Top 10 Healthcare Cyber Risk Exposures Trends & Predictions for 2022


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Meditology provides cybersecurity, privacy, and risk support for hundreds of healthcare entities across the country. We have been tracking macro trends in threats, risk exposures, regulations, enforcement, and best practices for healthcare cybersecurity and compliance programs. 

We have compiled the top cyber risk exposures trends and predictions for 2022 to help you map out your defensive strategy heading into the new year.  

Join us for this special episode of The CyberPHIx podcast where we discuss:

  • A look back at prior healthcare cybersecurity predictions: did we get it right? 
  • Trends and predictions for healthcare threat actors, attacks, and methods
  • Healthcare-specific vulnerabilities and risk exposures
  • Regulatory predictions including HIPAA, OCR enforcement, and emerging federal and state laws
  • Legal predictions including cyber liability and class action lawsuits
  • Cybersecurity program investments and constraints including automation and talent shortages

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:00] Hello and welcome to The CyberPHIx, your audio resource for cybersecurity, privacy risk, and compliance for the healthcare industry. I'm your host, Brian Selfridge. We have a very special edition of the podcast today where we're going to make some bold and some not-so-bold predictions about the state of healthcare cybersecurity heading into 2022. Now, to qualify our opinion here a little bit, our company, Meditology Services, provides cybersecurity, privacy, and risk support for hundreds of healthcare entities across the country. We've been tracking macro trends and threats, risk exposures, regulations, enforcement, and just best practices generally for healthcare, cybersecurity, and compliance programs for a number of years. We work with our clients, regulators, partners, and many of the other key players in the healthcare ecosystem and for our loyal followers of the CyberPHIx podcast, you know that we've also been tracking events and trends on a week to week basis with our CyberPHIx Roundup podcasts and our routine interviews with healthcare, cybersecurity, privacy and compliance leaders for years now. So we're going to tap into all those insights as well as we look forward into 2022 and beyond and make some of those predictions we talked about.

Brian Selfridge: [00:01:07] We've taken the time to compile the top cyber risk exposure trends and predictions for 2022 and really want to help you map out your defensive strategy and your proactive strategy, perhaps heading into the new year. Now it should be noted that this is not the first time we have attempted to make predictions about the healthcare cyber future. If you hang in toward the end of this episode, I'll recap some of our prior predictions from a few years ago and see how well we did with predicting the future. This should be fun, so get your hot chocolate, your candy canes, your streamers or sparklers, or whatever you typically use to enjoy yourself at the new year and settle in for some New Year predictions for 2022. So let's dive into it. 

Brian Selfridge: [00:01:46] Ok, so we're going to use a top 10 format kind of style here to talk about some of the cybersecurity predictions for 2022. These aren't necessarily in order, although I am going to start with, I think some of the more important areas that are certainly going to dominate heading into the future, so to speak. Although we do have some honorable mentions, so I'm not going to stick to just 10. I know that would be easy, but I feel like you'd be left out with a handful of areas that are still very important and maybe don't fit into that top 10 sorts of status. So we're going to cover all of it. 

Brian Selfridge: [00:02:17] So looking into the new year, the first and foremost, we would be remiss if we didn't spend some time talking about ransomware attacks and particularly their ability to escalate and really cripple healthcare organizations. So ransomware, when we talked about it a couple of years ago or as we've been tracking, it kind of started as a pretty traditional malware attack, right? It was in the category of a bad virus or even worms, even some of the worse worms that were out there earlier, that self-propagated were pretty nasty. And these were sort of on the upper-end scale of that type of attack. But if you look at how this has progressed over the last couple of years and heading into next year, the ransomware attacks are now much, much more devastating in their impact. It's not just about taking out one or more, a handful of systems and machines in the environment, it's actually shutting down critical business functions that are having an impact in many different ways, not just from an IT perspective, but from a financial perspective, from a patient safety perspective. And we'll talk about that a little bit more in a moment.

Brian Selfridge: [00:03:22] As one of our other predictions, but we absolutely expect to see ransomware attacks continue to evolve and evolution is not a good outcome for us. With respect to ransomware, the bad actors are getting better. They're automating their processes. They are like any good business should, and I'm not claiming they're good business. They're bad, bad businesses, but effective businesses. They are scaling up their operations. They're outsourcing to different parties for different pieces of the puzzle. So you have the sort of entry-level attackers that are paid just to get me into the environment. That's all they do. They hand off the credentials or the domain administrative credentials, whatever it may be to the healthcare system, off to the next set of attackers that will then actually go in and drop the ransomware and do the extortion and sort of that part of the business, whether it's through, you know, historically, the ransomware attacks were more about just pay the ransom, we'll unlock the system. You know, it's very, very simple.

