the number of them is just staggering now. And I don't think that was the case just a couple of years ago. 

Britton Burton: [00:19:27] It's just kind of becoming the expected outcome of any kind of breach event that there will be a lawsuit and probably a class action lawsuit with many thousands of people joining in. I'll leave the reasoning for some of that, which may not be completely altruistic out of this, except to say that it's just a part of our reality now, and that has to be a part of your impact modeling for your risk, for your risk management approach. It has to be a part of your incident response planning for your approach to [00:20:00] cybersecurity. It's not just the tactical cybersecurity defenses and how to respond and eradicate and recover. It is. And the recovery includes the legal ramifications and having your legal team involved upfront, meaning you are talking through incident scenarios with them, you are including them in planning. How would we respond to this? How is a ransomware event different than a traditional data breach? How is it different if it's a third party instead of our own systems that we manage? What is the legal response? How can we put defensive measures in place? And again, I hate to keep harping on it, but I think that's going to amplify those security baselines that we've talked about that you can set in place or if you already have in place, that you can produce documentation to prove that you're following cyber performance goals, that you're following recognized security practices. 

Britton Burton: [00:20:59] Because the reality of the current state is that it's going to happen to pretty much everyone. It's just how quickly can you recover and how defensively can you prove that you weren't asleep at the wheel. All right. And finally, to number ten, cybersecurity talent shortages intensify as the man grows for specialized skill sets and more organizations turn to manage services to deliver security programs. This one is not new either, right? We've seen the trend on cybersecurity talent for several years now. It does not seem to be getting better, unfortunately. There is some encouraging news about some attempts at educational programs funded from government. But we're years away, I think, from truly solving the gap because it is such a large problem that faces every industry. It's a complex problem. This is not a skill set you can hire without some level of dedicated training that we've got to infuse into schools and into programs that are outside of schools and non-traditional degree paths. I think that's absolutely critical. And I think that hiring organizations and HR leaders need to understand that traditional degree paths may not always be exactly what you need in the cybersecurity field. There's a lot to unpack there that might be an episode worth an interview at some point, too. But I think some other good news in that vein is there are also there are so many more managed services now in the cybersecurity space that can at least fill the gap for you. 

Britton Burton: [00:22:33] Manage services are a double-edged sword as a lot of you know, if you've gone down that road, there's a lot of great things that can come from it. But there's also not always the same level of understanding and due care you would have with internal resources defending your own network. But certainly, a lot of problems can be solved through managed services. And I think because there really is no other outlet, you've got to have someone that understands cloud security and it's really hard to hire that person right now. Then manage services will continue to grow and I think you'll probably see a lot of investment from private equity and so on because it's just such an obvious shortcoming and need in the marketplace. So that is it for our official top ten list. But since we're just like everyone else, and when we produce a top ten list, we can't keep it to an actual list of ten because it's so hard to do that. I want to do a few honorable mentions with you that we considered adding but ultimately didn't make the top ten cut. I won't pontificate quite as much on these. I'll run through them a little more quickly, but I think these are pretty solid and worth keeping on your radar. So here we go. 

Britton Burton: [00:23:45] All right. The first honorable mention, is the false perception of cyber liability insurance as a silver bullet wanes, as insurers raise premiums, limit coverage levels, and decline some claims. Healthcare organizations realize that insurance is an important line of defense and a mature security program, but not the only line of defense. And honestly, that's really where we should have been all along. Hopefully, none of our listeners view cyber liability insurance as the silver bullet, but I think there was a bit of that sentiment out there, and that is, I think, going to wane as it becomes harder to obtain and then even harder to win damages when you do have it. Number two, cyber resilience capabilities, including incident response and disaster recovery, become a focal point for investment for healthcare entities. I think that's obvious with everything we've talked about with ransomware increasing and we're just kind of accepting that the bad day is going to happen, but it's more about how quickly you can recover from it and how resilient you are to it. Number three, fourth-party risks and vulnerabilities escalate and drive maturity and vendor inventory tracking via things like software, builds of materials, and related models. This was really hard not to put into the top ten. It's really close, in my opinion, but we're still, as an industry, trying to wrap our arms around third-party so we may save the fourth-party prediction as a top ten for 2024. 

