The year ahead will be marked by a changing tide of cyber standards—social, legal, and policy—that are raising the bar for provider organizations to protect the integrity of their data. On the policy front, of course, the updated version of the Health Insurance Portability and Accountability Act (HIPAA), which went into effect in September, has raised the bar on compliance activities, breach notification rules and patients’ rights, and requirements on business associates. In addition to policy, provider organizations can expect to face added pressure from technological changes, among them, cloud storage, the burgeoning use of personal devices in the workplace, the changing nature of “insider” threats, and additional focus from the corporate boards, which are increasingly taking a more proactive look at their organizations’ preparedness and mitigation strategies.
All of this means that cyber security should be a front-burner issue. Last week, Kroll, a New York-based risk mitigation and response firm, released its cyber security forecast for 2014. Healthcare Informatics spoke with Kroll’s senior managing director, Alan Brill, to put those forecasts into perspective for healthcare provider organizations.
1. NIST and other security frameworks will become de facto standards for best practices. Frameworks from the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and similar bodies will drive organizational decision-making with regard to cyber security, according to Kroll. Organizations that do not follow suit may find themselves subject to shareholder lawsuits, actions by regulators, and other legal consequences.
Brill points out that NIST, ISO and similar frameworks underlie the HIPAA Final Omnibus Rule. He also observes that “This trend will move the U.S. in the direction of the European Union, where there is greater recognition of privacy as a right.” He recommends that organizations be cognizant of these standards and “make strategic business decisions that give clients and customers confidence that their information is protected.”
2. The data supply chain will pose continuing challenges to even the most sophisticated enterprises. Brill notes that in the last five years, many tasks that would once have been done completely in-house are now outsourced. “Now, instead of having everything in-house, there is this eco-structure, this ecology of companies in which various parts of the organization may work, and may share ePHI. It becomes extremely important to know where that’s happening,” he says.
Today, that’s not always the case, because decisions made at the departmental level or as part of the research operation aren’t necessarily being made by the hospital’s IT department, he says. Instead, those decisions are being made by the principal investigator, and it doesn’t always reach the point of someone suggesting that the legal department look at a vendor contract. “Any time sensitive data is leaving to go to a business associate or to software as a service (SaaS), an organization needs to ensure that appropriate steps have been taken to avoid a breach of its obligations under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act,” he says.
3. The malicious insider remains a serious threat, but will become more visible. In 2014, a significant percentage of data breaches—possibly almost half—will come at the hands of people on the inside of an organization, according to Kroll. At the same time, insider threats are becoming more visible as the federal government and states adopt privacy breach laws and enforcement regimes. “When we deal with incidents involving healthcare, a lot of times it is an insider,” Brill says. He adds that the nature of these incidents has changed, with increasing reliance on third parties to perform tasks. “It used to be that these things happened and the insider was an employee, but now we are finding that these insiders might be contractors, vendors, business associates. For that reason, it becomes important to understand not just your own practices with regard to HR-type security issues, but those of the people you entrust with your data,” he says.
Brill cautions that organizations need to examine their entire data supply chain. He describes one recent case of a client that experienced a loss of back-up media. The culprit, it turned out, was a sub-contractor of the vendor performing the service. He recommends that organizations involve their general counsel in decisions to hire outside vendors.
4. Corporate board audit committees will take a greater interest in cyber security risks and the organization’s plans for addressing them. Corporate boards are beginning to make a connection between an organization's financial well-being and cyber security, according to Kroll. As such, they will expand their attention beyond financial audits to the organization's strategic plans for protecting non-public information and its risk mitigation plans for responding to a possible breach.
Brill notes that this trend is even more common among hospitals than other types of organizations. Boards don't want their organizations to be the next poster child for a data breach, he says. “As we are seeing with other organizations in areas such as financial services, the board is getting more activist, and particularly the audit committee,” he says.