Brian Selfridge: [00:04:20] Now they've found three, four, five, six different ways to monetize that access. Whether it's holding your data and threatening to release that for a ransom or keeping the systems locked up, or there's been a variety of other creative ways of doing it. So I think certainly that evolution is going to continue. You're going to see more automation from the bad actors, and they're getting better, faster, and cheaper at deploying ransomware. And as long as that business model is there, which it is with the combination of cryptocurrency, which has also changed the game where it was kind of a little bit harder to get the money.

Brian Selfridge: [00:04:55] If you were a ransomware actor years ago, now you know, the bitcoins and the cryptocurrency allow them to really hide and obfuscate who they are and stay away from some of the tracking and law enforcement activities that used to just be the follow the money way of capturing and tracking down these folks. And that's getting a lot harder. So I think we can expect to see all those trends continue. And unfortunately, it's going to get a little bit worse, if not a lot worse before it gets better as healthcare is really just starting to, you know, think like turning the Titanic, right? You're trying to move this entire ecosystem of healthcare systems applications that's become not only larger but more complex with our healthcare vendors and that are involved in the process and them getting hit with ransomware attacks, everything else. So we've got to now really turn and shift the entire ecosystem to be able to better defend against ransomware attacks, either up front in terms of a prevention standpoint, as well as the response capabilities to really limit the impact and damage of these. So that's going to continue. The boat is turning and we're making we're about to make a run for it, but it's going to take us a while to get our engines revved up. So we expect that to continue. Absolutely. 

Brian Selfridge: [00:06:07] The next area that we expect to see in 2022 continue is also an evolution of sorts, and that's around supply chain risks or vendor risk management, whatever term you choose to adopt for third party organizations and vendors that support healthcare business associates, or I can keep throwing out words, but you know who we mean. 

Brian Selfridge: [00:06:28] Those attacks are going to absolutely continue to dominate not only the headlines but dominate the attention of boards and healthcare organizations, which will drive an increase in investment in supply chain risks and in vendor risk management programs overall, which I can tell you, hands down, is the most underinvested, underappreciated, and immature. Perhaps is the better word, you know, no disrespect to anybody but immature functions of healthcare security programs that the tools and the processes we're using today just are not capable of scaling to the level of attacks that we're seeing. And if you look just back, you don't have to go that far to see this trend. If you look back to 2021, which is right, that's look back.

Brian Selfridge: [00:07:16] While we're still in 2021, at least, I am for a few more days, and we see the attacks against Microsoft Exchange, Kaseya, SolarWinds, Log4j / Apache, it was one that just happened a little bit ago last week. So these types of attacks that go after the supply chain that have a breach once and impact many types of models is just the cybercriminal's dream of minimal investment, maximizing return on investment and damage in the case where organizations have a desire to inflict more damage or just to gain access to information. So you have the nation-states who want to engage in cyber espionage and data collection and disruption. They love the supply chain because it gets them all that access for minimal or at least a minimized amount of effort for the actual invasion, so to speak. And then the traditional cybercriminals love it for ransomware and other things because they can, they can deploy and scale out their attack very, very quickly via these third-party vendors that already have relationships with healthcare entities, not only transactional relationships but technological relationships and the ability to jump across VPNs and systems and access control levels.

Brian Selfridge: [00:08:30] Once you have that supply chain sort of trust level, and that is just a secret sauce for a lot of damage, and we expect to see that continuing and we'll talk a little bit about, you know, the government and sort of what they're going to do in a moment. I think that's sort of inclusive of how they respond to all these things. But supply chain and previously mentioned ransomware are going to be really focused on governmental and standards bodies to help us get a handle on all this.

Brian Selfridge: [00:08:57] The next area that I'll mention is cybersecurity talent shortages, and this is not the first time we've talked about this. This is a problem that is intensifying. We expect to see, you know, particularly following this whole 'great resignation' is a term that they're using for the day. I don't know who they are. You're using it. We're using it. I'm using it right now. 

Brian Selfridge: [00:09:17] The great resignation being for health, not only just healthcare cybersecurity resources, but individuals that following the pandemic are just leaving to either explore other opportunities, leaving their current job roles to explore other opportunities or just bowing out of the workforce altogether. In some cases, which is really interesting, but that is it's really bad timing for us, right? Because cybersecurity talent shortages have already been a problem. Now we have this much-increased demand for more cyber skills, right? Because what's there? All of a sudden, the boards are paying attention, and the government's paying attention. Nobody said, Oh, we got to solve this. What are we going to do? Well, you need a whole army of cyber warriors like yourselves and us and hopefully, folks that are involved in this space or want to get involved in this space and that takes time to build. That's a pipeline that takes time for individuals to get trained, to mature, to get the experience. 

