Each year around the holidays we stop to reflect on where we’ve been and what’s to come in the coming year. Without a doubt, 2014 was one of the most interesting years to date in healthcare from a cyber security perspective. I think we saw it all: insider abuse, user error, physical theft, social engineering, directed attacks, state-sponsored hacking; you name it, we experienced it.
We also saw the number of individuals affected, the number of records potentially compromised, and even the cost of breaches increase. This is a rather disturbing pattern when you consider that it’s been a decade since the Security Rule went into force and it seems we are not doing any better, maybe even worse. I, and most likely others, would argue that this is the wrong impression, because we are only now realizing both the benefits and the risks of the automated, connected and digitized health record brought about by the Health Information Technology for Economic and Clinical Health (HITECH) Act and meaningful use only five short years ago. The opportunities for exploitation of this information have increased exponentially. So what does last year tell us about the future? Quite a few things:
The Threat – The bad guys are going to continue to outpace the good guys’ ability to thwart attacks in the race to compromise systems. Already, the sheer volume of malware produced daily has antivirus solutions face down on the mat with the referee counting them out. Advanced Persistent Threats (APT) represent an ever-present risk for the organization that fails to manage its enterprise with vigilance. Zero-day attacks represent a problem for everyone. The increasing value of medical identities ensures that the criminal element, from the individual thief to organized crime, will grow and seek to compromise healthcare organizations. Whether or not we’ll see the major event that the Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) have foretold is not what is really important. Whether the industry is ready or capable of taking action to avoid it is the real question.
Resources – Healthcare once again lagged behind all other regulated industries with respect to its investment in information security, coming in just shy of 3 percent of its IT budget. This is far below what is required to address this critical area of responsibility. The good news is that this is a slight increase from the past, where the average was closer to 1.5 percent, but if we are really going to give those who have to combat the threat a fighting chance, resources will need to grow. Interestingly enough, those who have suffered a serious breach or security issue tend to spend much more on security. Dollars alone won’t fix the problem. Unfortunately, 2015 will still see many organizations short of security staff, technology, and dollars.
Interoperability – Despite the challenges that an impending administration change will present for the folks at the Office of the National Coordinator (ONC), the focus on interoperability by that group, the Health IT Policy Committee, the National Institute of Standards and Technology (NIST) and others may pay big dividends for security. It’s hard to create interoperability without standards and/or frameworks, and those have long been friends to security. Hopefully the work of these bodies will also spur the development of an industry-adopted security framework, standards and certification criteria for critical systems involved in the processing, storage or transfer of electronic protected health information (ePHI).
Regulatory Action – The show must go on, and will. Critical position vacancies at the Office for Civil Rights (OCR) will likely slow the introduction of any new rules such as Accounting for Disclosures, Minimum Necessary, Distribution of Fines, etc., but enforcement of the existing rules will continue. More settlements will be announced and the fines are likely to be steeper. Thanks to the changes in the Omnibus Rule, investigations into breaches will continue, as will reviews of complaints, and the permanent Audit program will begin in 2015. Covered Entities and Business Associates had better get their houses in order. What bears watching next year are any legislative repercussions from the massive retail breaches of 2014, responses to warnings from DHS, the FBI and others with respect to the growing threat, and individual state legislation like we saw in Florida in 2014.
Medical Devices – In 2013, we started sounding the alarm about the growing risk associated with these platforms. In 2014, we saw the first real recognition of that risk with the DHS survey that produced a dismal report card for the medical devices tested. This was followed by guidance published by the Food and Drug Administration (FDA) for both manufacturers and consumers designed to address some of these concerns, but as guidance it fell short. We heard some stories from around the industry of a few vendors who were getting the message and beginning to listen and work with their customers, but it was not nearly enough. By the end of 2014, we had several groups, government agencies, etc. actively meeting and discussing the issue, and at least one regulator, the FTC, that openly said medical device manufacturer claims were on its radar. The question is, will 2015 be the year we fix this issue? That remains to be seen, but the industry is ready.
Experience – More than ever we need experienced personnel filling all roles in information management, and security is no exception. No one knows this better than CIOs, who in 2014 recognized the criticality of both information security and clinical informatics through the College of Healthcare Information Management Executives (CHIME). The CHIME-created Association of Executives in Healthcare Information Security (AEHIS) is designed to foster the professionalization of the individuals assigned to these roles in healthcare. By all accounts, there is a severe shortage of experienced information security personnel, and many healthcare entities have had trouble recruiting to fill these positions. Hopefully this effort will make healthcare a more attractive market for security professionals, help develop in-house capabilities, and provide ideas and solutions for information security challenges.
Data Management – Hopefully 2015 will be the year we focus on the data. 2014 showed us once again that focusing on everything else isn’t working. From lost and stolen devices that were not properly protected, to excessive access rights making identity theft easier, to endpoint insecurities and even desktops and servers not secured adequately, we lost data right and left. We can’t ignore or avoid protecting any platform where the information resides, but we can and should reduce the number of platforms PHI is on through smarter data management. Some in healthcare understand this and are beginning to look to better data management to reduce their exposure. Unfortunately, there are many who are not doing the same. I expect that 2015 will see continued loss of data through unprotected platforms storing too much information.
Workforce Exploitation – In 2014, we saw a real increase in the number of social engineering attacks against workforce members. The usual social engineering, water-cooler and social media attacks were all prevalent, but it was phishing that saw the largest increase. In fact, many of the more serious hacks or malware attacks were preceded by a phishing effort. We saw random phishing attacks, directed spear phishing, and combinations of the two. These attacks are often successful because they prey on people’s emotions, desires and, in some cases, fantasies, but more often than not it’s the expectation that recipients are tired, busy or in a hurry and not paying attention. The solution is education, and many organizations are learning that the best education platform is one that provides immediate feedback to the user. Those organizations that have employed this form of training have seen big decreases in the number of incidents experienced. If this trend continues, 2015 might be the year we gain some ground here.
Teaming for Success – This year witnessed more and more healthcare entities turning to specialists to perform security tasks where deep expertise and knowledge or specialized infrastructure were required to accomplish those tasks successfully. This was especially true for things like technical testing, monitoring of both network and user environments, and intrusion detection, but in the face of scarce resources and the desire for due diligence, more organizations embraced independent assessments and support for their day-to-day programs as well. These same factors will affect 2015, and external security service providers will help fill these gaps. Managed services will continue to be important in 2015.
Cost of Security – The cost of security, which includes the cost of insecurity or bad security, will rise in 2015. I don’t think anyone has figured out the number for 2014 yet, but I think it is safe to say that it has risen. A big component of this is the legal expense incurred when there is an incident or breach. An unwanted and costly side effect of many incidents is a lawsuit. Good security costs a lot; bad security costs more. It is all about managing risk. Ignoring the threat or betting that something will not happen is not managing risk. In 2015, we will still be learning this lesson, again.
Being Proactive – Last year we saw a large number of physicians and medical professionals victimized by tax fraud. One of the things we learned from that experience is that once you become a victim of tax fraud, the IRS can issue a second identification factor to protect your filing going forward. We saw Heartbleed come out and compromise people’s passwords, but those using two-factor authentication weren’t harmed. When do we learn that passwords and user IDs alone are not sufficient and start employing more proactive protections such as a second factor? Why must we become a victim first? Tax fraud costs billions each year. Maybe in 2015 we’ll learn that a little bit of inconvenience eliminates a whole lot of pain.