Britton Burton: [00:25:04] But again, that realization of fourth parties as a major, major problem that we need to solve is coming more to the forefront. And I welcome trying to solve that problem with you all. Number four Cybersecurity Certification Adoption increases As pressure mounts for healthcare organizations to demonstrate strong security programs. This is a really interesting topic to me. We have a lot of professions that require certification and licensing to do critical things that you wouldn't just trust Joe Schmo off the street to do. And I think there could be a lot said for requiring some of that in our industry in terms of companies proving their cybersecurity posture as being suitable for entering into contracting rather than some of the legacy ways we've handled pushing questionnaires back and forth. It's going to be a lot of interesting trends there. In 2023, HITRUST just announced some new evolution in their framework that allows for some leveling of their assurance mechanisms that can be right-sized to the vendor and the inherent risk that they present. And I think this type of thinking is exactly what we need right sizing to inherent risk, but making companies prove a strong cybersecurity posture before you enter into business agreements with them. For five in our honorable mentions leading-edge cyber attacks, including things like Deepfake technologies, MFA bypass attacks, and quantum encryption attacks begin to emerge and set the stage for the next decade of cyber security risks. 

Britton Burton: [00:26:36] There's a whole lot of really interesting stuff here you can nerd out on. The quantum computing thing is mind-boggling and also sort of scary if you understand the sort of hack now breach later concept that some are worried about not going to go too deep into them right now. But it's super interesting topics. If you want to fill some of your holiday downtime with interesting research, that's not quite the same as the day-to-day. What new vulnerability is hit? The news or recent breach just occurred. Number six, continual risk management and compliance models emerge and replace many of the traditional annual or periodic security assessment and mitigation approaches. I think this is a really important one for third-party risk management. The point in time we assess you once in a three-year contracting lifecycle, just doesn't make sense. It hasn't made sense for years, but we're evolving as an industry to try to figure out how to solve this problem. And there are some really interesting continual risk management approaches that I think can replace some of the dilapidated models we have in terms of third-party risk management today. And our final honorable mention number seven, Cyber Risk Analytics and Reporting elevate the cyber security conversation from one that is deeply technical and confusing to one that is more easily understood by business and clinical leaders. 

Britton Burton: [00:27:51] And I think this one stems from everything we've talked about today. We've talked a lot about third parties and our critical business dependencies on them lawsuits, regulations, things that you don't have to have a master's degree in cybersecurity to understand and really being able to elevate the conversation to that and to the actual impacts that our organizations feel because of deficient cybersecurity or an evolving threat landscape, I think that we're going to get better and better at reporting risk in ways that use data and are based on all that detailed control and vulnerability stuff that we care about on a day to day basis. But abstract it to a degree that a business person can understand and actually want to take action on. And that's really where we've got to get to be great risk managers. That is all for this session of The CyberPHIx. This was really fun, putting this together and thinking through what might happen in 2023. Hopefully, you saw that these are grounded in some form of reality and these didn't seem completely out of left field to you. We certainly hope this has been informative for you and resonated with your real-world experiences and whether you agree wholeheartedly with them or you want to tell me how wrong we are, we would love to hear from you. If you want to talk about any of them. 

Britton Burton: [00:29:09] This, just reach out to us at The [email protected] That is all we have for this year, drawing 2022 to a close. We hope to hear from you and see you in the New Year and in the coming weeks and months to figure out which of these predictions played out and which ones be dead. So thank you for everything you do to keep healthcare systems and organizations safe. And we'll talk to you again in the new year. Hope you have the happiest of.