Brian Selfridge: [00:10:09] And we're seeing that really become a problem and a limiter for healthcare organizations to grow their cybersecurity program, either in the macro level, but even in areas where specialized skill sets like cloud security, hacking skills, and penetration testing and other areas where you need these specialized talents. Third-party risk is another one, and there just aren't enough people out there to do it and with the skills to build and train and create your programs. So you couple that with the fact that this remote team model becomes the norm. I think in the new year as we come out of the pandemic and some, some genies are just not going back in the bottle and that genie of remote work or hybrid work or not coming into the office every day, however you want to look at it, has become the norm. And I don't think that's going back in the bottle. I don't think that's going to be something that goes away.

Brian Selfridge: [00:11:07] And but there are two sides to that coin, for sure. So a lot of the talent shortage conversation is a problem, right? Something that's going to be a constraint for a lot of programs. But there's also an opportunity where we now can tap into resources outside of our typical physical geographies. In places where you can find the talent that you need in cyber coming out of cybersecurity programs and universities, for example, in places across the country and even in the world that you may not have been open to or the organization may not have been open to previously, and that is an asset, although it cuts both ways when you know your organization's current team can be poached or they can leave. For other jobs where they may get a percent increase or some more flexibility in remote work or whatever it is that's attractive at the moment for your team may get gobbled up by other geographies and healthcare organizations or financial industry or other places that are willing to pay more or might have other, more attractive benefits in those types of things. So it's going to be a bit of an arms race for cybersecurity talent for several years to come. I don't see this slowing down and we got to get out there and keep training and keep building and keep helping others know this space.

Brian Selfridge: [00:12:19] The next area that I'll mention is around just breaches in general and healthcare breaches in particular. We were the top breached industry in the last couple of years running, according to IBM and other sources. That's not good news. We expect that to continue. Expect to see healthcare breaches increasing in frequency, pace, and the cost that they have to organizations as well as the severity of the breaches. So, you know, you'll still see your OCR, sort of improper disclosure type of breaches where we sent the wrong information to the wrong place. But honestly, that's not something that's driving the healthcare breach numbers.

Brian Selfridge: [00:12:56] We had this big pivot a couple of years ago. I want to say 2019 or 2020, where we saw the breaches reported in healthcare went from predominantly lost and stolen laptops and misdirected information disclosures, those types of breaches and it's shifted to IT hacking incidents as defined by OCR, that's sort of their term. But when you look at those sort of charts that they put out and we watched the healthcare wall of shame that's put out by HHS. We saw that big shift toward more attacks, IT-based attacks, and with that becomes access to much larger volumes of patient information. The data breaches themselves are no longer just a couple of thousand records. It's sometimes tens of thousands, hundreds of thousands, millions of records, and we don't even bat an eye at that anymore. It seems every other week we see something along those lines. So that trend unfortunately will continue. 

Brian Selfridge: [00:13:52] Healthcare will continue to be one of the top breached industries, and there's a lot of reasons for that. Just I'll touch on it a little bit here, but I won't spend too much time, but you know, we are, I think, arguably one of the most complex ecosystems from an IT and a sensitive data perspective of any industry, if not the most complex. We've got PHI everywhere we have, and we also have other stuff like credit card data, we have other sensitive information we have to worry about. But PII, PHI, and those types of things are embedded in everything we do, right. They are in our systems, in-house, they are in our processes and workflows for every single side of the business. They are shared with our vendors now. Thousands and thousands of vendors for the typical healthcare entity now have access to large troves of data. So those breaches are going to continue not only for healthcare organizations but also the supply chain and vendors that support healthcare.

Brian Selfridge: [00:14:51] So our next item now, I haven't been numbering these on purpose, but this is the fifth item in our top 10 for those that are keeping score. I haven't been numbering them because I think they're all important. I don't want you to get hung up on which one is the top, the top one. Although I welcome you to follow up with me afterward and tell me which ones you think are the most important.  

Brian Selfridge: [00:15:09] So the next item is patient safety and operations impacts. And that means that I was mentioning earlier the breaches before, before several years ago were really largely a lot about regulatory enforcement. And if we have a breach, therefore, comes the OCR to bring the hammer down on us for federal regulatory enforcement. That was sort of the big conversation. You don't want to lose data for that reason. And also, you know, as patients, you want to protect their information, identity theft, all of which are very, very important. But that conversation has shifted and will continue to shift into next year, 2022 and beyond, where the patient safety and operational impacts of breaches will become, if not if they haven't already become paramount drivers for cybersecurity investments in healthcare in particular. So other industries will have their own sort of nuanced responses to these attacks. And this sort of situation that's happening on the macro level.

Brian Selfridge: [00:16:06] But for healthcare, it's all about keeping patients safe and keeping the revenue and finances intact, as well as reputational damage, which has impact on that as well in a lot of ways. But as these attacks happen, where you know, the minute you lose access to your transcription company or your electronic health record or any of the billing system, you name the system that the important system in your environment and you lose access to that from a breach of events that is either ransomware related or a vendor that goes down or becomes unavailable or has to respond. 

