Each year around the holidays we stop to reflect on where we've been and what's to come. Without a doubt, 2014 was one of the most interesting years to date in healthcare from a cyber security perspective. I think we saw it all: insider abuse, user error, physical theft, social engineering, directed attacks, state-sponsored hacking; you name it, we experienced it.
We also saw the number of individuals affected, the number of records potentially compromised, and even the cost of breaches increase. This is a rather disturbing pattern when you consider that it has been a decade since the HIPAA Security Rule went into force and it seems we are not doing any better, maybe even worse. I, and most likely others, would argue that this is the wrong impression, because we are only now realizing both the benefits and the risks of an automated, connected and digitized health record, brought about by the Health Information Technology for Economic and Clinical Health (HITECH) Act and meaningful use only five short years ago. The opportunities for exploiting this information have grown enormously. So what does last year tell us about the future? Quite a few things:
The Threat – The bad guys are going to continue to outpace the good guys' ability to thwart attacks in the race to compromise systems. Already, the sheer volume of malware produced every day has antivirus solutions face down on the mat with the referee counting them out. Advanced Persistent Threats (APTs) are an ever-present risk for any organization that fails to manage its enterprise with vigilance, and zero-day attacks are a problem for everyone. The increasing value of medical identities ensures that the criminal element, from the individual thief to organized crime, will grow and seek to compromise healthcare organizations. Whether or not we'll see the major event that the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) have foretold is not what is really important. Whether the industry is ready or capable of taking action to avoid it is the real question.
Resources – Healthcare once again lagged behind all other regulated industries in its investment in information security, coming in just shy of 3 percent of its IT budget. This is far below what is required to address this critical area of responsibility. The good news is that this is a slight increase from the past, when the average was closer to 1.5 percent, but if we are really going to give those who have to combat the threat a fighting chance, resources will need to grow. Interestingly enough, those who have suffered a serious breach or security incident tend to spend much more on security. Dollars alone won't fix the problem, though. Unfortunately, 2015 will still see many organizations short of security staff, technology, and dollars.
Interoperability – Despite the challenges that an impending administration change will present for the folks at the Office of the National Coordinator for Health Information Technology (ONC), the focus on interoperability by that group, the Health IT Policy Committee, the National Institute of Standards and Technology (NIST) and others may pay big dividends for security. It is hard to create interoperability without standards and frameworks, and those have long been friends to security. Hopefully the work of these bodies will also spur the development of an industry-adopted security framework, standards and certification criteria for critical systems involved in the processing, storage or transfer of electronic protected health information (ePHI).
Regulatory Action – The show must go on, and it will. Critical position vacancies at the Office for Civil Rights (OCR) will likely slow the introduction of any new rules such as Accounting for Disclosures, Minimum Necessary, Distribution of Fines, etc., but enforcement of the existing rules will continue. More settlements will be announced and the fines are likely to be steeper. Thanks to the changes in the Omnibus Rule, investigations into breaches will continue, as will reviews of complaints, and the permanent Audit program will begin in 2015. Covered Entities and Business Associates had better get their houses in order. What bears watching next year are any legislative repercussions from the massive retail breaches of 2014, responses to warnings from DHS, the FBI and others about the growing threat, and individual state legislation like we saw in Florida in 2014.
Medical Devices – In 2013, we started sounding the alarm about the growing risk associated with these platforms. In 2014, we saw the first real recognition of that risk with the DHS survey that produced a dismal report card for the medical devices tested. This was followed by guidance published by the Food and Drug Administration (FDA) for both manufacturers and consumers designed to address some of these concerns, but being only guidance, it fell short. We heard stories from around the industry of a few vendors who were getting the message and beginning to listen and work with their customers, but it was not nearly enough. By the end of 2014, several groups, government agencies and others were actively meeting and discussing the issue, and at least one regulator, the Federal Trade Commission (FTC), had openly said that medical device manufacturers' security claims were on its radar. The question is, will 2015 be the year we fix this issue?