Brian Selfridge: [00:16:39] All of a sudden you have multimillion-dollar financial impacts. You have medical devices and other systems that are providing real-time critical patient care affecting lives every day, every moment, 24/7, that when they become available, it has a very real intangible impact on patient safety. We've seen, you know, this isn't quantified well in terms of how many people have died or been hurt by deferred hospitals or deferring from the ER or are turning down kind of procedures and those types of things that aren't able to happen in a timely manner. And there's cancer treatments, all kinds of stuff. There are stories in the news that sort of touch on this here and there. There's even been reported deaths and lawsuits related to that. But on the macro level, we don't have really good stats around it.

Brian Selfridge: [00:17:27] But we predict that those types of impacts are going to create sentinel events in the healthcare ecosystem for specific organizations and the industry as a whole, especially in the healthcare delivery side that are going to change the way that we think about cybersecurity risk, even more so than we do today. If I can be so bold as to say that I think we're going to see major, major investments and attention on this topic as people, unfortunately, start getting hurt and the financial impacts make it difficult to sustain operations with these very real numbers that happen.

Brian Selfridge: [00:18:05] The next item is around the regulatory side, so this is an important prediction and one that I think has been percolating for some time, but the exact timing of when it's going to land is sort of tricky, but we're seeing all the signs, all the classic signs of big regulation coming down around cybersecurity from the federal, state and global levels in the coming year or years. I expect to see something in 2022. 

Brian Selfridge: [00:18:35] Typically, the way this stuff flows, if you think back to the introduction of HIPAA security rule and HIPAA privacy rule and HITECH and how those things have sort of evolved over time, they start with sort of ground-level states, you know, that has a more of a proactive kind of approach to this start, start testing out the waters and piloting regulations around things like breach notification and different areas. And we're starting to see that happen with topics like ransomware reporting with supply chain risk. We're seeing executive orders from the presidency. 

Brian Selfridge: [00:19:07] We're seeing a lot of questions and discussions from standards bodies, which is another place where you get those indicators and all of those are pointing toward one or more forms of major legislation and regulatory activity around cybersecurity in general. But I think also for healthcare cybersecurity, we're 20 years out, you know, plus from the introduction of HIPAA and the security privacy rules, they are no longer particularly effective, as effective as they could be at preventing, detecting and really impacting the ability for these types of attacks and breaches to happen. And so while that's as long as that's the case, there's going to be increasing sort of pressure cooker mounts or mounting pressure going on where we need to see some regulatory activity and expect to see it, whether we like it or not, it's coming and it could. 

Brian Selfridge: [00:20:01] I predict it will be a little bit more prescriptive around certain areas, things like third party risk, multifactor authentication, stuff that we've seen in some of the financial regulations are starting to require these types of very discrete controls, penetration testing, and ethical hacking tests. Those types of things are required as sort of a way of doing business, a requirement to do business. I think we'll expect to see that in the coming year, 2022. 

Brian Selfridge: [00:20:01] We'll see something, but probably in the next two to three years, at least, probably some major legislation. So we'll be interesting to see how that plays out. Of course, we'll keep you updated on everything we're hearing with our ear to the ground on those areas. 

Brian Selfridge: [00:20:43] The next area is around cyber liability changes, so this is not everyone's favorite topic, usually unless even the cyber liability, I think providers and carriers aren't thrilled with what's happened with the liability coverage over the last couple of years. I think if we just look at the trend of how this has played out, the early days of cyber liability coverage going back 10 years, 10, 15 years, maybe when they first started putting policies out, they were very, very light on detail. You could get a policy. The premium was pretty low and there just weren't that many claims. I think that would sort of, you know, necessitate that becoming a risk.

Brian Selfridge: [00:21:23] But the cyber liability carriers have gotten just run over by the volume of claims, particularly around ransomware attacks, and have had to pay out and are really struggling to make the business model work. So we're seeing, you know, already we can expect to see more premium increases that goes across the board. Anybody that has cyber insurance, cyber liability insurance coverage can expect that to double triple in cost in the coming year for sure, as well as just outright coverage denials and the inability to get coverage for a variety of factors. 

Brian Selfridge: [00:21:55] And the insurance carriers are just not willing to be not being willing to make the bet that they can. They can sort of make this work, and those that do get coverage are going to continue to get increased scrutiny to those policyholders that where a couple of years ago, even just even two or three years ago, you would see a really light application for cyber liability insurance that would say things like Do you have a network firewall? Do you have policies like really simple, pretty simple stuff? Now they're really digging deep and recognizing that the complexity of cybersecurity and the risk that they're underwriting is complex. And there's a lot to it. And there are factors, much like you would see from any other insurance situation where they have actuaries that look into the stats and figure out how if you're doing this behavior or that behavior, you're a lot more or less likely to have an incident and have a payout and a claim paid out. That type of rigor, I think, is going to go to be more so applied to cybersecurity and IT risk management.

Brian Selfridge: [00:22:55] But the cyber liability carriers have some catch-up to do because they're also competing with that cybersecurity talent shortage that we talked about where they need folks that understand cybersecurity enough to be able to advise on the creation of policies and coverage and what that scrutiny looks like and what makes an effective security program versus a noneffective one. And there's a lot of like those of us in the field know there's a lot of ways you could measure that, you know, certifications and standardized options and best practices. And those types of things are all ways to do that and security frameworks and the like. But they need to figure that out and they need to have those models built out. And I don't think they're quite there yet. 

Brian Selfridge: [00:23:35] And so I think we're going to see a lot of uncertainty around being able to get coverage. And when you do get coverage and we do have an incident, whether or not that will payout is still a bit of a coin flip in a lot of ways. When you get down to it. 

Brian Selfridge: [00:23:48] The next area and this is area number item number eight of our top 10, in no particular order is around cloud security risks. So this is not new. The idea of cloud, the buzzword of cloud, and the movement initially sort of the slow movement to the cloud and then the major push to where the cloud has become the standard over the last several years has been interesting to watch. But I think from a security standpoint, we've gained some ground on cloud security.

Brian Selfridge: [00:24:15] Initially, it was like these were all startups, right? And they had these very sorts of questionable cybersecurity programs and capabilities, even though they advertised from the get-go that, you know, you move your on site electronic health record to the cloud, it's going to be safe or secure. Don't worry about it. But a lot of that was like, Don't worry about it, and there are all these risks that you just can't see. And we've seen that that decision point, I think, hurt us in recent years with the supply chain attacks and the like. So we need to continue to combat that sort of out of sight, out of mind model, right? 

Brian Selfridge: [00:24:51] So we expect to see cloud applications, cloud security changing and evolving, where application vulnerabilities and configuration management really introduce the top breach exposure risks. So it's not just that you have a cloud security program, but you have to configure it. You have to keep up with all these latest attacks and incidents, and the cloud providers now have a big target on their back, right? These supply chain attacks that can again attack once and impact many are now the top way of getting in, and there would be no greater win than to get access to a cloud-hosted provider, either at the infrastructure kind of level, your Googles or your Amazons or those types of things, or for specific vendors that have configurations or misconfigurations on those platforms.

Brian Selfridge: [00:25:40] And you know, if we talk about that cybersecurity talent shortage that I mentioned earlier, that cloud security skillset isn't there; there are not enough people to do that and do it well, not only for healthcare organizations but even for cloud security providers. And so you end up with these misconfigurations and mismanagement that allows breaches to happen on those platforms. And then that becomes a sort of an exponentially more difficult issue to solve and the impact becomes much larger. So you expect that to continue and be a major focus area in the coming year and beyond. I don't think any of these are limited to a one-year term, unfortunately.

Brian Selfridge: [00:26:20] Number nine here is around class-action lawsuits. Now, this I've been beating the drum for this for a couple of years and those were maybe getting tired of me sort of continuing to predict it. But we predicted it a couple of years out and I think we've seen it's about every other week. There's a class-action lawsuit popping up related to a healthcare breach that happened either for the healthcare entity themselves or a third party vendor. And then everybody gets sued for these class actions, and that's continuing to change the playing field for the financial impacts related to cyber events that we aren't just going to be focused on the OCR regulatory compliance. We aren't just going to be focused on the downtime from a ransomware attack. We aren't going to just be focused on what happens when a critical supply chain vendor is out of commission and we can't run that part of our business or that function. Be it clinical, administrative, or otherwise, we're not just worried about those things, and all of those are pretty, pretty impactful situations. But now we've got to worry about the legal ramifications that often take quite a little while to play out. You have the two-year statute of limitations for a lot of stuff, but these cases are popping right after the breach. Even while we're still licking our wounds, trying to put out these fires, the lawsuits in the class action that becomes a distraction, that becomes a financial impact. I think that's going to continue and something we need to get better at preparing for and anticipating the reality of these types of legal situations.

Brian Selfridge: [00:27:46] So number 10 in our top 10 and then we'll get to some honorable mentions along our way. Here is medical device security and IoT quagmires is the word I'm going to use. It is a quagmire that is a perfect word for this problem. Expect medical device security in IoT quagmires to persist, driven largely by legacy devices, right? We're getting a little bit better at the new devices that are coming in, but they have a lifespan of 10, 15, 20 years in some cases. So we just aren't going to solve medical device security anytime soon. I was a little hopeful five, six, seven years ago that there was a movement. We were talking about it. It was a buzz topic. It was at all the conferences like, OK, we're actually going to solve this as an industry, and I'm a bit disheartened by the lack of investment. I don't want to say lack of attention. It's been a lot of attention and discussion. It's just one of those big, tricky problems that can't be solved with a single tool or a single, you know, silver bullet and therefore makes it a bit prohibitive for organizations to tackle it when you've got a lot of other places to put your resources and energy. 

Brian Selfridge: [00:28:57] So I think we all know that medical device and IoT security is a problem. I think we talk about it a lot. But the real investment that's required to create a medical device security program that fully brings in biomedical and clinical engineering, I.T. network vendors, and the medical device manufacturers, legal, compliance, procurement. All the people that need to be involved are just not talking to each other and not coordinated in the way it needs to happen. So this is not so bold a prediction in the sense that I think this is going to continue for years to come, and we're going to continue to see incidents around medical device security that are going to be very, very causing for concern and areas and investment, and we'll continue to focus on that. All right. 

Brian Selfridge: [00:29:44] So those are 10, if you hung in with me this long, I'll try to be quick about the rest. So I want to mention seven honorable mentions areas that we didn't quite get into the top 10, but I think are worth you paying attention. So I'll go a little bit quicker on these. First is just the whole cybercrime and nation-state attack model and what's happening. We expect those attacks to accelerate cybercriminals getting emboldened by the amount of money that they can get from these attacks fairly easily. And even when they get knocked down, they stand right back up under a different moniker, leverage the same old networks that they have for the attacks and rebrand and go back at it. It's not. It's very rare that we can actually knock many cybercriminals off the board entirely, although that it's happening a little bit. 

Brian Selfridge: [00:30:30] But we have seen the federal government getting more involved and I expect in 2022 and beyond that, the federal government not only at the U.S. level but internationally is going to really get a lot more coordination because it's no longer just a U.S. problem or just this particular geography or this particular sector, it's all sectors globally. And when you get that type of scale and that type of pain across the world, you start to see, you know, a degree of being fed up, right? It was like, OK, this is enough. 

Brian Selfridge: [00:31:01] This is painful for everybody and you'll have your Russias and Irans and Chinas and others that are going to be a little bit more in North Korea, more aggressive in their stance on this, maybe a little bit more of proactive combatants. And you may not be able to stop that right away, but at least kind of coordinating being able to chase down the finances, shut down the servers wherever they may live, go after individuals at any point in the chain, I think, is going to at least put some pressure on the cybercriminals. Now the nation-state actors are going to keep doing what they're doing as long as they have funding and support, and that's going to continue for years to come. So don't expect that to slow down anytime soon. 

Brian Selfridge: [00:31:41] We're also going to see the second area that I have here is more board-level awareness. We've talked about that a little bit and just the attention to cybersecurity in healthcare is now less about educating the board around these risks and finally moving into "So what do we do about it? How do we invest where we put our energy?" And that's an important pivot in the conversation that I expect to continue into 2022 and beyond and become much more of a risk management discussion versus an educational "what is this cyber risk stuff all about?" 

Brian Selfridge: [00:32:12] So the third area is around cybersecurity certifications and the adoption levels of those. We expect to see pretty significant increases in the adoption of security certifications, things like HITRUST certifications, the SOC 2's of the world or another big one in healthcare. And we're seeing more and more pressure for healthcare organizations to demonstrate that they have strong security programs demonstrated, either because they want things like the HIPAA / OCR safe harbors that came out earlier this year. And we want to be able to get credit for that in the event of a breach or because if you're a healthcare vendor, there's a requirement, a contractual requirement to get certified. That's going to continue to increase the pressure for cybersecurity adoption and then for everything else. 

Brian Selfridge: [00:32:58] We've talked about cybersecurity, liability insurance and everything else. At some point you're going to have to demonstrate, are you doing the right things, the best to your ability, keeping up with industry standards on this stuff? And maybe you got breached and oh OK, that's a problem, but you were doing everything you could and discerning that situation from organizations that just aren't investing at all or hardly at all. Don't have a security officer, don't have a program, aren't doing the right things. And so cybersecurity certifications, we believe, are going to continue to increase in adoption across the board, just as one of the only reliable mechanisms to have a third party validate that you're doing the right things against an industry standard or standards. And that's just going to continue to be important for a variety of reasons. 

Brian Selfridge: [00:33:45] There's another trend that we see and this is the fourth one of the seven I mentioned, and that's around what I'll call continual compliance models emerging. And that is we look at the traditional models we looked at for risk analysis and risk management in healthcare and across the sort of the industry verticals was around doing things like annual security risk assessments or periodic assessments or quarterly scans and sort of then working that list. And we're certainly going to continue to do that and we'll continue to see that we're not I don't think that's all going to get upended overnight. 

Brian Selfridge: [00:34:19] But what we're seeing is the trend in 2022 and beyond moving toward a continual model of compliance. So we're scanning all the time. Not real-time, but scanning for vulnerabilities regularly. We're patching regularly. We're doing pen tests on a regular basis. We are doing assessments of every product and service and vendor that we deal with every time out. And we're going back and looking at the vendors that we have in-house that we haven't checked in on in a year or two or whatever the frequency may be, depending on their importance and getting into that sort of more real-time risk management where we have continual visibility to where the risks are, be able to adjust on a much more agile basis of where we put our investments in our energy and shift quickly. 

Brian Selfridge: [00:35:05] Right? Things like this Log4j vulnerability that just happened last week. As an example, you can pick your attack of the day when we have to stop everything we're doing, relook at our risk factors, and then go and make changes in investments to our models and program to address the sort of incident of the moment. These continual compliance models allow us to really get better at that and be more agile and not just sort of stuck with, well, we'll do everything we do for a year, then we'll see how we did a year later and try again. That's just becoming too long of a lag cycle for our organizations to be effective. 

Brian Selfridge: [00:35:44] The next area that I'll mention is around just an output in a reaction to the 21st Century Cures Act for those that followed that, if you're not sure what that is, we've done webinars and blogs and things on it. You can go to Meditology services, see Resource Center. But the 21st Century Cures Act is designed to sort of connect and open up the floodgates of electronic transmission and exchange of patient information particularly designated to work, getting it out of just a locked up in electronic health record systems and down into patient apps, wearables, you know, and different places where we need to have that information to provide effective care and allow the patient to have a little more control over their information so that Cures Act is great and it's creating a lot more movement of fee. 

Brian Selfridge: [00:36:34] But that creates security risks that I think we're going to just see start to play out in 2022, 2023 as more of these patient apps, the wearables and the application programming interfaces, the APIs that connect all this stuff have cybersecurity considerations to them. And we're going to see breaches, we're going to see challenges, we're going to see oversight. And there's going to be, I think, a flurry of activity sort of in the next year. That will be a reaction to those pipes starting to actually have free flowing through them versus just in 2021 where it was, it was announced. There's a rule, everybody scrambling to create this stuff. And I think we'll have to react to it. 

Brian Selfridge: [00:37:12] The last two areas that I'll mention on honorable mentions are one is this zero trust model, which is admittedly a buzz term. But the idea that we just have to get away from allowing everything to talk to everything else by default and sort of do the converse of that, of understanding that we need to allow nothing to talk to anything else until we sort of authorize it. That's a gross oversimplification of zero trust model, but that's in principle sort of part of what's behind it. 

Brian Selfridge: [00:37:39] Expect to see that whole mindset and model gaining steam as we see it gain steam in other industries, in healthcare, trying to adopt it. I think we'll see other industries move faster and we'll need. And healthcare will continue to kind of tread water on this due to the complexity of our systems and application sprawl. Anytime there's an elegant model that comes out from the federal government and other industries that say, all you have to do is just do, like, application whitelisting is one that years ago was a fad and something that is a wonderful idea to say, all right, we're only going to allow certain applications to communicate. You get to healthcare like you just keeping track of what applications are in play and in use in the cloud and locally is just very, very difficult, if not near impossible to keep an eye on at the level where you need to start whitelisting things. So I think healthcare is going to really struggle with zero trust, although that shouldn't stop us from trying to sort of move toward that ideal as we implement new systems in particular. 

Brian Selfridge: [00:38:40] And the last one I'll mention is around cybersecurity automation. This is just an overall theme, but the idea that we have this cybersecurity talent shortage, we have less and less capable people with the information in their brains to solve our cybersecurity challenges. And I shouldn't say that entirely, right, we actually have more cybersecurity professionals than ever before, but the demand has outpaced our supply and that's going to continue. So we have to look to cybersecurity automation to take the human out of as much of, especially the sort of the grunt work of things like collecting risk data from vendors or from our applications or looking through logs and trying to decide what's a problem and what's not. And just that reliance on human capital is going to continue to decrease. And we're going to see a lot more cybersecurity automation in every facet of everything we do ramp up. Whereas before I think it was just sort of chugging along at a sort of a traditional innovation sort of pace. Now we're like, we need this. There's no longer an option to expect to solve cybersecurity and healthcare with people alone. 

Brian Selfridge: [00:39:49] So 'people, process, technology'. Don't forget about the process part. That's still I'm not making a prediction around this discretely, but I think we have always had a problem with the process part and understanding how to make the people and the tech work well toward what toward our aims. So that will continue to be a pain point into the new year, for sure. 

Brian Selfridge: [00:40:15] Ok, so that is our top 10 plus seven honorable mentions for those that have hung in this long. I want to take a look back at some prior predictions we've made and see how well we did. Well, you can be the judge of how well we did. I'm going to just focus in specifically on a couple of years back. I want to look at 2019 and see, OK, we're about three years out. How did we do? 

Brian Selfridge: [00:40:38] So looking at our top 10 from back then, we had number one was 'cybersecurity moving from I.T. to enterprise risk focus'. So getting out of just an I.T. discussion, getting into the boards, getting into more of an enterprise-level risk conversation, absolutely. At least, I think that's happened quite a bit and that's been largely driven by the accelerated pace of the attacks that we've seen. It's just impossible to ignore us anymore. We're not just the I.T. people in the basement of the hospital. We are front page news for better or for worse. So I think that's hoping that once played out. 

Brian Selfridge: [00:41:14] The number two: breaches and ransomware attacks evolve and increase. OK, enough said there. Number three: regulatory activity continues for OCR, GDPR, and states. I think that's true to a large extent. We've sort of incrementally seen regulatory updates, not the large-scale one that I'm one or two that I'm waiting for to drop in the coming years. But it's been trending in that direction. 

Brian Selfridge: [00:41:37] Number four, third-party vendor security and privacy risk management becomes front and center. Ok, I think that's an understatement with what we've seen in the last couple of years. Supply chain risk has had its day and will is having its day.  

Brian Selfridge: [00:41:37] Number five: asset management IoT and medical device security get investments. Oh, that's the one I said. I was hoping that was more of an aspirational desire a couple of years ago that we would make some more investments. And actually, it has. I mean, we've seen more tools and technology come out on the IoT medical device side that have been great and really big game changers for us a lot of ways and we've seen more investment in the tech side. I don't think we've solved the problem by any means. We have seen some more investment in things like network segmentation and those big complex projects that take a while. So, you know, this might be technically true, but I don't think it's meeting the spirit of what we were hoping we would see by 2022 or 2021 the type of investments that we need. So hopefully that will accelerate. Number six: hacking attacks get more targeted and increase in frequency. Check. Let's check that one off. 

Brian Selfridge: [00:42:46] Number seven: Cybersecurity and privacy talent shortages impact program success. Oh, so we've been predicting this one for a while. It came to come true, and it's getting worse, unfortunately. 

Brian Selfridge: [00:42:57] Number eight: Capital budgets increase as operating budgets only see marginal increases. So what we meant by that, and at least what I meant by that back then was the trend that we were seeing that there was more spending on tools and tech and things that could be sort of one time investments to try to boost the program or solve this or that particular risk at the cybersecurity level. And then a hesitation to hire more people and more recurring costs around cybersecurity. I think that was just a function of what was going on at the time. And I think that is now shifted pretty, pretty extensively. I don't think we see that operating budget thing issue anymore and think, if anything, the purse strings have been opened for hiring cybersecurity talent professionals on the operating budget side. But now there's just not the people out there to do the work. And so there's a lot of open requisitions and you know, the capital budgets are still, you know, plugging along at their normal paces. So that's kind of an interesting one that has shifted quite a bit in a couple of years. 

Brian Selfridge: [00:44:05] Number nine: data proliferation continues as big data privacy concerns loom. That was there was a lot more, it feels to me anyway. There was a lot more sort of big privacy breach issues and challenges that people were getting really worried about the amount of patient information, PII, and other data that are getting accumulated and unable to sort of be reined back in. I think that is still absolutely happening. Then we saw the big, the big-box vendors, tech vendors like Facebook, and other places having these huge breaches and scandals around data privacy. And that is still happening. But what's interesting is that the discussion has really shifted more to the cybersecurity side of things and the impact of these events and everything we talked about earlier here as being the paramount concern because now systems are shutting down, we're losing money, people are getting hurt, right? And data privacy, while still very, very important and at the core of what we do in this field seems to be taking a backseat. It's kind of interesting in some ways, but I think that will rear its head back into the front and center the next big breach or two that we have around data privacy. So it's not going anywhere, the regulations will certainly incorporate that as if we do see new regulations, so we'll keep an eye on it. 

Brian Selfridge: [00:45:20] And the last one number 10: mergers, acquisitions, and affiliations add complexity for security programs. And that, I do believe played out. There was a huge flurry. This is two-three years ago around mergers and acquisitions. Just in general. It slowed down a bit now this year into next year, it's mostly the larger organizations that are still in the gobble up mode and consolidate mode. So it's still happening on the macro scale. But it was just this flurry of activity back then, and I think it's settled down a little bit as folks have gotten gobbled up either gobbled up or taken over other healthcare entities in that whole cycle. So very, very interesting to see how that played out. 

Brian Selfridge: [00:46:06] So you can be the judge of whether or not you know, those predictions have panned out. That's three years ago. Well, maybe we'll dig deeper next time and go back even further eight, 10 years ago and see what we were talking about back then. 

Brian Selfridge: [00:46:19] But for now, that's all for this session of the CyberPHIx. We hope this has been informative for you and want to love to hear from you if you want to talk about any of this. Just reach out to us at CyberPHIx at Meditology Services. That's all we have for this year. We hope to hear from you and see you in the new year and the coming weeks and months, and figure out which of these predictions played out and which ones have not. So thank you for everything you do to keep our healthcare systems and organization safe, and we'll talk to you again in the new year.